ISE and User Certificates

David Fitzgerald · ‎02-24-2017

We are using EAP-TLS as part of our AuthZ Rule set and I'm curious if there is a best practice method in dealing with a user certificate. I have a mixture of PCs and MACs. With my PCs, we are also using NAM, so EAP Chaining is available. EAP Chaning does not appear to be an option for the MACs.

We started down the path of having a Microsoft track and a non-Microsoft track for AuthZ, but we're also trying to eliminate two sets of rules where possible.

Suppose My domain is fubar.com

I have some rules set up that are set up to check the EAP method and the Certificate contents a la:

NetworkAccess:EapAuthentication EQUALS EAP-TLS AND

CERTIFICATE:Subect Alternative Name CONTAINS fubar.com

I have other rules that are set up that test for the condition:

CERTIFICATE:Subject MATCHES .*(FUBAR).*

Is one way better? Is there a BEST way of examining User Certificate?

nspasov · ‎02-24-2017

Hello David, my answers below:

- EAP-Chaning: You are correct, that solution is only available to Windows based machines where you can use the NAM module of AnyConnect. Apple does not allow for its native supplicant to be replaced with a 3rd party one. As a result, unless Apple implements EAP-TEAP, eap-chaining is a no-go. There is an actual RFC (7170) so hopefully manufacturers out there like Apple and Microsoft would implement it in future release of their software.

- IMO (And I am by no means an expert with certificates/pki) the first option is more secure since it is more specific (it must contain fubar.com). Using the wildcard string would match fubar.com and not.fubar.com :)

I hope this helps!

Thank you for rating helpful posts!