Certificate Authentication Profile Issue

gasliu
Level 1

Hi Expert,

My customer is trying to use ISE to deploy a BYOD solution, but currently they are facing an issue with certificate authentication.

For the normal PC access, they are using the Microsoft CA to issue the certificate. So for that certificate, the Subject Alternative Name is the email address of the user. However, for the BYOD users (mobile device users), they are using the ISE CA. So in this case, for the ISE CA, the Subject Alternative Name is the MAC address.

During the deployment, only the PCs can get access to the network via certificate authentication. But the mobile users (BYOD users) cannot pass the certificate authentication, as the ISE log shows the username is not found in the certificate attributes.

So I was thinking of using a certificate authentication profile to change the certificate attribute from SAN to Common Name, and letting the BYOD users use that certificate authentication profile for certificate authentication. But it turns out to be the same issue.

Can you please advise on it?

Thank you.

Gaspard

3 Replies

hslai
Cisco Employee

The certificate authentication profiles in ISE 1.3+ have a new option:

"Any Subject or Alternative Name Attributes in the Certificate (for Active Directory Only)"

(Quick Tip) [All subject names and alternative names in a certificate will be tried when looking up a user. The Active Directory Implicit UPN (User-Principal-Name) will be used as the user name for logs. Only available if Active Directory (AD) is selected as the Identity store.]

Please try it and see if it works for your use case.
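To make the difference between the profile settings concrete, here is a small stdlib-only model of how a certificate authentication profile picks the username from a client certificate, built from the option described above. It is an added example, not ISE code or Cisco's; the two certificates, the identity store, and the assumption that the ISE CA puts the username in the CN and the MAC in the SAN are constructed sample data.

```python
# Added example (not from the thread or from Cisco): model of how an ISE certificate
# authentication profile selects the username from a client certificate.
# All certificate values and the identity store below are constructed sample data.

# Identity store: usernames with the attributes the store could be matched on.
IDENTITY_STORE = {
    "jdoe": {"mail": "jdoe@example.com", "upn": "jdoe@corp.example.com"},
}

# SAN entries are (type, value) pairs, as a parsed X.509 SAN extension would yield.
PC_CERT = {  # Microsoft CA certificate: the SAN carries the user's e-mail address
    "subject_cn": "jdoe",
    "san": [("rfc822Name", "jdoe@example.com")],
}
BYOD_CERT = {  # ISE CA certificate for BYOD: the SAN carries the device MAC (assumed CN = user)
    "subject_cn": "jdoe",
    "san": [("otherName", "00-11-22-33-44-55")],
}


def _lookup(value):
    """Return the username whose name, mail or UPN equals value, else None."""
    needle = value.lower()
    for user, attrs in IDENTITY_STORE.items():
        if needle in {user.lower(), attrs["mail"].lower(), attrs["upn"].lower()}:
            return user
    return None


def resolve_username(cert, profile, identity_store_is_ad=True):
    """Model of the 'Use Identity From' setting of a certificate authentication profile.

    profile: "san" -> only the Subject Alternative Name entries are tried
             "cn"  -> only the subject Common Name is tried
             "any" -> every subject and SAN attribute is tried in turn
                      (the option is only offered when the identity store is AD)
    Returns (username or None, attribute that matched or the reason for failure).
    """
    if profile == "any" and not identity_store_is_ad:
        return None, "'any' option requires Active Directory as the identity store"
    candidates = []
    if profile in ("cn", "any"):
        candidates.append(("subject_cn", cert["subject_cn"]))
    if profile in ("san", "any"):
        candidates.extend(cert["san"])  # a MAC address will never resolve to a user
    for attr, value in candidates:
        user = _lookup(value)
        if user:
            return user, attr
    return None, "username not found in certificate attributes"
```

Running `resolve_username(BYOD_CERT, "san")` reproduces the "username not found in certificate attributes" failure from the original post, while `"any"` (or `"cn"` when the CN really is the username) resolves the user.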

Hi Hslai,

So if I click this option, when I configure the authentication policy, for the identity source part in authentication policy, should I choose AD or certificate authentication profile I created?

Best Regards,

Gaspard Liu (刘洪曦) .:|:.:|:.

CCIE Wireless

Hi Hslai,

Actually, I'm using ISE internal CA, is your way still workable?