Cisco Employee

ISE 2.3 - Subject Alt Name or Calling-Station-ID case sensitive?

Hi team,

Has there been a change between ISE 2.0 and 2.3 in the case sensitivity of the Certificate:Subject Alternative Name and/or Radius:Calling-Station-ID attributes or the operators (EQUALS, MATCHES, CONTAINS)?

After upgrading from ISE 2.0 p4 to 2.3, the AuthZ policies based upon 'Certificate:Subject Alternative Name EQUALS Radius:Calling-Station-ID' are failing to hit.

I've tried using the EQUALS and MATCHES operators, but both fail. In the log details, these attributes are different cases.

Subject Alternative Name     00-DB-DF-58-64-A2

Calling Station Id      00-db-df-58-64-a2

If I change the Calling-Station-ID attribute to the string for the SAN (00-DB-DF-58-64-A2), the rule hits.

If I change the operator to CONTAINS, it also works.

Is this expected/known behaviour with ISE 2.3?
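
A triage helper for the mismatch described in the post above, as an added example that is not part of the thread and not Cisco code: it classifies SAN / Calling-Station-ID pairs as exact, case-only, format-only or different, so rules that depend on a case-sensitive comparison can be identified ahead of an upgrade. The function names and sample pairs are constructed for illustration; the first pair uses the two values quoted in the post.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", value).lower()
    return digits if _HEX12.match(digits) else None


def classify(san, calling_station_id):
    """Classify how a certificate SAN relates to a RADIUS Calling-Station-ID."""
    if san == calling_station_id:
        return "exact"        # a case-sensitive equality test succeeds
    if san.lower() == calling_station_id.lower():
        return "case-only"    # same string apart from letter case
    a, b = canonical_mac(san), canonical_mac(calling_station_id)
    if a is not None and a == b:
        return "format-only"  # same MAC, different separators
    return "different"        # not the same endpoint identity


# Constructed sample pairs (hypothetical log export); first pair is from the post.
SAMPLES = [
    ("00-DB-DF-58-64-A2", "00-db-df-58-64-a2"),
    ("00-DB-DF-58-64-A2", "00-DB-DF-58-64-A2"),
    ("00-DB-DF-58-64-A2", "00db.df58.64a2"),
    ("00-DB-DF-58-64-A2", "00-DB-DF-58-64-A3"),
]


def report(pairs=SAMPLES):
    """Return (san, calling_station_id, verdict) for each pair."""
    return [(san, csid, classify(san, csid)) for san, csid in pairs]


if __name__ == "__main__":
    for san, csid, verdict in report():
        print(f"{san:20} {csid:20} {verdict}")
```
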

Accepted Solutions
Cisco Employee

Try creating a new authorization policy rule and see if that works.

CSCvf47170 is seen at a couple beta customers' setups.

Hi HS,

It does work if I create a new AuthZ rule, but does not if I duplicate the existing rule.

Is this likely to be part of the same bug listed above, or should I open a TAC case to have a new bug opened?

This issue will complicate any ISE upgrade if we have to recreate the rules.

I will check with DE and see whether he needs debug logs from you.