Cisco Employee

Client cert SAN field requirements for successful authentication

Would you provide insight on if and what ISE uses for validating the client cert? Are the contents of the SAN fields checked by default?

Specific questions below…

The client certificate generated from the ISE certificate provisioning portal has a MAC address in the Subject Alternative Name.

Questions: 1) Does ISE verify the MAC address from the certificate during the authentication process?

2) Is it obligatory? When I use an externally generated certificate without a MAC address in the SAN, will authentication fail?

1 ACCEPTED SOLUTION

Cisco Employee

It's done during authorization. ISE has a built-in rule and condition (MAC_in_SAN) for it. As shown, it's disabled by default but lots of deployments like to use it as an additional check.

Screen Shot 2017-04-20 at 7.30.59 AM.png
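The comparison that an optional MAC-in-SAN authorization check performs can be modelled as below. This is an added illustration, not part of the original post and not ISE's own code; it assumes the endpoint MAC is taken from the RADIUS Calling-Station-ID attribute, and the function names and sample values are constructed.

```python
import re

# Accepted MAC notations: aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
# aabb.ccdd.eeff and aabbccddeeff. Anything else (DNS names, e-mail
# addresses, UPNs) is treated as a non-MAC SAN entry.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|[0-9a-f]{12})$",
    re.IGNORECASE,
)

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    value = value.strip()
    if not _MAC_RE.match(value):
        return None
    return re.sub(r"[-:.]", "", value).lower()

def macs_in_san(san_entries):
    """Collect every SAN value that parses as a MAC address."""
    return {m for m in map(normalize_mac, san_entries) if m}

def evaluate(san_entries, calling_station_id, check_enabled):
    """Model the authorization-time condition (hypothetical helper).

    Certificate validation during authentication is assumed to have
    succeeded already; this step only compares identifiers.
    """
    if not check_enabled:
        return "not-evaluated"   # the default state described in the answer
    endpoint = normalize_mac(calling_station_id)
    if endpoint and endpoint in macs_in_san(san_entries):
        return "match"
    return "no-match"

# Constructed sample data: SAN values from a portal-issued certificate
# and from an externally issued certificate that carries no MAC.
PORTAL_CERT_SAN = ["AA-BB-CC-DD-EE-FF"]
EXTERNAL_CERT_SAN = ["laptop01.example.test"]

if __name__ == "__main__":
    for san in (PORTAL_CERT_SAN, EXTERNAL_CERT_SAN):
        for enabled in (False, True):
            print(san, enabled, evaluate(san, "aa:bb:cc:dd:ee:ff", enabled))
```

With the check disabled, the externally issued certificate is never compared against the endpoint MAC; only when the condition is enabled does the missing MAC produce a non-match.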
