03-28-2016 05:57 PM
Hi Expert,
My customer is trying to use ISE to deploy a BYOD solution, but currently they are facing an issue with certificate authentication.
For normal PC access, they are using the Microsoft CA to issue the certificate. So for that certificate, the Subject Alternative Name is the email address of the user. However, for the BYOD users (mobile device users), they are using the ISE CA. So in this case, for the ISE CA, the Subject Alternative Name is the MAC address.
During the deployment, only the PCs can get access to the network via certificate authentication. But the mobile users (BYOD users) cannot pass certificate authentication, as the ISE log shows the username is not found in the certificate attributes.
So I was thinking to use a certificate authentication profile to change the certificate attribute from SAN to Common Name, and let the BYOD users use that certificate authentication profile for certificate authentication. But it turns out to be the same issue.
Can you please advise on it?
Thank you.
Gaspard
03-28-2016 06:08 PM
The certificate authentication profiles in ISE 1.3+ have a new option:
( ) Any Subject or Alternative Name Attributes in the Certificate (for Active Directory Only)
(Quick Tip) [All subject names and alternative names in a certificate will be tried when looking up a user. The Active Directory Implicit UPN (User-Principal-Name) will be used as the user name for logs. Only available if Active Directory (AD) is selected as the Identity store.]
Please try it and see if it works for your use case.
03-28-2016 06:30 PM
Hi Hslai,
So if I click this option, when I configure the authentication policy, for the identity source part in the authentication policy, should I choose AD or the certificate authentication profile I created?
Best Regards,
Gaspard Liu (刘洪曦)
CCIE Wireless
03-29-2016 12:10 AM
Hi Hslai,
Actually, I'm using the ISE internal CA. Is your way still workable?