01-11-2018 06:36 AM
Hello,
I am using ISE 2.2 to deliver certificate to Chromebook devices, with the Cisco NSA agent.
When Cisco NSA is requesting the certificate from the ISE, it writes the Active Directory UserPrincipalName as the Common Name in the certificate. Unfortunately the UPN contains an @, which is not an allowed character (RFC5280).
Is there a way to customize the internal CA behaviour to deliver a certificate based on another identity field, like SAMAccountName?
Thank you in advance for your help.
Ps: The Google Chromium team has implemented an internal hack to ignore the issue (chromeOS 63 and 64), but we do not know how long they will keep it...
01-11-2018 11:14 AM
No customization for such at the moment.
This issue is currently tracked by CSCvg97635
01-17-2018 06:54 AM
Hello,
Thank you for the feedback and to see that the bug is finally readable.
Do you have any idea about when a fix could be expected?
01-24-2018 01:03 PM
Hello,
There is still no feedback about this issue (even if it is followed by a public bug):
- no resolution time estimation.
- nothing from Cisco about the eventual possibilities (in order to anticipate).
As a workaround, is there a way to block ISE from reading/retrieving some attribute in the Active Directory (like the UPN, for example)?
Thank you in advance for your help
01-25-2018 07:59 AM
Suggest you escalate this through the TAC as a defect if it's breaking your network.
01-25-2018 11:25 AM
We already have a case open since the 24th of November, but we never got the kind of information Howon just shared.
01-25-2018 11:28 AM
It's in the defect workaround; also, if you're not getting anywhere you should escalate.
Workaround:
In AD, clear the upn attribute value for the user when you create and initiate portal authentication from chromebook. However, this only works if the upn attribute is cleared prior to initial ISE login.
Another potential workaround is to downgrade to ISE 2.1 patch 4+ or upgrade to ISE 2.3. Both versions have a related fix which honors whatever the user enters in the username field as the CN. IOW, if the username entered in the web portal was the shortname, ISE will generate the certificate with CN=shortname, and if the user entered the UPN format, then the certificate will be generated as CN=UPN.
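An added check, not from this thread or from Cisco's code, that an administrator can run over issued subjects to see which form the CN took: it decodes a minimal DER-encoded X.501 Name, flags a CN that holds a UPN, and flags a CN encoded as PrintableString that contains '@', which the X.680 PrintableString character set does not include. `der_name_cn` is an assumed helper that builds constructed sample subjects for testing.

```python
# Added example (not from the thread or Cisco): classify the CN of an issued
# certificate subject and derive the shortname CN from a UPN.
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")           # X.680 PrintableString set
OID_CN = bytes.fromhex("550403")                    # id-at-commonName 2.5.4.3
TAG_PRINTABLE, TAG_UTF8 = 0x13, 0x0C

def printable_string_ok(value: str) -> bool:
    """True if every character is allowed in a PrintableString ('@' is not)."""
    return all(ch in PRINTABLE for ch in value)

def shortname_from_upn(upn: str) -> str:
    """'jdoe@example.com' -> 'jdoe' (the sAMAccountName-style shortname)."""
    return upn.split("@", 1)[0]

def _tlv(buf: bytes, pos: int):
    """Minimal DER TLV reader: returns (tag, value, next_pos); definite lengths only."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def cn_from_der_name(name: bytes):
    """Return (string_tag, text) of the first commonName in a DER Name, or None."""
    _, rdns, _ = _tlv(name, 0)                      # SEQUENCE OF RDN
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = _tlv(rdns, pos)               # SET OF AttributeTypeAndValue
        _, atv, _ = _tlv(rdn, 0)                    # SEQUENCE { type, value }
        _, oid, p = _tlv(atv, 0)
        vtag, val, _ = _tlv(atv, p)
        if oid == OID_CN:
            return vtag, val.decode("utf-8")
    return None

def check_cn(name: bytes) -> str:
    """'ok', 'upn-in-cn' (CN carries user@domain), 'not-printable'
    (PrintableString CN holding a character outside its set), or 'no-cn'."""
    found = cn_from_der_name(name)
    if found is None:
        return "no-cn"
    vtag, cn = found
    if vtag == TAG_PRINTABLE and not printable_string_ok(cn):
        return "not-printable"
    return "upn-in-cn" if "@" in cn else "ok"

def der_name_cn(cn: str, tag: int) -> bytes:
    """Constructed sample: a one-RDN DER Name with the given CN and string tag."""
    v = bytes([tag, len(cn)]) + cn.encode()
    atv = bytes([0x30, len(OID_CN) + 2 + len(v), 0x06, len(OID_CN)]) + OID_CN + v
    rdn = bytes([0x31, len(atv)]) + atv
    return bytes([0x30, len(rdn)]) + rdn
```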
01-25-2018 12:18 PM
Thank you Jason,
The escalation is in progress, but we never received the information you shared.
I will try tomorrow to upgrade my sandbox to 2.3.
Thanks again for your time.
01-25-2018 08:14 AM
Not a fix but a workaround: in ISE 2.1p4+ and ISE 2.3 there was a fix that honors whatever is entered into the username field as the CN value. The fix has not made it into 2.2 yet.
The plan is to fix CSCvg97635 but above can be a suitable workaround.
01-25-2018 11:21 AM
If 2.3 is acting as you describe, it is wonderful.
I will try to upgrade my sandbox to 2.3 tomorrow in order to evaluate the impacts on our configuration.
Thank you for the information, I will keep you posted.