<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: EAP-TLS Computer Authentication Failing in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/eap-tls-computer-authetication-failing/m-p/4861510#M582435</link>
    <description>&lt;P&gt;If the machine name is populated in the SAN then I think you can change the certificate attribute in the certificate authentication policy (CAP) in ISE to look up the SAN rather than the CN value. To change that, click on the drop-down menu and select Subject Alternative Name - DNS or Other Name.&lt;/P&gt;</description>
    <pubDate>Fri, 23 Jun 2023 15:51:13 GMT</pubDate>
    <dc:creator>Aref Alsouqi</dc:creator>
    <dc:date>2023-06-23T15:51:13Z</dc:date>
    <item>
      <title>EAP-TLS Computer Authentication Failing</title>
      <link>https://community.cisco.com/t5/network-access-control/eap-tls-computer-authetication-failing/m-p/4861176#M582430</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;I have configured ISE to accept both machine and user certificate authentications and MAB device management.&lt;BR /&gt;The user and MAB certificate authentications are working properly, so the ISE, switch and supplicant-side configuration of the PC are OK.&lt;BR /&gt;Authentications with the computer certificate, on the other hand, do NOT work. My client generated and manages the certificates from Intune, and as CN it passes me the GUID of Intune and as SAN the machine name. Unfortunately, though, I get denies because I think ISE can't read/find the machine name in AD, and so the process fails.&lt;BR /&gt;I have already done the integration of Intune as external MDM, but I don't understand how to unlock this situation. Does anyone have any ideas?&lt;BR /&gt;I'm mainly investigating the supplicant and the certificate structure, but I don't understand what it could be and how I could fix the configuration (for some reason the client doesn't want to pass the device ID as CN but wants the GUID).&lt;/P&gt;
&lt;P&gt;Thanks&lt;BR /&gt;Regards&lt;/P&gt;</description>
      <pubDate>Fri, 23 Jun 2023 07:49:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/eap-tls-computer-authetication-failing/m-p/4861176#M582430</guid>
      <dc:creator>MaErre21325</dc:creator>
      <dc:date>2023-06-23T07:49:25Z</dc:date>
    </item>
    <item>
      <title>Re: EAP-TLS Computer Authentication Failing</title>
      <link>https://community.cisco.com/t5/network-access-control/eap-tls-computer-authetication-failing/m-p/4861510#M582435</link>
      <description>&lt;P&gt;If the machine name is populated in the SAN then I think you can change the certificate attribute in the certificate authentication policy (CAP) in ISE to look up the SAN rather than the CN value. To change that, click on the drop-down menu and select Subject Alternative Name - DNS or Other Name.&lt;/P&gt;</description>
      <pubDate>Fri, 23 Jun 2023 15:51:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/eap-tls-computer-authetication-failing/m-p/4861510#M582435</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2023-06-23T15:51:13Z</dc:date>
    </item>
  </channel>
</rss>

