Using OUID for Authentication

s1nsp4wn
Level 1

ISE 2.4 Patch 9


Is there a way (conditionally or otherwise) I can get ISE to match on object GUID? We currently use EAP-TLS for wireless authentication, but I want it so that not only do users have to have a client certificate provided by us, the GUID on that cert must also be used as an attribute that ISE will search AD for before allowing the person on the network. I've searched all the attributes and see plenty of issuer- and subject-based attributes, but nothing specific to GUID. The thought process is that usernames and emails can change, but a globally unique ID won't ever change.

2 Replies

hslai
Cisco Employee

Requirements for domain controller certificates from a third-party CA shows that the domain controller GUID is included in an Other Name entry of the Subject Alternative Name. If so, you may condition on CERTIFICATE·Subject Alternative Name - Other Name.
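As an added illustration (not part of this thread, and not Cisco ISE or any poster's code), the following Python shows what a policy engine has to do to honour that kind of condition: pull the GUID out of the otherName entry of the certificate's Subject Alternative Name and compare it with the raw objectGUID bytes an LDAP lookup of the account returns. It assumes the GUID travels under Microsoft's NTDS replication OID 1.3.6.1.4.1.311.25.1 as a 16-byte OCTET STRING in the same byte order AD stores objectGUID; the SAN extension and the GUID value are constructed inline rather than taken from a real certificate or directory, and the small DER helpers cover only what a SAN needs rather than standing in for a full X.509 parser.

```python
"""Extract a GUID from a certificate SAN otherName and check it against an AD
objectGUID. Constructed, stdlib-only example: the SAN is built inline."""
import uuid

# OID Microsoft uses for the domain controller GUID otherName (szOID_NTDS_REPLICATION).
OID_NTDS_REPLICATION = "1.3.6.1.4.1.311.25.1"

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_OCTET_STRING = 0x04
TAG_OTHER_NAME = 0xA0   # GeneralName [0] otherName (constructed)
TAG_EXPLICIT_0 = 0xA0   # OtherName.value [0] EXPLICIT
TAG_DNS_NAME = 0x82     # GeneralName [2] dNSName (IA5String)


def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER content bytes (first two arcs packed, rest base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_tlvs(data: bytes):
    """Yield (tag, body) for each top-level DER element (single-byte tags only)."""
    i = 0
    while i < len(data):
        tag, ln = data[i], data[i + 1]
        i += 2
        if ln & 0x80:                      # long-form length
            k = ln & 0x7F
            ln = int.from_bytes(data[i:i + k], "big")
            i += k
        body = data[i:i + ln]
        if len(body) != ln:
            raise ValueError("truncated DER element")
        i += ln
        yield tag, body


def object_guid_bytes(dotted_guid: str) -> bytes:
    """Raw 16 bytes as AD returns objectGUID (mixed-endian GUID layout)."""
    return uuid.UUID(dotted_guid).bytes_le


def build_san(dotted_guid: str, dns_name: str) -> bytes:
    """Constructed SAN: otherName carrying the GUID plus a dNSName.
    Assumption: the OCTET STRING uses the same byte order as objectGUID."""
    other = der(TAG_OTHER_NAME,
                der(TAG_OID, encode_oid(OID_NTDS_REPLICATION))
                + der(TAG_EXPLICIT_0, der(TAG_OCTET_STRING, object_guid_bytes(dotted_guid))))
    return der(TAG_SEQUENCE, other + der(TAG_DNS_NAME, dns_name.encode("ascii")))


def general_names(san_der: bytes) -> list:
    outer = list(parse_tlvs(san_der))
    if len(outer) != 1 or outer[0][0] != TAG_SEQUENCE:
        raise ValueError("SAN is not a single SEQUENCE")
    return list(parse_tlvs(outer[0][1]))


def san_other_names(san_der: bytes) -> dict:
    """Map each otherName type-id (dotted OID) to the DER of its value."""
    names = {}
    for tag, gn in general_names(san_der):
        if tag != TAG_OTHER_NAME:
            continue
        parts = list(parse_tlvs(gn))
        if len(parts) != 2 or parts[0][0] != TAG_OID or parts[1][0] != TAG_EXPLICIT_0:
            raise ValueError("malformed otherName")
        names[decode_oid(parts[0][1])] = parts[1][1]
    return names


def san_dns_names(san_der: bytes) -> list:
    return [gn.decode("ascii") for tag, gn in general_names(san_der) if tag == TAG_DNS_NAME]


def guid_from_san(san_der: bytes):
    """Dotted GUID found under OID_NTDS_REPLICATION, or None if absent."""
    value = san_other_names(san_der).get(OID_NTDS_REPLICATION)
    if value is None:
        return None
    parts = list(parse_tlvs(value))
    if len(parts) != 1 or parts[0][0] != TAG_OCTET_STRING or len(parts[0][1]) != 16:
        raise ValueError("GUID otherName is not a 16-byte OCTET STRING")
    return str(uuid.UUID(bytes_le=parts[0][1]))


def matches_ad_object(san_der: bytes, object_guid: bytes) -> bool:
    """True when the certificate's GUID equals the directory's raw objectGUID."""
    cert_guid = guid_from_san(san_der)
    return cert_guid is not None and object_guid_bytes(cert_guid) == object_guid


if __name__ == "__main__":
    account = "1f6c2b3a-8d4e-4f5a-9b6c-7d8e9f0a1b2c"        # constructed GUID
    san = build_san(account, "dc01.corp.example")           # constructed SAN
    print("cert GUID:", guid_from_san(san))
    print("matches AD:", matches_ad_object(san, object_guid_bytes(account)))
```

The comparison is on the raw 16 bytes rather than on a string form, which sidesteps the usual mistake of comparing AD's mixed-endian objectGUID against a big-endian rendering of the same value; a certificate without the otherName entry yields None and therefore never matches, which is the fail-closed behaviour you want from an authentication condition.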

So it sounds like I could match on the AD's GUID, but what I'm trying to do is validate an EAP-TLS user based on possession of the client certificate AND somehow line their GUID up with finding them in AD as my external identity source. Currently it seems like AD is only searchable from an authorization perspective, looking at my conditions.