01-12-2022 04:17 AM
Hi all,
We are trying to implement dynamic ACLs from a SAN field within a certificate on an endpoint device (typically mobile devices).
The process will be as follows. An unregistered device will connect to an unsecure SSID in a build room. At this point, the device will connect to Azure Intune and download a relevant certificate for the device. From that point on, whilst roaming the rest of the estate, there will be a secure SSID using 802.1X EAP-PEAP to authenticate users to provide access. Now the access will be different for each device, so we are thinking of using a SAN field within the certificate of the device (that it obtains from Intune) to allow ISE to identify which DACL to apply.
The question is, does ISE look into the SAN fields of the certificate, and can that information be extracted and then applied in a way where Cisco ISE can apply a dynamic ACL for that specific device? For information, the wireless infrastructure is Meraki, so it will be applied via an Auth Result/Group Policy being pushed down towards the Meraki AP.
Thanks,
Steve
01-12-2022 07:40 AM
The question is, does ISE look into the SAN fields of the certificate and can that information be extracted, and then applied in a way where Cisco ISE can apply a dynamic ACL for that specific device.
-Yes, you have the ability to push policy based on certificate SAN information. For your scenario you would set up your DACL, create an authz profile with the DACL assigned within it, then use the authz profile as the authz result in your RADIUS policies. The conditions you are looking to utilize look something like this:
You can change CONTAINS to another type if desired. I would recommend testing your scenario, looking into the detailed RADIUS live logs and extracting the relevant SAN information from there, which can then be used as conditions to steer/push policy + DACL. Good luck & HTH!
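To make the answer above concrete, here is an added example that is not from the thread, from Cisco, or from ISE itself. It decodes the SubjectAltName extension of a device certificate into its components (DNS name, e-mail, URI, and the Microsoft UPN carried as an otherName), which is the raw material ISE exposes as separate certificate attributes in a condition, and then walks an ordered rule list with the CONTAINS/EQUALS-style operators the answer mentions, first match wins, returning the authorization profile and DACL lines that would be sent. The SAN contents, rule names, profile names, the `urn:example:acl:...` URI convention and the ACL lines are all constructed for illustration; only the UPN otherName OID (1.3.6.1.4.1.311.20.2.3) is real. It also assumes the client certificate actually reaches ISE, which requires a certificate-based EAP method such as EAP-TLS; PEAP with an MSCHAPv2 inner method presents no client certificate, so there would be no SAN to read. How the Meraki side consumes the returned profile is not modelled.

```python
"""Added example: decode a certificate SAN and apply ISE-style first-match rules.
Everything except the UPN OID is constructed for illustration."""
from dataclasses import dataclass
from typing import Callable

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name (real OID)
# GeneralName CHOICE tags from RFC 5280 (context-specific, IMPLICIT)
GN_TAGS = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 6: "uniformResourceIdentifier"}


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with short or long definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER given in dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der_tlv(0x06, bytes(body))


def decode_oid(body: bytes) -> str:
    """Inverse of der_oid for the OID content bytes (tag and length stripped)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_san(ext_value: bytes) -> list:
    """Decode a SubjectAltName extension value (GeneralNames) into (kind, value) pairs.
    otherName entries carrying the UPN OID are reported with kind "upn"."""
    tag, seq, _ = der_read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("SAN value must be a SEQUENCE of GeneralName")
    names, pos = [], 0
    while pos < len(seq):
        tag, content, pos = der_read_tlv(seq, pos)
        if tag & 0xC0 != 0x80:
            raise ValueError(f"unexpected tag 0x{tag:02x} in GeneralNames")
        kind = GN_TAGS.get(tag & 0x1F, f"GeneralName[{tag & 0x1F}]")
        if kind == "otherName":
            # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }; the
            # SEQUENCE tag is replaced by [0] IMPLICIT, so the OID comes first.
            _, oid_body, p = der_read_tlv(content, 0)
            _, explicit, _ = der_read_tlv(content, p)   # the [0] EXPLICIT wrapper
            _, inner, _ = der_read_tlv(explicit, 0)     # the wrapped value
            oid = decode_oid(oid_body)
            names.append(("upn", inner.decode("utf-8")) if oid == UPN_OID else ("otherName", oid))
        elif kind in ("rfc822Name", "dNSName", "uniformResourceIdentifier"):
            names.append((kind, content.decode("ascii")))
        else:
            names.append((kind, content.hex()))
    return names


def build_sample_san() -> bytes:
    """Constructed sample of what an Intune-issued device certificate's SAN might carry."""
    upn = der_tlv(0xA0, der_oid(UPN_OID) + der_tlv(0xA0, der_tlv(0x0C, b"steve@example.com")))
    dns = der_tlv(0x82, b"tablet01.example.com")
    uri = der_tlv(0x86, b"urn:example:acl:contractor")
    return der_tlv(0x30, upn + dns + uri)


@dataclass
class Rule:
    name: str
    attribute: str        # which SAN component the condition reads
    operator: str         # EQUALS / CONTAINS / STARTS_WITH / ENDS_WITH
    value: str
    authz_profile: str    # authorization profile that carries the DACL
    dacl: list            # ACL lines the profile would push (illustrative)


OPERATORS: dict = {
    "EQUALS": lambda actual, wanted: actual == wanted,
    "CONTAINS": lambda actual, wanted: wanted in actual,
    "STARTS_WITH": lambda actual, wanted: actual.startswith(wanted),
    "ENDS_WITH": lambda actual, wanted: actual.endswith(wanted),
}

# Ordered like an ISE authorization policy: the most specific rule goes first.
RULES = [
    Rule("Contractor-Mobile", "uniformResourceIdentifier", "CONTAINS", "acl:contractor",
         "Contractor-Wireless", ["permit tcp any host 10.10.10.5 eq 443",
                                 "deny ip any 10.0.0.0 0.255.255.255",
                                 "permit ip any any"]),
    Rule("Corp-Mobile", "upn", "ENDS_WITH", "@example.com", "Corp-Wireless", ["permit ip any any"]),
]
DEFAULT = ("Default", "DenyAccess", ["deny ip any any"])


def rule_matches(rule: Rule, san: list) -> bool:
    return any(kind == rule.attribute and OPERATORS[rule.operator](value, rule.value)
               for kind, value in san)


def authorize(san: list, rules: list = RULES) -> tuple:
    """First match top-down; falls through to the default deny when nothing matches."""
    for rule in rules:
        if rule_matches(rule, san):
            return rule.name, rule.authz_profile, rule.dacl
    return DEFAULT


if __name__ == "__main__":
    san = parse_san(build_sample_san())
    print("SAN:", san)
    print("Result:", authorize(san))
```

Running it prints the decoded SAN and the rule, profile and DACL the sample device would receive. Before writing the real condition, check the detailed RADIUS live log in ISE for the authenticated device: it shows which SAN component (DNS, e-mail, other name/UPN, URI) the Intune template actually populated, and the operator should be chosen against that exact value rather than a looser CONTAINS than necessary, so a second device whose SAN happens to contain the same substring does not inherit the ACL.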