
ISE in Azure question

smaseman
Cisco Employee

Hi Team,

I have one specific ISE question from my customer for which I can't find an answer. It would be great if you could help me with this. Thanks in advance:

We currently have the task to allow Azure AD Joined Clients into our WLAN. These do not receive a certificate from our internal CA, but from Azure.

However, the Azure certificate is generally valid for all Microsoft customers. There is a field which is customer specific and we would like to check this.

It appears in the certificate with an OID, e.g. 1.2.5. xxxxxxxxxxxxxx, and has a value that corresponds to our Azure instance.

Is it possible to read out a random OID? I couldn't find anything in the predefined conditions, with these you can only read standard fields.

Thanks in advance for your help,

Simon

1 Accepted Solution


There has been some testing with Azure but, as Hsing noted, the solution is not fully vetted yet.

If you are saying that you do have auth working with EAP-TLS but are unable to make policy decisions based on cert attributes, then the answer provided on the internal mailer is the same. ISE can match conditions based on the following certificate dictionary:

These can be used to match on specific issuer, organization, user, etc.


2 Replies

hslai
Cisco Employee

This is not currently supported. Please discuss it with our PM team.

If possible, please provide more details or documentation links on how Azure certificates utilize such a random OID.
