Authorization policy based on machine cert (SAN value) and also user authentication with AnyConnect NAM module

azhar_eaggle1
Level 1

Authorization policy based on machine cert (SAN value) and also user authentication with AnyConnect NAM module?

As machine authentication always happens first, and then user authentication, can we authorize policies based on the machine cert? And we also want to do user authentication?

We will have two types of machine cert, differentiated by SAN value, and a single AD group, and we want to authorize based on the machine cert (SAN value) and also user authentication. Is this possible? If yes, how will it work?

7 Replies

hslai
Cisco Employee

Please start with this guide -- How To: Deploy EAP Chaining with AnyConnect NAM and ISE

And, try it out in your lab. I have no existing setup for EAP Chaining so it would take me some time to do it.

I don't have a home lab set up for this. Can you please check with your Cisco colleagues?

So, we didn't do this exact thing, but we did try EAP Chaining to verify the system was domain joined and the user was authenticated. We ran into issues with the NAM module and ended up scrapping it due to the issues.

hslai
Cisco Employee

Please give a good example how you would like ISE authorization rule to match on the SAN value of a machine certificate to differentiate two different types of certificates.

We have 2 different types of cert based on SAN value:

1- Prod.xyz.com

2-Test.XYZ.com


and one AD domain group. So we want that if the end user has a 'Prod.xyz.com' cert and valid AD credentials, it should have access to the Prod environment only,

and if the end user has a 'Test.xyz.com' cert and valid AD credentials, it should have access to the Test environment only.

From what I can see, the only way to do that would be EAP chaining; otherwise perhaps rely on the supplicant to do machine cert plus sending to a portal for CWA chaining? @hslai any other ideas?

I am not in the community support duty this week so I am not monitoring the forum.

Assuming you meant the Windows computers have a DNS entry in the certificate SAN field, such as

corp1.prod.demo.local or guest2.test.demo.local

And, the users authenticate via password.

Below is a sample policy set and results.

[Screenshot: Screen Shot 2019-01-10 at 4.38.43 PM.png (sample policy set)]

[Screenshot: Screen Shot 2019-01-10 at 4.34.40 PM.png (results)]
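As an added illustration of the rule logic in the answer above (not code from the original post and not ISE's own engine), here is a small Python model of the authorization decision: the SAN DNS name selects the environment, and EAP chaining must report that both the machine and the user succeeded. The profile names, the AD group, the sample SAN names and the session fields are constructed; the `chaining_result` strings mirror ISE's Network Access:EapChainingResult values.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed mapping: SAN DNS suffix per environment -> authorization profile.
ENV_BY_SAN_SUFFIX = {
    "prod.xyz.com": "PermitAccess-Prod",   # hypothetical profile name
    "test.xyz.com": "PermitAccess-Test",   # hypothetical profile name
}
REQUIRED_AD_GROUP = "CORP\\Domain Users"   # constructed single AD group

@dataclass
class Session:
    san_dns: list[str]                        # DNS entries from the machine cert SAN
    chaining_result: str                      # modelled on Network Access:EapChainingResult
    ad_groups: list[str] = field(default_factory=list)  # groups of the authenticated user

def san_matches_env(dns_names: list[str], suffix: str) -> bool:
    """True if a SAN DNS name equals the suffix or sits beneath it on a label boundary.
    A plain 'contains' match would also accept 'prod.xyz.com.example.net', so the
    comparison is anchored at the end of the name and case-insensitive."""
    suffix = suffix.lower()
    for name in dns_names:
        n = name.lower().rstrip(".")
        if n == suffix or n.endswith("." + suffix):
            return True
    return False

def authorize(s: Session) -> str:
    # Both legs of the EAP-FAST chain must succeed: machine cert AND user credentials.
    if s.chaining_result != "User and machine both succeeded":
        return "DenyAccess"
    if REQUIRED_AD_GROUP not in s.ad_groups:
        return "DenyAccess"
    # Exactly one environment suffix must match; a cert that carries names from
    # both environments, or from neither, fails closed.
    matched = [p for suf, p in ENV_BY_SAN_SUFFIX.items() if san_matches_env(s.san_dns, suf)]
    return matched[0] if len(matched) == 1 else "DenyAccess"

if __name__ == "__main__":
    prod = Session(["pc01.prod.xyz.com"], "User and machine both succeeded", [REQUIRED_AD_GROUP])
    print(authorize(prod))   # PermitAccess-Prod
```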