ACS 5.2, EAP-TLS: identity policy iteration

paul_j_teeter
Level 1

I'm trying to set up an iterative identity policy for EAP-TLS authentication.  Basically I'd like one rule to be tested, then based on the result either proceed to authorization policy evaluation or go to the next identity policy rule.

For example, I have a certificate with no SubjAltName values and a dNSHostName in the subject, issued by a Win2008 R2 CA.  I'm actually expecting identity matching to fail for this particular certificate, by the way.

I have a list of cert-auth based identity policies, each tied to a unique certificate authentication profile.  Resembles something like this -

  1. use SAN 'other name' value from certificate
  2. use SAN 'mail' value from certificate
  3. use all SAN values from certificate
  4. use Subject value from certificate
  5. use Common Name value from certificate

Each policy rule matches 'EAP-TLS' as the eap auth method and 'x509_PKI' as the auth method.

I've tried re-arranging the order of the identity policy rules.  I've also tried altering the values for the Advanced Options (continue vs. reject vs. drop) if auth fails, user not found, or process failed.

Regardless, I find that for the certificate in question identity policy evaluation never goes past the 1st rule.  In the case of the no SAN / dNSHostName subject certificate, identity policy evaluation essentially stops because 'principal username attribute is missing in client certificate'.  While I expect this to happen, my expectation is that the identity policy evaluation process will go on to rule #2.  However, it does not.

It's very possible that I'm defining these policies incorrectly.  Hopefully someone can lend some guidance.

Thanks.
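The fall-through the post asks for (try the SAN otherName, then SAN mail, then all SANs, then the Subject, then the CN, and stop at the first value that resolves in the directory) is easy to state but not something the thread finds a way to configure in ACS 5.2. The following is an added example, not ACS code and not anything posted in this thread: a small Python model of such an ordered identity-resolution chain, run against constructed certificate attribute sets and a constructed AD-like lookup table, so you can see exactly which rule would resolve each certificate and why the earlier rules are skipped. The profile names, the `DIRECTORY` entries, and the `ClientCert` fields are all assumptions made for illustration.

```python
# Illustrative model of an ordered, fall-through identity-resolution chain
# for EAP-TLS client certificates. Added example: this is NOT Cisco ACS code,
# and the thread reports that ACS 5.2 does not fall through between
# certificate authentication profiles. All names and data are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ClientCert:
    """Fields an authenticator typically extracts from an X.509 client cert."""
    subject: dict = field(default_factory=dict)   # e.g. {"CN": "ws01.corp.example"}
    san_other_name: Optional[str] = None          # SAN otherName (UPN)
    san_rfc822: Optional[str] = None              # SAN rfc822Name (mail)
    san_dns: list = field(default_factory=list)   # SAN dNSName entries


# Constructed AD-like directory: principal-username value -> account name.
DIRECTORY = {
    "alice@corp.example": "alice",            # userPrincipalName
    "alice.liddell@corp.example": "alice",    # mail
    "ws01.corp.example": "ws01$",             # dNSHostName of a computer account
}


def _subject_string(cert):
    return "/".join(f"{k}={v}" for k, v in cert.subject.items())


# Ordered cert-auth "profiles" (hypothetical names mirroring the post's list).
# Each extractor returns the principal-username candidates it can derive from
# the cert, or [] when the attribute is absent from the certificate.
PROFILES = [
    ("SAN otherName", lambda c: [c.san_other_name] if c.san_other_name else []),
    ("SAN mail",      lambda c: [c.san_rfc822] if c.san_rfc822 else []),
    ("all SAN",       lambda c: [v for v in [c.san_other_name, c.san_rfc822, *c.san_dns] if v]),
    ("Subject",       lambda c: [_subject_string(c)] if c.subject else []),
    ("Common Name",   lambda c: [c.subject["CN"]] if "CN" in c.subject else []),
]


def resolve_identity(cert, profiles=PROFILES, directory=DIRECTORY):
    """Try each profile in order. Returns (profile_name, account, trace).

    profile_name/account are None when no profile resolves the certificate.
    trace lists, per skipped profile, why it did not resolve the identity.
    """
    trace = []
    for name, extract in profiles:
        candidates = extract(cert)
        if not candidates:
            # This is the condition the post hits on rule 1 for the no-SAN cert.
            trace.append((name, "principal username attribute missing in client certificate"))
            continue
        for cand in candidates:
            if cand in directory:
                return name, directory[cand], trace
        trace.append((name, f"no directory match for {candidates}"))
    return None, None, trace


if __name__ == "__main__":
    # Constructed certs: a user cert with UPN+mail, a user cert with mail only,
    # and the post's case: no SAN at all, only a host name in the Subject CN.
    samples = {
        "user with UPN":   ClientCert(subject={"CN": "Alice"},
                                      san_other_name="alice@corp.example",
                                      san_rfc822="alice.liddell@corp.example"),
        "user mail only":  ClientCert(subject={"CN": "Alice"},
                                      san_rfc822="alice.liddell@corp.example"),
        "host, no SAN":    ClientCert(subject={"CN": "ws01.corp.example"}),
        "unknown host":    ClientCert(subject={"CN": "nope.corp.example"}),
    }
    for label, cert in samples.items():
        rule, account, trace = resolve_identity(cert)
        print(f"{label:16} -> rule={rule!r} account={account!r}")
        for skipped, why in trace:
            print(f"{'':16}    skipped {skipped}: {why}")
```

The "host, no SAN" sample is the post's own scenario: the first three profiles report the principal-username attribute as missing, the Subject profile extracts a value that does not match anything, and only the Common Name profile resolves the machine account. In the model that is a normal fall-through; in the thread's ACS 5.2 setup, evaluation stops at the first profile instead.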

3 Replies

paul_j_teeter
Level 1

There may be an underlying issue with my config.  Here's what I'd like to accomplish with EAP-TLS -

  • client presents certificate
  • ACS looks at, say, SAN mail and tries to match a value in AD - success/fail
  • ACS looks at, say, Subject and tries to match a value in AD - success/fail

Etc. etc.

Perhaps I need to define these among the Identity Store sequences...

Identity store sequences will not do the trick either; when you select certificate-based, it only allows you to choose one cert auth profile.

Can you provide more detail as to why you are trying to get this to work? It seems as if you have the ability to deploy which cert template you choose.

I don't think this is possible after looking through the ACS.

Thanks,

Tarik