EAP-TLS Computer Authentication Failing

MaErre21325 (Level 1)

Hi,

I have configured ISE to accept both machine and user certificate authentications and MAB device management.
The user and MAB certificate authentications are working properly, so the ISE, switch and supplicant-side configuration of the PC are all OK.
Authentications with the computer certificate, on the other hand, do NOT work. My client generates and manages the certificates from Intune, and as CN it passes me the Intune GUID and as SAN the machine name; unfortunately I get denies because I think ISE can't read/find the machine name in AD, and so the process fails.
I have already done the integration of Intune as an external MDM, but I don't understand how to unlock this situation. Does anyone have any ideas?
I'm mainly investigating the supplicant and the certificate structure, but I don't understand what it could be or how I could fix the configuration (for some reason the client doesn't want to pass the device ID as CN but wants the GUID).

Thanks
Regards

Accepted Solution

If the machine name is populated in the SAN, then I think you can change the certificate attribute in the certificate authentication profile (CAP) in ISE to look up the SAN rather than the CN value. To change that, click on the drop-down menu and select Subject Alternative Name - DNS or Other Name.

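Before changing the CAP attribute it is worth confirming which field of the supplicant's certificate actually carries the machine name. The script below is an added example, not part of the original thread or of any Cisco or Intune code. It hand-builds a minimal DER-encoded X.509 skeleton (constructed data: the GUID, the host name and the issuer name are made up, and the key and signature fields are empty placeholders), then walks the DER with a small stdlib-only parser to pull out the subject CN and the SAN dNSName entries, and finally models the CAP lookup as a simplified identity match against a constructed list of AD computer names. The `cap_lookup` model assumes a plain exact-match comparison, which is a simplification of what ISE does internally.

```python
"""Show why a CAP keyed on CN fails for an Intune-issued machine cert while
one keyed on SAN DNS succeeds. Pure stdlib; all certificate data is constructed."""

OID_CN = "2.5.4.3"        # id-at-commonName
OID_SAN = "2.5.29.17"     # id-ce-subjectAltName

# ---- tiny DER encoder (only what the skeleton needs) ------------------------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_cert(subject_cn, dns_names):
    """Constructed X.509 v3 skeleton: CN=<Intune GUID>, SAN dNSName=<host>."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        return tlv(0x30, tlv(0x31, tlv(0x30, encode_oid(OID_CN) + tlv(0x0C, cn.encode()))))
    general_names = tlv(0x30, b"".join(tlv(0x82, d.encode()) for d in dns_names))  # [2] dNSName
    san_ext = tlv(0x30, encode_oid(OID_SAN) + tlv(0x04, general_names))
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                      # [0] version v3
              + tlv(0x02, b"\x01")                               # serialNumber
              + tlv(0x30, encode_oid("1.2.840.113549.1.1.11"))   # signature alg (placeholder)
              + name("Intune MDM Issuing CA (constructed)")      # issuer
              + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
              + name(subject_cn)                                 # subject
              + tlv(0x30, b"")                                   # SPKI placeholder (empty)
              + tlv(0xA3, tlv(0x30, san_ext)))                   # [3] extensions
    return tlv(0x30, tbs + tlv(0x30, encode_oid("1.2.840.113549.1.1.11")) + tlv(0x03, b"\x00"))

# ---- tiny DER parser --------------------------------------------------------
def parse(data, pos=0):
    """Return (tag, body, next_pos) for the TLV at pos."""
    tag, pos = data[pos], pos + 1
    ln, pos = data[pos], pos + 1
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse(body, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def name_attrs(name_body):
    attrs = {}
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            attrs[decode_oid(oid)] = val.decode()
    return attrs

def cert_identities(cert_der):
    """Extract subject CN and every SAN dNSName from a DER certificate."""
    _, cert_body, _ = parse(cert_der)
    _, tbs, _ = parse(cert_body)                 # first element is TBSCertificate
    fields = children(tbs)
    off = 1 if fields[0][0] == 0xA0 else 0        # optional [0] version shifts positions
    subject = name_attrs(fields[off + 4][1])     # serial, sigalg, issuer, validity, subject
    sans = []
    for tag, val in fields:
        if tag == 0xA3:                          # [3] EXPLICIT Extensions
            (_, ext_seq), = children(val)
            for _, ext in children(ext_seq):
                parts = children(ext)            # OID, [critical], OCTET STRING
                if decode_oid(parts[0][1]) == OID_SAN:
                    _, general_names, _ = parse(parts[-1][1])
                    sans = [v.decode() for t, v in children(general_names) if t == 0x82]
    return {"CN": subject.get(OID_CN), "SAN_DNS": sans}

# ---- simplified model of the ISE CAP attribute choice -----------------------
AD_COMPUTERS = {"PC01.corp.example"}             # constructed AD computer inventory

def cap_lookup(identities, attribute):
    """Return the AD computer matched by the chosen CAP attribute, or None."""
    candidates = [identities["CN"]] if attribute == "CN" else identities["SAN_DNS"]
    return next((c for c in candidates if c in AD_COMPUTERS), None)

if __name__ == "__main__":
    cert = build_cert("3f2504e0-4f89-11d3-9a0c-0305e82c3301", ["PC01.corp.example"])
    ids = cert_identities(cert)
    print(ids)                                   # CN is the GUID, SAN holds the host name
    print("CAP on CN      ->", cap_lookup(ids, "CN"))
    print("CAP on SAN DNS ->", cap_lookup(ids, "SAN-DNS"))
```

Running it shows the CN-keyed lookup returning nothing (the GUID is not an AD computer name) while the SAN DNS lookup resolves the host, which is exactly the behaviour the CAP change addresses. Pointing `cert_identities` at a real DER export of the supplicant's certificate would confirm the same layout before touching the ISE profile.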