Cisco ISE authentication via certificate and authorization via Azure

Hi All,

I'm configuring Cisco ISE policy sets according to this document:

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-entra-id-and-intune/ta-p/4763635/show-comments/true

In that document, when authentication is via certificate, it includes certificate issuer and subject; however, in the authorization part, certificate issuer and subject are also added, and additionally Azure groups and MDM.

I wanted to check why certificate issuer and subject are added in the authorization rules (in all examples). What is the difference between adding them or not?

Thanks

Greg Gibbs
Cisco Employee

The Authorization policies are evaluated by any session that passes Authentication.

In general, I match those values in the Authentication policy to define which CAP/ISS to use. I use the same conditions in my Authorization policies to ensure that the session that hit my expected Authorization policy was also authenticated by the expected Authentication policy (as much as possible).

It is not a requirement, but my personal preference for best practice.
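
To make the difference concrete, here is a small Python model of that evaluation. It is an added example, not from this thread or from Cisco ISE itself; it assumes a policy set with one certificate-based authentication rule plus a second, non-certificate rule, and uses constructed sample attributes (issuer CN, Azure group name, MDM status).

```python
from dataclasses import dataclass, field
from typing import Optional, Set

CORP_ISSUER = "CN=Corp-Issuing-CA"  # assumed issuer name of the corporate CA

@dataclass
class Session:
    """Constructed session attributes, standing in for what ISE sees."""
    cert_issuer: Optional[str] = None   # issuer of the client certificate, if any
    cert_subject: Optional[str] = None  # subject of the client certificate, if any
    azure_groups: Set[str] = field(default_factory=set)
    mdm_compliant: bool = False
    auth_passed: bool = False           # set by authenticate()

def authenticate(s: Session) -> Optional[str]:
    """Authentication policy: the issuer/subject conditions pick the CAP/ISS rule.
    A second, non-certificate rule is assumed in the same policy set."""
    if s.cert_issuer == CORP_ISSUER and s.cert_subject:
        s.auth_passed = True
        return "EAP-TLS_CorpCA"
    if s.cert_issuer is None and s.cert_subject is None:
        s.auth_passed = True            # e.g. a password-based rule against AD (assumed)
        return "Password_AD"
    return None                          # no rule matched: authentication fails

def authorize(s: Session, repeat_cert_conditions: bool) -> str:
    """Authorization policy, reached by ANY session that passed authentication.
    The permit rule checks the Azure group and MDM status; with
    repeat_cert_conditions=True it also repeats the issuer/subject conditions."""
    if not s.auth_passed:
        return "REJECT"
    cert_ok = (not repeat_cert_conditions) or (
        s.cert_issuer == CORP_ISSUER and s.cert_subject is not None)
    if cert_ok and "Corp-Devices" in s.azure_groups and s.mdm_compliant:
        return "PermitCorpAccess"
    return "DenyAccess"

def evaluate(s: Session, repeat_cert_conditions: bool) -> tuple:
    """Run the policy set end to end: (authentication rule hit, authorization result)."""
    rule = authenticate(s)
    if rule is None:
        return (None, "REJECT")
    return (rule, authorize(s, repeat_cert_conditions))

if __name__ == "__main__":
    corp = Session(CORP_ISSUER, "CN=laptop01", {"Corp-Devices"}, True)
    no_cert = Session(None, None, {"Corp-Devices"}, True)
    print(evaluate(corp, True), evaluate(no_cert, False), evaluate(no_cert, True))
```

The session without a certificate reaches the permit rule only when the authorization rule omits the issuer/subject conditions, which is the gap the repeated conditions close.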

Hi @Greg Gibbs 

Thanks for the explanation.

Without certificate Issuer/Subject in Authorization Policies all our tests were successful.

However, if there are several Policy Sets and each one includes many Authorization Policies, a certificate Issuer/Subject change will require changing all Authorization Policies, so I wanted to check what the difference is.