ISE 2.2 Internal CA Customization



I am using ISE 2.2 to deliver certificates to Chromebook devices, with the Cisco NSA agent.

When Cisco NSA requests the certificate from the ISE, it writes the Active Directory UserPrincipalName as the Common Name in the certificate. Unfortunately the UPN contains an @, which is not an allowed character (RFC 5280).

Is there a way to customize the internal CA behaviour to deliver certificates based on another identity field like sAMAccountName?

Thank you in advance for your help.

PS: The Google Chromium team has implemented an internal hack to ignore the issue (ChromeOS 63 and 64), but we do not know how long they will keep it...
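An added audit helper for the situation described above (not code from the thread, from Cisco ISE, or from Chromium): it walks a DER-encoded X.509 subject Name with the standard library only, extracts the CN, and reports whether the CN was encoded as a PrintableString while containing a character outside the PrintableString alphabet (such as the @ of a UPN). The sample subject bytes are constructed for the example.

```python
"""Audit the CN of a DER-encoded X.509 subject for a UPN-style value.

Constructed example: flags a commonName that is tagged PrintableString
(ASN.1 tag 0x13) but carries characters the PrintableString alphabet
does not allow, e.g. the '@' in an AD UserPrincipalName.
"""
import re

# PrintableString alphabet per X.680: letters, digits and a few symbols.
PRINTABLE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")
TAG_NAMES = {0x13: "PrintableString", 0x0C: "UTF8String",
             0x1E: "BMPString", 0x16: "IA5String"}
CN_OID = bytes.fromhex("550403")  # OID 2.5.4.3, id-at-commonName


def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        yield tag, val


def audit_subject_cn(subject_der):
    """Locate the CN in a Name and describe how it was encoded."""
    _, name, _ = _tlv(subject_der, 0)            # Name ::= SEQUENCE OF RDN
    for _, rdn in _children(name):               # RDN ::= SET OF ATV
        for _, atv in _children(rdn):            # ATV ::= SEQUENCE {oid, value}
            (_, oid), (vtag, val) = list(_children(atv))[:2]
            if oid != CN_OID:
                continue
            cn = val.decode("utf-8", "replace")
            kind = TAG_NAMES.get(vtag, hex(vtag))
            invalid = kind == "PrintableString" and not PRINTABLE.match(cn)
            return {"cn": cn, "encoding": kind, "invalid": invalid,
                    "upn_style": "@" in cn}
    return None  # no CN attribute present


# Constructed sample: CN=user@example.com tagged as PrintableString (0x13).
SAMPLE_UPN_SUBJECT = bytes.fromhex("301b3119301706035504031310") + b"user@example.com"
# Constructed sample: CN=jdoe (a sAMAccountName-style short name).
SAMPLE_SHORT_SUBJECT = bytes.fromhex("300f310d300b06035504031304") + b"jdoe"
```

Run `audit_subject_cn()` over the DER subject of each certificate the internal CA has issued to see which ones carry an @ in a PrintableString CN.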

Accepted Solution

Cisco Employee

No customization for such at the moment.

This issue is currently tracked by CSCvg97635

9 Replies

Thank you for the feedback and to see that the bug is finally readable.

Do you have any idea about when a fix could be expected?


There is still no feedback about this issue (even if followed by a public bug):

- no resolution time estimation.

- nothing from Cisco about the eventual possibilities (in order to anticipate).

To work around it, is there a way to block the ISE from reading/retrieving some attribute in the Active Directory (like the UPN, for example)?

Thank you in advance for your help

Suggest you escalate this through the TAC as a defect if it's breaking your network.

We already have a case open since 24th of November, but we never got the kind of information howon just shared.

It's in the defect workaround; also, if you're not getting anywhere you should escalate.


In AD, clear the UPN attribute value for the user when you create and initiate portal authentication from the Chromebook. However, this only works if the UPN attribute is cleared prior to the initial ISE login.

Another potential workaround is to downgrade to ISE 2.1 patch 4+ or upgrade to ISE 2.3. Both versions have a related fix which honors whatever the user enters in the username field as the CN. IOW, if the username entered in the web portal was the shortname, ISE will generate the certificate with CN=shortname, and if the user entered UPN format, then the certificate will be generated with CN=UPN.

Thank you Jason,

The escalation is in progress, but we never received the information you shared.

I will try tomorrow to upgrade my sandbox to 2.3.

Thanks again for your time.

Cisco Employee

Not a fix but a workaround: if running ISE 2.1p4+ and ISE 2.3, there was a fix that honors whatever is entered into the username field as the CN value. The fix has not made it into 2.2 yet.

The plan is to fix CSCvg97635 but above can be a suitable workaround.

If 2.3 is acting as you describe, it is wonderful.

I will try to upgrade my sandbox to 2.3 tomorrow in order to evaluate the impacts on our configuration.

Thank you for the information, I'll keep you posted.
