cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1300
Views
10
Helpful
3
Replies

ISE Authorization Profile Using Machine Certificate

pagosojayson
Level 1
Level 1

Hi,

 

Is there a way in ISE that I can create an authorisation policy using Machine certificate?  I have been trying ways to differentiate a machine cert with a user cert but as of now I have not seen a clear document on how to do so.

 

Thanks in advance

 

Jayson

2 Accepted Solutions

Accepted Solutions

Mike.Cifelli
VIP Alumni
VIP Alumni
Are your machine and user certificates issued from the same CA? Do you control the CA and/or templates? In Authz conditions you do have the ability to configure them to match CERTIFICATE: ISSUER: Common Name; Org Unit; and/or a few other options. If you have this ability you could specify a unique issuer field to differentiate between the two and then use that criteria in your Authz condition. Good luck & HTH!

View solution in original post

Two thing here

 

First you can just do an AD check in the authorization phase to say:

 

  1. EAP-TLS and member of Domain Computer
  2. EAP-TLS and member of Domain User

Second if you didn't want to do an AD check you could look at the SAN field in the certificate. The SAN field, which should be the correct location for user identity, will be different for computers and users.  The computers will typically have DNS name in the SAN field while users will have Principal Name or Email.  So you could have something like:

 

  1. EAP-TLS and certificate SAN field DNS contains mycompany.com
  2. EAP-TLS and certificate SAN Email Address contains mycompany.com

The first should be a computer and the second should be a user.

 

 

View solution in original post

3 Replies 3

Mike.Cifelli
VIP Alumni
VIP Alumni
Are your machine and user certificates issued from the same CA? Do you control the CA and/or templates? In Authz conditions you do have the ability to configure them to match CERTIFICATE: ISSUER: Common Name; Org Unit; and/or a few other options. If you have this ability you could specify a unique issuer field to differentiate between the two and then use that criteria in your Authz condition. Good luck & HTH!

Two thing here

 

First you can just do an AD check in the authorization phase to say:

 

  1. EAP-TLS and member of Domain Computer
  2. EAP-TLS and member of Domain User

Second if you didn't want to do an AD check you could look at the SAN field in the certificate. The SAN field, which should be the correct location for user identity, will be different for computers and users.  The computers will typically have DNS name in the SAN field while users will have Principal Name or Email.  So you could have something like:

 

  1. EAP-TLS and certificate SAN field DNS contains mycompany.com
  2. EAP-TLS and certificate SAN Email Address contains mycompany.com

The first should be a computer and the second should be a user.

 

 

Hi Mike,

 

Thanks for the reply,  I was able to do this and nested a few fields in the certificate which helped us get to where we think we need to be.  

 

Regards,

Jayson