09-01-2014 11:26 PM - edited 03-10-2019 09:59 PM
Hi all,
My organization wants to authenticate medical devices with a certificate.
What I'm trying to do is: on the certificate, the user name will be the device's MAC address,
and the ISE policy will be: if the user name equals the MAC address, then it authenticates.
So far I haven't succeeded.
Is it possible?
Lee.
09-02-2014 07:16 PM
It sounds like you are trying to do two different things.
The certificate can be done through 802.1X using PEAP. I don't know if your devices can handle dot1x, so if not they can use MAB. Far less secure, but if it's a low-level device like a printer that has limited input capability then you are stuck with MAB.
What you could do with MAB is use the OUI and some other identifying information (if available) like device host names (this can be derived from DHCP, I believe) and possibly AV pairs (RADIUS) to help profile the devices. These can be put into a custom endpoint profile that is given a specific authorization rule.
The whole point is to try to isolate certain types of equipment so that only they get the custom authz rule.
Does this make sense? I'm shooting a little blind here without more info.
09-03-2014 12:04 AM
If I am understanding this correctly, you are trying to perform EAP-TLS authentication and you want the X.509 principal username to be the MAC address of the authenticating device? Is that correct?
09-07-2014 02:40 AM
Thanks for your reply,
This is exactly what I'm trying to figure out.
In the email field of the certificate I put the MAC address of the device,
and on my ISE I selected this field as the X.509 user name.
I attached an image from my ISE.
You can see that the user name and the mac address are the same.
The problem is that I can't authenticate them as I want:
user name = MAC address.
Lee.
09-07-2014 03:33 PM
It looks like your Authorization Profile isn't formed to properly catch the "username" part. Can you share your Policy section with the AuthZ profile?
09-09-2014 05:18 AM
This is what I tried so far:
The authentication works fine but the authorization fails.
If Any AND Radius:User-Name EQUALS Radius:Calling-Station-ID then PermitAccess,
or this one:
If Any AND Radius:Calling-Station-ID EQUALS Certificate:Subject-Email (this field is configured with the MAC address) then PermitAccess.
thanks,
Lee.
09-09-2014 08:56 AM
I'm in an ISE class this week and it was suggested to me that you should configure and use a Certificate Authentication Profile (found under Administration, Identity Management, External Identity Sources). Then use that profile in your policy.
You may need to use a field other than email address, as the ISE PSN may do some validation checking to look for a well-formed email address (i.e. with an "@" sign in the attribute).
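The two authorization conditions posted above compare the certificate's email field with Radius:Calling-Station-ID as strings, and the reply above notes that the email field may have to be a well-formed address. Before a string comparison like that can succeed, both sides must be in the same representation: a MAC written as "aa:bb:cc:dd:ee:ff" in a certificate field does not equal "AA-BB-CC-DD-EE-FF" as a RADIUS client typically sends it. The following is an added example, not code from the thread or from Cisco ISE, that canonicalizes both values (including a MAC used as the local part of an e-mail address, which is an assumption about how the field might be populated) and applies the "user name must equal MAC address" rule to a few constructed request records.

```python
import re

# 12 lowercase hex digits: the canonical form every MAC is reduced to.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Reduce a MAC written in any common notation to 12 lowercase hex chars.

    Accepted inputs: aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff,
    aabbccddeeff, and (assumption) an e-mail form "<mac>@domain" where the
    local part carries the MAC. Returns None when the value is not a MAC.
    """
    if value is None:
        return None
    v = value.strip()
    if "@" in v:
        v = v.split("@", 1)[0]          # keep only the local part
    v = re.sub(r"[:\-.\s]", "", v).lower()
    return v if _HEX12.match(v) else None


def mac_matches(cert_field, calling_station_id):
    """True only if both values are MACs and refer to the same address."""
    a = normalize_mac(cert_field)
    b = normalize_mac(calling_station_id)
    return a is not None and a == b


def evaluate(records):
    """Apply the rule from the thread to (certificate field, Calling-Station-Id) pairs.

    PermitAccess when the MAC in the certificate equals the MAC the NAS reported,
    DenyAccess otherwise (including malformed values).
    """
    results = []
    for cert_field, csid in records:
        verdict = "PermitAccess" if mac_matches(cert_field, csid) else "DenyAccess"
        results.append((cert_field, csid, verdict))
    return results


# Constructed sample records; the MACs and domain are made up for illustration.
SAMPLE_RECORDS = [
    ("aa:bb:cc:dd:ee:ff", "AA-BB-CC-DD-EE-FF"),             # same MAC, different separators
    ("aabbccddeeff@devices.example", "aa-bb-cc-dd-ee-ff"),  # MAC as e-mail local part (assumption)
    ("aa:bb:cc:dd:ee:ff", "AA-BB-CC-DD-EE-01"),             # certificate presented from another device
    ("not-a-mac", "AA-BB-CC-DD-EE-FF"),                     # malformed certificate field
]


if __name__ == "__main__":
    for cert_field, csid, verdict in evaluate(SAMPLE_RECORDS):
        print(f"{cert_field:32} {csid:20} -> {verdict}")
```

The two separator conventions in the first record are exactly the kind of mismatch that makes a plain string-equality condition fail even though the values name the same device; if the certificate field and Calling-Station-Id are written in different notations, one of them has to be canonicalized before the comparison. Note also that this check ties the certificate to a MAC address as reported by the NAS, and a MAC address can be changed on most hosts, so it raises the bar against casual copying of the certificate rather than against a deliberate attacker who also spoofs the MAC.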
09-10-2014 05:14 AM
Hi Marvin,
I already did it.
This is why I can see the user name as my MAC address from the specified email field.
If you look at the first picture that I uploaded, you can see that ISE recognizes the user ID as the MAC address.
This is not the problem.
What I'm trying to do is to "lock" the device to the certificate, because I don't want someone to install that certificate on another device.
If anyone has any idea how to do this, I'll be grateful.
Thanks,
Lee.
09-10-2014 04:01 PM
You first asked about how to avoid failing authorization. Now you mention wanting to lock the use of that certificate to a specific device. Those are two separate issues.
For the first, please share the results of your authorization from the Operations page.
For the second, you should be able to make a compound condition using both the certificate and information from a profiling source that will include the actual MAC address. Several sources can give you this - DHCP profiling, RADIUS accounting, IOS sensor etc. Which to use depends on your environment's capabilities and design.
09-09-2014 01:49 PM
The authentication process is definitely failing (based on the screenshot that you posted). Before I can provide more help I will need screen shots showing all details around the Policy Set that you are using.
09-09-2014 04:12 AM
I agree with Marvin, we need some more info. If possible please paste some screenshots of your authorization policy and details of the conditions/results.