SAN Field in certificate used to determine DACL through ISE

a365networking
Level 1

Hi all,

We are trying to implement dynamic ACLs from a SAN field within a certificate on an endpoint device (typically mobile devices).

The process will be as follows: an unregistered device will connect to an unsecure SSID in a build room. At this point, the device will then connect to Azure Intune and download a relevant certificate for the device. From that point on, whilst roaming the rest of the estate, there will be a secure SSID using 802.1X EAP-PEAP to authenticate users to provide access. Now, the access will be different for each device, so we are thinking of using a SAN field within the certificate of the device (that it obtains from Intune) to allow ISE to identify which DACL to apply.

The question is, does ISE look into the SAN fields of the certificate, and can that information be extracted and then applied in a way where Cisco ISE can apply a dynamic ACL for that specific device? For information, the wireless infrastructure is Meraki, so it will be applied via an Auth Result/Group Policy being pushed down towards the Meraki AP.

Thanks,

Steve

Accepted Solution

Mike.Cifelli
VIP Alumni

The question is, does ISE look into the SAN fields of the certificate and can that information be extracted, and then applied in a way where Cisco ISE can apply a dynamic ACL for that specific device.

Yes, you have the ability to push policy based on certificate SAN information. For your scenario you would set up your dACL, create an authz profile with the dACL assigned within it, then use the authz profile as the authz result in your RADIUS policies. The conditions you are looking to utilise look something like this:

[Screenshot: cert_san_condition.PNG]

You can change CONTAINS to another operator type if desired. I would recommend testing your scenario, looking into the detailed RADIUS live logs, and extracting the relevant SAN information from there; that can then be used as conditions to steer/push policy + dACL. Good luck & HTH!
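The following is an added example, not code from the thread or from Cisco, that models what the accepted answer describes: authorization rules whose conditions test a certificate SAN attribute with ISE-style operators (CONTAINS, EQUALS, MATCHES and so on), each rule returning an authorization profile that carries a dACL and, for the Meraki side, a group policy name. It goes beyond the answer in two ways a practitioner should check before relying on SAN-driven policy: the SAN is only consulted for certificates chained to the trusted (Intune) issuing CA, and it shows why a bare CONTAINS can over-match a substring where an anchored MATCHES does not. The attribute name `CERTIFICATE:Subject Alternative Name - Other Name`, the profile and dACL names, the CA name and the certificates themselves are constructed assumptions. One caveat the example cannot show: ISE can only evaluate certificate attributes when the supplicant actually presents a client certificate, so the EAP method on the secure SSID must be certificate-based (EAP-TLS, or a PEAP/TEAP tunnel with an inner EAP-TLS); a PEAP exchange with an inner password method sends no client certificate for these conditions to read.

```python
"""ISE-style authorization: pick an authorization profile (dACL / Meraki group
policy) from a client certificate's SAN. Added example, not Cisco or Meraki code;
attribute names, operator semantics, profile names and the certificates below are
constructed assumptions that mirror the ISE GUI."""
import re
from dataclasses import dataclass, field

# dACLs as defined under Policy Elements > Results (names assumed).
DACLS = {
    "PERMIT_CORP_MOBILE": ["permit ip any any"],
    "RESTRICT_BYOD": ["permit udp any any eq 53",
                      "permit tcp any host 10.10.20.5 eq 443",
                      "deny ip any any"],
    "DENY_ALL": ["deny ip any any"],
}

# Authorization profiles: the dACL a Cisco NAD downloads plus the group policy name
# the thread says is pushed to the Meraki AP.
AUTHZ_PROFILES = {
    "Corp_Mobile": {"dacl": "PERMIT_CORP_MOBILE", "group_policy": "Corp-Mobile"},
    "BYOD_Restricted": {"dacl": "RESTRICT_BYOD", "group_policy": "BYOD-Restricted"},
    "Deny": {"dacl": "DENY_ALL", "group_policy": "Quarantine"},
}

# Only certs chained to the Intune issuing CA may drive policy. ISE does this through
# its trusted certificate store; modelled here so a SAN match is never mistaken for
# a trust decision on its own.
TRUSTED_ISSUERS = {"CN=Intune Device Issuing CA, O=Example Ltd"}

# Operators from the ISE condition editor. MATCHES is a regex, anchored with
# fullmatch here (assumption) so it cannot over-match a substring like CONTAINS does.
OPERATORS = {
    "EQUALS": lambda v, p: v == p,
    "NOT EQUALS": lambda v, p: v != p,
    "CONTAINS": lambda v, p: p in v,
    "NOT CONTAINS": lambda v, p: p not in v,
    "STARTS WITH": lambda v, p: v.startswith(p),
    "ENDS WITH": lambda v, p: v.endswith(p),
    "MATCHES": lambda v, p: re.fullmatch(p, v) is not None,
}

@dataclass
class ClientCert:
    subject_cn: str
    issuer: str
    san: dict = field(default_factory=dict)  # SAN attribute name -> list of values

@dataclass
class Condition:
    attribute: str  # e.g. "CERTIFICATE:Subject Alternative Name - Other Name"
    operator: str
    value: str

@dataclass
class Rule:
    name: str
    conditions: list  # all must hold (AND), as in one ISE rule
    profile: str

def condition_matches(cond: Condition, cert: ClientCert) -> bool:
    """A SAN type may carry several values: a positive operator matches if any
    value satisfies it, a negated one only if every value does."""
    values = cert.san.get(cond.attribute, [])
    hits = [OPERATORS[cond.operator](v, cond.value) for v in values]
    if cond.operator.startswith("NOT"):
        return bool(values) and all(hits)
    return any(hits)

def authorize(cert: ClientCert, rules: list, default_profile: str = "Deny") -> dict:
    """First-match, top-down evaluation like an ISE authorization policy."""
    chosen = default_profile
    if cert.issuer in TRUSTED_ISSUERS:
        for rule in rules:
            if all(condition_matches(c, cert) for c in rule.conditions):
                chosen = rule.profile
                break
    result = dict(AUTHZ_PROFILES[chosen], profile=chosen)
    result["acl_lines"] = DACLS[result["dacl"]]
    return result

SAN_OTHER = "CERTIFICATE:Subject Alternative Name - Other Name"

# Policy: anchored MATCHES for corporate devices, CONTAINS for BYOD, default deny.
POLICY = [
    Rule("Corp mobile", [Condition(SAN_OTHER, "MATCHES", r"urn:role:corp-mobile")], "Corp_Mobile"),
    Rule("BYOD", [Condition(SAN_OTHER, "CONTAINS", "urn:role:byod")], "BYOD_Restricted"),
]

# Constructed certificates (not real) as an Intune SCEP template might issue them.
INTUNE_CA = "CN=Intune Device Issuing CA, O=Example Ltd"
CORP_PHONE = ClientCert("phone-0471", INTUNE_CA,
                        {SAN_OTHER: ["urn:role:corp-mobile", "phone-0471@example.com"]})
BYOD_PHONE = ClientCert("byod-19", INTUNE_CA, {SAN_OTHER: ["urn:role:byod"]})
# Same SAN as the corporate phone but signed by a CA ISE does not trust.
ROGUE_PHONE = ClientCert("phone-0471", "CN=Self-Signed Lab CA",
                         {SAN_OTHER: ["urn:role:corp-mobile"]})
# CONTAINS "urn:role:corp-mobile" would match this value; the anchored MATCHES does not.
TEST_PHONE = ClientCert("phone-lab", INTUNE_CA, {SAN_OTHER: ["urn:role:corp-mobile-test"]})
```

Calling `authorize(cert, POLICY)` returns the chosen profile with its dACL lines and group policy name; the rogue certificate and the `corp-mobile-test` certificate both fall through to the default deny profile. In a real deployment the equivalent of `TRUSTED_ISSUERS` is the trusted certificate store and certificate authentication profile on ISE, and the SAN string to match against is the one the RADIUS live log detail shows, as the answer recommends checking first.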
