Certificate matching in AC NAM

Madura Malwatte
Level 4

I have AC 4.7 and am trying to get the AC NAM module to present the right EAP-TLS certificate to the ISE server. There are a few networks in AC for which it is doing machine authentication, and there are two machine certificates, each issued by a different CA for a different ISE deployment (we are migrating from an old ISE to a new ISE environment, so this is the transition phase). The issue is that when a network (wired or wireless) in AC for the new ISE is selected, ISE complains about the wrong cert. The debugs indicate that AC is using the wrong machine cert.

 

Debugs from AC show two potential certs available, but it is selecting the wrong one (the correct one should be the one ending in c7ff):

 

%NAM-7-DEBUG_MSG: %[tid=1808]: Certificate 496f28cd2fa3daa29a6273573761b2858f4fa935 rank 0x7d

%NAM-7-DEBUG_MSG: %[tid=1808]: Certificate 1f3316e12d99f2ac364b6e53ce55892daeebc7ff rank 0x7d

%NAM-7-DEBUG_MSG: %[tid=1808]: Auth[CORP-WIFI:machine-auth]: Using machine certificate 496f28cd2fa3daa29a6273573761b2858f4fa935 issued to WIN-MACHINE1234.company.com

 

Is the correct way to force one AC network to select one cert over the other to use the "Use certificate matching rule" option under Network > Credentials in the NAM profile editor?

 

The machine cert could be issued by either of two CAs for the new ISE, say CN: NewCompanyCA1 and NewCompanyCA2.

 

How can I match the correct cert for a profile if the cert may be issued by either of the CAs? The match statement options available are "Includes" and "Equals". To match either cert, could I use:

 

Certificate Field: Issuer.CN

Match: Includes

Value: NewCompany

 

The legacy network only has certs issued by one CA, so I would have a match entry for:

Certificate Field: Issuer.CN

Match: Includes

Value: OldCompanyCA

 
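Added example, not Cisco's code and not part of the thread: a small Python model of how a NAM-style certificate matching rule narrows the candidate list before the first eligible certificate is chosen. The two thumbprints are the ones in the debug output above; the subject, issuer, EKU and validity values in the store are assumed, as is the "first eligible certificate wins" ordering used when no rule is configured. The last case in the usage shows why an overly broad Includes value (one that also appears in the legacy CA name) would not fix the selection.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth


@dataclass(frozen=True)
class Cert:
    thumbprint: str       # SHA-1 thumbprint, as NAM logs it
    subject_cn: str
    issuer_cn: str
    ekus: tuple           # extended key usage OIDs
    not_before: datetime
    not_after: datetime


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed store. The thumbprints are the two from the NAM debug above; the
# subject, issuer, EKU and validity values are assumptions for this example.
STORE = [
    Cert("496f28cd2fa3daa29a6273573761b2858f4fa935", "WIN-MACHINE1234.company.com",
         "OldCompanyCA", (CLIENT_AUTH_EKU,), _utc(2023, 1, 1), _utc(2026, 1, 1)),
    Cert("1f3316e12d99f2ac364b6e53ce55892daeebc7ff", "WIN-MACHINE1234.company.com",
         "NewCompanyCA1", (CLIENT_AUTH_EKU,), _utc(2024, 1, 1), _utc(2027, 1, 1)),
]

NOW = _utc(2025, 6, 1)   # assumed evaluation time


def basic_client_cert_ok(cert, now):
    """Baseline check applied before any matching rule: in validity period, clientAuth EKU."""
    return cert.not_before <= now <= cert.not_after and CLIENT_AUTH_EKU in cert.ekus


def field_value(cert, field):
    """Resolve a rule's 'Certificate Field' to the value in the certificate."""
    return {"Issuer.CN": cert.issuer_cn, "Subject.CN": cert.subject_cn}[field]


def rule_matches(cert, field, match, value):
    """One rule: 'Includes' is a substring test, 'Equals' an exact comparison."""
    actual = field_value(cert, field)
    if match == "Includes":
        return value in actual
    if match == "Equals":
        return actual == value
    raise ValueError(f"unsupported match type {match!r}")


def select_certificate(store, rules, now=NOW):
    """Thumbprint of the first eligible cert that satisfies every rule, or None.

    With an empty rule list this reproduces the behaviour in the debug output:
    the first cert passing the baseline check is used, whichever CA issued it.
    """
    for cert in store:
        if not basic_client_cert_ok(cert, now):
            continue
        if all(rule_matches(cert, *rule) for rule in rules):
            return cert.thumbprint
    return None


if __name__ == "__main__":
    print("no rule          :", select_certificate(STORE, []))
    print("new ISE network  :", select_certificate(STORE, [("Issuer.CN", "Includes", "NewCompany")]))
    print("legacy network   :", select_certificate(STORE, [("Issuer.CN", "Includes", "OldCompanyCA")]))
    print("too broad a value:", select_certificate(STORE, [("Issuer.CN", "Includes", "CompanyCA")]))
```

The "new ISE network" rule returns the c7ff certificate and the legacy rule returns the a935 one, while "Includes CompanyCA" matches both issuers and so falls back to whichever eligible certificate comes first. A rule that matches the two new CAs but not the old one is what the question's "NewCompany" value achieves, because "OldCompanyCA" does not contain that substring.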

3 Replies

Rahul Govindan
VIP Alumni

I think you have the logic correct here. As long as the client certs have the basic requirements (key usage, extended key usage, validity, etc.) and they match the Issuer CN Includes "NewCompanyCA", NAM should pick up the right cert. Right now, I believe it takes the first cert that matches its basic client cert requirements check.

 

Also, if I am not mistaken, if your ISE EAP cert is issued by NewCompanyCA1 or NewCompanyCA2, then it should also send a cert request field in the SSL handshake. This should automatically pick up the certs issued by the same CA for client auth.

Thanks for the response, Rahul. I am doing some testing to confirm with the certificate matching rule.

 

"This should automatically pick up the certs issued by the same CA for client auth." Actually, this is what I thought too, but it doesn't look like it is happening. Are you able to confirm if this is the correct behaviour?

To be honest, I do not know for sure if ISE sends the certificate authorities list inside the certificate request header. The SSL/TLS RFC does not mandate this, so the behavior depends on vendor and product. I do know for a fact that the ASA does this with TLS client cert authentication. I might have to test this using a packet capture on ISE during the transaction.
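Added example, not from the thread and not ISE, ASA or AnyConnect code: a parser for the certificate_authorities list of a TLS 1.2 CertificateRequest (RFC 5246, section 7.4.4), the field the last two replies are discussing, so a handshake pulled from a capture on ISE can be checked for whether a CA list is actually sent. The sample message is constructed inline with a minimal single-CN DER encoder (short-form lengths only, which is an assumption that holds for the sample but not for every real DN); the CA names are the ones from the question. In TLS 1.3 the same list moves into a certificate_authorities extension, which this parser does not handle.

```python
import struct

OID_CN = bytes.fromhex("550403")   # id-at-commonName (2.5.4.3)
HANDSHAKE_CERTIFICATE_REQUEST = 13


def _der(tag, payload):
    """Minimal DER TLV encoder; short-form length only (payload < 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("short-form DER length only in this example")
    return bytes([tag, len(payload)]) + payload


def cn_only_name(cn):
    """DER Name with a single CN RDN: SEQUENCE { SET { SEQUENCE { OID, UTF8String } } }."""
    atv = _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def build_certificate_request(names):
    """Constructed TLS 1.2 CertificateRequest handshake message carrying the given DER names."""
    cert_types = bytes([1])                      # rsa_sign
    sig_algs = bytes.fromhex("0401")             # sha256 / rsa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in names)
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def _der_walk(buf, pos):
    """Return (tag, value, next_pos) for one short-form DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 128:
        raise ValueError("long-form DER length not supported in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def common_name(dn):
    """Extract the CN from a DER-encoded Name; None if the Name has no CN attribute."""
    _, rdns, _ = _der_walk(dn, 0)                 # outer SEQUENCE of RDNs
    pos = 0
    while pos < len(rdns):
        _, rdn_set, pos = _der_walk(rdns, pos)    # SET (one RDN)
        _, atv, _ = _der_walk(rdn_set, 0)         # SEQUENCE AttributeTypeAndValue
        _, oid, vpos = _der_walk(atv, 0)
        _, value, _ = _der_walk(atv, vpos)
        if oid == OID_CN:
            return value.decode()
    return None


def certificate_authorities(msg):
    """Parse a TLS 1.2 CertificateRequest and return the CNs of the advertised CAs.

    An empty list is legal (RFC 5246 allows the server to send no CA names), in
    which case the client gets no hint about which issuer to prefer.
    """
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 0
    n = body[pos]; pos += 1 + n                                      # certificate_types
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + n      # supported_signature_algorithms
    cas_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end, names = pos + cas_len, []
    while pos < end:
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        names.append(common_name(body[pos:pos + dn_len])); pos += dn_len
    return names


def usable_issuers(advertised, local_issuers):
    """Issuers of local certs that a client should offer: all of them when the server
    sent no CA list, otherwise only those the server named."""
    if not advertised:
        return list(local_issuers)
    return [i for i in local_issuers if i in advertised]


if __name__ == "__main__":
    # Constructed sample: the new ISE advertises both new CAs.
    sample = build_certificate_request([cn_only_name("NewCompanyCA1"), cn_only_name("NewCompanyCA2")])
    advertised = certificate_authorities(sample)
    print("advertised CAs:", advertised)
    print("usable local issuers:", usable_issuers(advertised, ["OldCompanyCA", "NewCompanyCA1"]))
```

Feeding the bytes of a captured CertificateRequest into certificate_authorities tells you whether the server narrows the choice at all; if the returned list is empty, the client is left to its own selection logic, which is the situation a matching rule on the NAM side has to cover.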