11-12-2025 02:21 AM
A quick overview of the scenario: macOS devices are managed by Jamf Cloud. SCEP certificates are deployed from a Microsoft CA via the Jamf proxy. A custom sync workflow creates an AD object for each Jamf-managed device and ISE looks at the cert CN to perform a match to the AD object.
However, when automatic certificate renewal is enabled in Jamf Pro, a UUID is added to the CN of the deployed certificate, so this authorization flow now fails. There are several SANs in the certificate, and when "Any Subject or Alternative Name Attributes in the Certificate (for Active Directory Only)" is enabled in the policy, authentication is successful but with a significant delay. Is this delay to be expected?
11-12-2025 03:10 AM
@HamFisted Did you try using Certificate Attribute "Subject Alternative Name"?
11-12-2025 01:16 PM
The delay is caused by the 'Any Subject or Alternate Name Attributes in the Certificate', which forces ISE to parse all SAN attributes to match against AD. The length of delay will depend on the no. of SAN entries and/or the size of the AD forest.
You should be able to limit the no. of SAN entries in Jamf's SCEP configuration.