ISE: Authorize on both CommonName and AlternativeName

Hi,

Today we are using ISE with authorization policies based on the value of the CommonName in the device certificate.

So if the CN contains "computer", ISE will put that device in VLAN X.

Now we are going to use Microsoft Intune as MDM. But Intune is limited and there isn't an option to specify what the CN should contain. We can, to some extent, decide what should be in the Subject Alternative Name.

Can I in ISE have some policies based on CN and others based on SAN?

Regards,

Philip

2 Replies

jan.nielsen
Level 7

Sure, you can use whatever attributes from the cert that ISE supports in your authz policies. However, like any other rule in your policy, you need to make sure the order of the rules fits your environment, and/or the conditions you are testing don't overlap. ISE stops looking through the policy on first match.

nspasov
Cisco Employee

Hi Philip, yes ISE can do this. You will have to create different "Certificate Authentication Profiles." One can be set to use: "Subject - Common Name" while the other one on "Subject - SAN DNS/e-mail/other"

Then you will use the different Certificate Authentication Profiles for different rules/Policy Sets in your Policy rules.

I hope this helps!
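Added illustration of the two points made in the replies above (first-match rule evaluation with rules keyed on either Subject CN or a SAN field). This is not code from either reply or from Cisco; ISE configures this in its GUI with its own operators. The rule names, VLAN numbers and certificate values below are constructed, and the dicts stand in for the attributes ISE would pull from the client certificate presented during EAP-TLS.

```python
"""First-match evaluation of certificate-attribute authorization rules.

Constructed model: CertAttrs holds the fields a Certificate Authentication
Profile can key on (Subject CN, SAN DNS / e-mail / other); Rule is one
authorization rule with a "contains" condition on one of those fields.
Rule names, VLANs and certificate contents are made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CertAttrs:
    """Attributes extracted from a client certificate (constructed stand-in)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)
    san_email: List[str] = field(default_factory=list)
    san_other: List[str] = field(default_factory=list)


@dataclass
class Rule:
    """Match when `needle` is a case-insensitive substring of the chosen attribute."""
    name: str
    attribute: str  # "cn", "san_dns", "san_email" or "san_other"
    needle: str
    vlan: int

    def matches(self, cert: CertAttrs) -> bool:
        if self.attribute == "cn":
            values = [cert.common_name]
        elif self.attribute == "san_dns":
            values = cert.san_dns
        elif self.attribute == "san_email":
            values = cert.san_email
        elif self.attribute == "san_other":
            values = cert.san_other
        else:
            raise ValueError(f"unknown attribute {self.attribute!r}")
        # A certificate that carries no SAN of this type simply never matches a SAN rule.
        return any(self.needle.lower() in v.lower() for v in values)


def authorize(rules: List[Rule], cert: CertAttrs) -> Optional[Tuple[str, int]]:
    """Return (rule name, VLAN) of the first matching rule; evaluation stops there, as ISE does."""
    for rule in rules:
        if rule.matches(cert):
            return (rule.name, rule.vlan)
    return None


def overlapping_rules(rules: List[Rule], certs: List[CertAttrs]) -> Dict[str, List[str]]:
    """List certs that satisfy more than one rule; for those, rule order alone decides the VLAN."""
    report: Dict[str, List[str]] = {}
    for cert in certs:
        hits = [r.name for r in rules if r.matches(cert)]
        if len(hits) > 1:
            report[cert.common_name] = hits
    return report


# Constructed rule set: the existing CN-based rule kept alongside new SAN-based rules.
RULES = [
    Rule("Intune-Corp-Laptops", "san_dns", "corp.example.com", vlan=20),
    Rule("Legacy-Computers", "cn", "computer", vlan=10),
    Rule("Intune-Users", "san_email", "@example.com", vlan=30),
]

# Constructed certificates: a manually enrolled machine cert with no SAN, an Intune-issued
# cert with a GUID-style CN, and one cert that satisfies both a CN rule and a SAN rule.
CERTS = [
    CertAttrs("computer-0042"),
    CertAttrs("a1b2c3d4-guid", san_dns=["lt-0042.corp.example.com"]),
    CertAttrs("computer-intune", san_dns=["lt-0043.corp.example.com"]),
]

if __name__ == "__main__":
    for c in CERTS:
        print(c.common_name, "->", authorize(RULES, c))
    print("overlaps:", overlapping_rules(RULES, CERTS))
```

Running it shows the third certificate landing in VLAN 20 only because the SAN rule is listed first; swap the first two rules and the same certificate lands in VLAN 10. The `overlapping_rules` check is the kind of review worth doing before mixing CN-based and SAN-based rules in one policy set.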
