03-26-2015 09:05 AM - edited 03-10-2019 10:35 PM
Hi,
Today we are using ISE with authorization policies based on what the value in CommonName is in the device certificate.
So if CN contains "computer" ISE will put that device in VLAN X.
Now we are going to use Microsoft Intune as MDM. But Intune is limited and there isn't an option to specify what the CN should contain. What we can, to some extent, decide is what should be in the Subject Alternative Name.
Can I in ISE have some policies based on CN and others based on SAN?
Regards,
Philip
03-26-2015 12:32 PM
Sure, you can use whatever attributes from the cert that ISE supports in your authz policies. However, like any other rule in your policy, you need to make sure the order of the rules fits your environment, and/or the conditions you are testing don't overlap. ISE stops looking through the policy on first match.
03-26-2015 03:04 PM
Hi Philip, yes, ISE can do this. You will have to create different "Certificate Authentication Profiles." One can be set to use "Subject - Common Name" while the other one uses "Subject - SAN DNS/e-mail/other".
Then you will use the different Certificate Authentication Profiles for different rules/Policy Sets in your Policy rules.
I hope this helps!
Thank you for rating helpful posts!
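The rule-ordering point raised in the replies above, as an added example that is not part of the thread and is not ISE's own evaluation engine: a simplified model of ordered, first-match rules over CN and SAN. The rule names, the "intune" SAN marker, the VLAN-Y label and the sample certificates are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    field: str      # certificate field tested: "cn" or "san"
    contains: str   # substring the field must contain
    result: str     # authorization result, e.g. a VLAN label

def matches(rule, cert):
    """True if any value of the rule's field contains the rule's substring."""
    values = cert.get(rule.field, [])
    if isinstance(values, str):
        values = [values]
    return any(rule.contains in v for v in values)

def authorize(rules, cert, default="DenyAccess"):
    """Walk the rules top-down and stop at the first match."""
    for rule in rules:
        if matches(rule, cert):
            return rule.name, rule.result
    return None, default

def overlaps(rules, certs):
    """Certificates that satisfy more than one rule, so rule order decides."""
    found = {}
    for cert_id, cert in certs.items():
        hits = [r.name for r in rules if matches(r, cert)]
        if len(hits) > 1:
            found[cert_id] = hits
    return found

# Constructed policy: the existing CN rule plus a hypothetical SAN rule.
RULES = [
    Rule("CN-computer", "cn", "computer", "VLAN-X"),
    Rule("SAN-intune", "san", "intune", "VLAN-Y"),
]

# Constructed sample certificates (subject CN and SAN entries only).
CERTS = {
    "legacy-pc": {"cn": "computer-0042", "san": ["computer-0042.corp.example"]},
    "mdm-phone": {"cn": "a1b2c3d4", "san": ["intune-phone-7.corp.example"]},
    "ambiguous": {"cn": "computer-0099", "san": ["intune-laptop-3.corp.example"]},
}

if __name__ == "__main__":
    for cert_id, cert in CERTS.items():
        print(cert_id, authorize(RULES, cert))
    print("order-dependent:", overlaps(RULES, CERTS))
```

Running `overlaps` over an inventory of issued certificates before adding the SAN rule shows which devices would change result if the rule order were swapped.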