Client cert SAN field requirements for successful authentication

mpeeters
Cisco Employee

Would you provide insight on if and what ISE uses for validating the client cert? Are the contents of the SAN fields checked by default?

Specific questions below…

The client certificate generated from the ISE certificate provisioning portal has the MAC address in the Subject Alternative Name.

Questions: 1) Does ISE verify the MAC address from the certificate during the authentication process?

2) Is it obligatory? When I use an externally generated certificate without a MAC address in the SAN, will authentication fail?

1 Accepted Solution

hslai
Cisco Employee

It's done during authorization. ISE has a built-in rule and condition (MAC_in_SAN) for it. As shown, it's disabled by default but lots of deployments like to use it as an additional check.

Screen Shot 2017-04-20 at 7.30.59 AM.png
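
Added example (not part of the original thread and not ISE's own code): a small Python model of an authorization-time MAC-in-SAN check, showing why an externally issued certificate without a MAC in the SAN is only rejected once the check is enabled. It assumes the endpoint MAC is taken from the RADIUS Calling-Station-Id attribute and that MAC formats are normalized before comparison; the function names and all sample values are constructed for illustration.

```python
import re

# Accepted MAC spellings: aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff,
# aabb.ccdd.eeff, aabbccddeeff (case-insensitive).
_MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{2}([-:])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|[0-9a-f]{12})$",
    re.IGNORECASE,
)


def normalize_mac(value):
    """Return 12 lowercase hex digits if value is a MAC address, else None."""
    value = value.strip()
    if not _MAC_FORMS.match(value):
        return None
    return re.sub(r"[-:.]", "", value).lower()


def san_macs(san_entries):
    """Collect every SAN value that parses as a MAC address."""
    return {m for m in map(normalize_mac, san_entries) if m is not None}


def authorize(san_entries, calling_station_id, mac_in_san_enabled=False):
    """Hypothetical authorization step, run after the certificate itself
    has already been validated during authentication."""
    if not mac_in_san_enabled:
        return "permit"  # check disabled: SAN contents are not compared
    endpoint = normalize_mac(calling_station_id)
    if endpoint is None:
        return "deny"  # no usable endpoint MAC to compare against
    return "permit" if endpoint in san_macs(san_entries) else "deny"


# Constructed sample data.
PORTAL_CERT_SAN = ["AA-BB-CC-11-22-33"]        # MAC placed in SAN by the portal
EXTERNAL_CERT_SAN = ["laptop01.example.test"]  # external CA, no MAC in SAN

if __name__ == "__main__":
    print(authorize(EXTERNAL_CERT_SAN, "aa:bb:cc:11:22:33"))        # check off
    print(authorize(EXTERNAL_CERT_SAN, "aa:bb:cc:11:22:33", True))  # check on
    print(authorize(PORTAL_CERT_SAN, "aa:bb:cc:11:22:33", True))    # same device
    print(authorize(PORTAL_CERT_SAN, "aa:bb:cc:44:55:66", True))    # other device
```

With the check enabled, a certificate presented from a device whose MAC is not in the SAN is denied, which is the additional binding of certificate to device that the answer refers to.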
