Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
771
Views
1
Helpful
1
Replies

client cert san field requirements for successful authentication

Go to solution
mpeeters
Cisco Employee
Cisco Employee

‎04-20-2017 02:51 AM

Would you provide insight on if and what ise uses  for validating the client cert ? Is the contents of the sans fields checked by default ?

Specific questions below…

The client certificate generated from ISE certificate provisioning portal has mac address in Subject Alternative Name.

Questions: 1) Does ISE verify mac address from certificate during authentication process?

2) Is it obligatory? When I use externally generated certificate without mac address in SAN will authentication fail?

1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎04-20-2017 07:33 AM

It's done during authorization. ISE has a built-in rule and condition (MAC_in_SAN) for it. As shown, it's disabled by default but lots of deployments like to use it as an additional check.

Screen Shot 2017-04-20 at 7.30.59 AM.png

View solution in original post

0 Helpful
1 Reply 1

Go to solution
hslai
Cisco Employee
Cisco Employee

‎04-20-2017 07:33 AM

It's done during authorization. ISE has a built-in rule and condition (MAC_in_SAN) for it. As shown, it's disabled by default but lots of deployments like to use it as an additional check.

Screen Shot 2017-04-20 at 7.30.59 AM.png

0 Helpful
Customers Also Viewed These Support Documents