ISE Authorization Profile Using Machine Certificate

pagosojayson
Level 1

Hi,

Is there a way in ISE that I can create an authorisation policy using Machine certificate? I have been trying ways to differentiate a machine cert with a user cert but as of now I have not seen a clear document on how to do so.

Thanks in advance

Jayson

2 Accepted Solutions

Mike.Cifelli
VIP Alumni
Are your machine and user certificates issued from the same CA? Do you control the CA and/or templates? In Authz conditions you do have the ability to configure them to match CERTIFICATE: ISSUER: Common Name; Org Unit; and/or a few other options. If you have this ability you could specify a unique issuer field to differentiate between the two and then use that criteria in your Authz condition. Good luck & HTH!


Two things here

First you can just do an AD check in the authorization phase to say:

  1. EAP-TLS and member of Domain Computer
  2. EAP-TLS and member of Domain User

Second if you didn't want to do an AD check you could look at the SAN field in the certificate. The SAN field, which should be the correct location for user identity, will be different for computers and users. The computers will typically have DNS name in the SAN field while users will have Principal Name or Email. So you could have something like:

  1. EAP-TLS and certificate SAN field DNS contains mycompany.com
  2. EAP-TLS and certificate SAN Email Address contains mycompany.com

The first should be a computer and the second should be a user.

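The following Go program is an added example, not code from this thread or from Cisco ISE. It builds a constructed test PKI (an issuing CA named "Corp Issuing CA", a workstation and a user under the assumed domain mycompany.com) with the standard library only, and then applies the two checks the answers describe: the issuer Common Name match from the first answer, and the SAN split from the second (DNS name marks a machine, e-mail address marks a user). ISE evaluates these attributes inside its own policy engine; what this shows is the rule logic running against real certificates, with the two SAN checks made mutually exclusive so that a certificate carrying both a DNS name and an e-mail address matches neither rule instead of silently being treated as a machine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Identity is the outcome of the SAN rule from the thread.
type Identity string

const (
	Machine Identity = "machine" // SAN DNS name in the corporate domain
	User    Identity = "user"    // SAN e-mail address in the corporate domain
	Unknown Identity = "unknown" // neither, or both: ambiguous, matches no rule
)

// anySuffix reports whether any name ends with suffix (case-insensitive).
func anySuffix(names []string, suffix string) bool {
	for _, n := range names {
		if strings.HasSuffix(strings.ToLower(n), strings.ToLower(suffix)) {
			return true
		}
	}
	return false
}

// ClassifyBySAN applies "SAN DNS contains <domain>" and "SAN Email Address
// contains <domain>" as two exclusive checks. A suffix match is used instead
// of a plain substring test so that "mycompany.com.example" does not match.
func ClassifyBySAN(cert *x509.Certificate, domain string) Identity {
	hasDNS := anySuffix(cert.DNSNames, "."+domain)
	hasMail := anySuffix(cert.EmailAddresses, "@"+domain)
	switch {
	case hasDNS && !hasMail:
		return Machine
	case hasMail && !hasDNS:
		return User
	}
	return Unknown
}

// sign fills in serial and validity, then signs tmpl with parent/parentKey
// (self-signed when parent is nil) using a fresh ephemeral P-256 key.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // constructed PKI, not a real serial scheme
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildSamples builds the constructed PKI: issuing CA "Corp Issuing CA", a
// machine cert with a SAN DNS name and a user cert with a SAN e-mail address.
func BuildSamples() (machine, user *x509.Certificate, err error) {
	ca, caKey, err := sign(&x509.Certificate{
		Subject: pkix.Name{CommonName: "Corp Issuing CA"},
		IsCA:    true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf := func(cn string, dns, mail []string) (*x509.Certificate, error) {
		c, _, err := sign(&x509.Certificate{
			Subject:        pkix.Name{CommonName: cn},
			ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
			DNSNames:       dns,
			EmailAddresses: mail,
		}, ca, caKey)
		return c, err
	}
	if machine, err = leaf("ws01.mycompany.com", []string{"ws01.mycompany.com"}, nil); err != nil {
		return nil, nil, err
	}
	user, err = leaf("Jane Doe", nil, []string{"jane@mycompany.com"})
	return machine, user, err
}

func main() {
	m, u, err := BuildSamples()
	if err != nil {
		panic(err)
	}
	// Both certs share an issuer here, so only the SAN rule can separate them.
	fmt.Println("machine:", ClassifyBySAN(m, "mycompany.com"), "issuer:", m.Issuer.CommonName)
	fmt.Println("user:   ", ClassifyBySAN(u, "mycompany.com"), "issuer:", u.Issuer.CommonName)
}
```

Because this constructed PKI issues both kinds of certificate from one CA, the issuer Common Name is identical for the machine and the user cert and cannot be used as the distinguishing condition; that is exactly the situation the first answer's questions about separate CAs or templates are probing, and the SAN rule from the second answer is the fallback when a single issuer is all you have.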

3 Replies


 

 

Hi Mike,

Thanks for the reply, I was able to do this and nested a few fields in the certificate which helped us get to where we think we need to be.

Regards,

Jayson