Certificate based auth: which values are checked in AD?

LucaRota
Level 1

Hi everyone,

short version: does anyone know which value ISE searches for in AD when, through a Certificate Authentication Profile, ISE verifies the "Subject - Common Name" or "Subject Alternative Name" value found in the certificate (Certificate Authentication Profile->Use Identity From->Certificate Attribute->"Subject - Common Name")?

long version: I'm trying to integrate macOS machines in our company. This obviously requires an MDM (Jamf) and many profiles pushed to the devices.
I'm trying to create a full enrollment process via the Internet but, as our Microsoft AD is not externally exposed, there's no way to bind the Mac to our AD except by connecting it to the intranet.
So I've tried to just manually create the machine on the AD using the exact name it will have after receiving all the profiles/policies from the MDM, clearly putting it in the correct OU dedicated to the Macs.
The Wi-Fi network I'm trying to connect the Mac to uses EAP-TLS-based auth and, during the auth process (specific Certificate Authentication Profile), ISE tries to check a specific value found in the machine/Mac certificate against the AD ("Subject - Common Name" or "Subject Alternative Name").
Now, the certificate used in the certificate/machine authentication to the Wi-Fi network is correctly created by the CA and is delivered to the machine via MDM; also the Wi-Fi connection profile is pushed to the Mac.
But when the Mac tries to connect to the Wi-Fi Network I get a "22056 Subject not found in the applicable Identity Store....", so there's probably something in the manual creation of the machine on the AD that is not working fine.
Otherwise, if I connect the device to the intranet via cable and join it to the AD, I get a green light on the ISE Live Logs and the Mac connects to the Wi-Fi network without an error.

Any idea about what parameter I need to write on the AD during the manual creation of the Mac to correctly "simulate" a join suitable for the ISE Auth?

Many thanks!!
BR
Luca

2 Replies

Greg Gibbs
Cisco Employee

Hi @LucaRota. The issue is not so much how ISE is doing the lookup. The issue is that, when you create a Computer account in AD, it is basically just an empty container until that computer actually joins the domain. It is not a complete active account, so ISE gets a failed response from AD.

You can see the same behaviour if you do a Test User Authentication lookup from ISE against a real joined Computer account versus a lookup against an empty Computer account that has not been joined.

Example lookup against my 'surface1' joined computer:

[Screenshot: Screenshot 2023-01-25 at 9.19.15 am.png]

Example lookup against a newly created Computer account called 'mactest':

[Screenshot: Screenshot 2023-01-25 at 9.25.27 am.png]

LucaRota
Level 1

Thank you very much for your feedback, it has been really precious in helping me find the solution!

Searching on the Internet I've found a way to "offline" join a device to the AD.
https://learn.microsoft.com/en-us/windows-server/remote/remote-access/directaccess/directaccess-offline-domain-join

In a nutshell, launching that command from the shell of an AD controller successfully joined the Mac.
A test ("host/mac-test") on ISE (Test User Auth) gave me a "SUCCESS".
Tested directly on the Mac, everything worked as expected.

Thank you very much Greg, problem solved!!
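Greg's point, that a manually created Computer object stays an empty shell until a real (or offline) join completes, can be checked directly in AD before going through ISE. The following PowerShell is an added example, not code from the thread or from Cisco/Microsoft; it assumes the RSAT ActiveDirectory module on a domain-joined admin host, and the computer names 'surface1' and 'mactest' are taken from Greg's examples as placeholders.

```powershell
# Added example: compare a pre-staged AD computer object with one that has completed a domain join.
# Requires the ActiveDirectory module (RSAT). Run from a domain-joined host with read access to AD.
function Get-ComputerJoinState {
    param([Parameter(Mandatory)][string]$Name)

    $props = 'dNSHostName', 'servicePrincipalName', 'pwdLastSet', 'userAccountControl', 'OperatingSystem'
    $c = Get-ADComputer -Identity $Name -Properties $props -ErrorAction Stop

    # 0x20 = PASSWD_NOTREQD: present on accounts pre-created in AD that never set a machine password
    $passwdNotRequired = ($c.userAccountControl -band 0x20) -ne 0
    # pwdLastSet stays 0 until the machine itself (or an offline join) sets a password
    $hasPassword       = $c.pwdLastSet -gt 0
    # A joined machine registers HOST/ SPNs and its DNS host name; a pre-staged shell has neither
    $hasSpns           = $c.servicePrincipalName.Count -gt 0
    $hasDnsName        = -not [string]::IsNullOrEmpty($c.dNSHostName)

    [pscustomobject]@{
        Name              = $c.Name
        SamAccountName    = $c.SamAccountName
        DnsHostName       = $c.dNSHostName
        HostSpns          = @($c.servicePrincipalName | Where-Object { $_ -like 'HOST/*' })
        PasswordEverSet   = $hasPassword
        PasswdNotRequired = $passwdNotRequired
        OperatingSystem   = $c.OperatingSystem
        # All four conditions hold for a joined account; a manually created one fails them,
        # which matches the empty-container behaviour Greg describes for the ISE lookup.
        LooksJoined       = $hasPassword -and $hasSpns -and $hasDnsName -and -not $passwdNotRequired
    }
}

# Joined machine from Greg's example vs. the empty pre-created account (placeholder names)
'surface1', 'mactest' | ForEach-Object { Get-ComputerJoinState -Name $_ } | Format-List
```

Re-run the check after the offline join: an account that reports LooksJoined = True is the state in which the ISE Test User Authentication lookup returned SUCCESS above.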
