topic ise cert in Network Access Control

ise cert

edondurguti — Mon, 11 Mar 2019 02:21:29 GMT

When I generate a cert and use THAWT tiral version to try out the cert, the request as I copy - paste it says:

The CSR must include an Organization Name.

I am using ISE 1.1.1

https://ssl-certificate-center.thawte.com/process/retail/trial_product_selector;jsessionid=05DB2EB1E2E8FD67154B46999D600182?uid=f7293ccbbdb28c74c6a817943e96b3bd&locale=THAWTE_US

ise cert

Tarik Admani — Mon, 30 Jul 2012 20:30:19 GMT

Hi,

Please use this guide to generate the csr, i could not view the link that you posted above. Do you have a screenshot of the error, also a screenshot of the csr details?

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1077292

Thanks,

Tarik Admani
*Please rate helpful posts*

ise cert

edondurguti — Mon, 30 Jul 2012 20:39:36 GMT

I was actually reading it before you posted, i am thankful for your help and I apologize for my ignorance of not reading it before I asked ( that's not me at all lol)

yes I have generated a self signing request and they emailed me two files:

Thawte Test CA Root certificate:

Thawte Trial Secure Server Intermediate CA:

they emailed these two files, actually it's a separate text.

Re: ise cert

edondurguti — Mon, 30 Jul 2012 20:40:44 GMT

I am actually trying to set it up with trial cert.

google: thawte trial ssl cert

they offer 21 day trial but I am going to digg a bit more to see whats goin on, can't seem to make it work.

if you have time it'd be nice if you could install it and post the solution.

If i figure it out i'll post the solution.

thanks alot

ise cert

Tarik Admani — Mon, 30 Jul 2012 21:08:50 GMT

Not a problem,

what you will do is save the files according. One file you can save as certificate.cer, and the other root certificate as root.cer

You will upload the root certificate first in the CA store and then upload the certificate.cer in the local certificate store. Let me know if you need help with that.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: ise cert

edondurguti — Mon, 30 Jul 2012 21:26:16 GMT

Thank you for your help once again, I think i will have to digg in.

Anyway as I was readying the documentation for CISCO ISE on page 382 of document: ise_ug1.1.1.pdf

The bolded word down there should be Certificate Store maybe?

Not sure if it's a typo.

" Adding a Certificate Authority Certificate

Note Before you add a certificate authority certificate, ensure that the certificate authority certificate resides

on the file system that is running the client browser.

Prerequisite:

Every ISE administrator account is assigned one or more administrative roles. To perform the operations

described in the following procedure, you must have the Super Admin or System Admin role assigned.

See Cisco ISE Admin Group Roles and Responsibilities for more information on the various

administrative roles and the privileges associated with each of them.

To add a certificate authority certificate, complete the following steps:

Step 1 Choose Administration > System > Certificates.

Step 2 From the Certificate Operations navigation pane on the left, click Certificate Authority Certificates.

The Certificate Authority Certificates page appears.

Step 3 Click Add.

The Import a new Trusted CA (Certificate Authority) Certificate page appears as shown in Figure 13-10 """

ise cert

Tarik Admani — Mon, 30 Jul 2012 21:32:08 GMT

That is correct for the root certificate, my wording wasnt exact but that is correct.

For the local certificate you can use these steps - http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_cert.html#wp1103485

Tarik Admani
*Please rate helpful posts*

Re: ise cert

ITA7DMIN99 — Mon, 06 Jan 2014 05:07:53 GMT

Hi all,

I generate a cert and use THAWT tiral version,I received the certificate as trial SSL certificate ,Trial Secure Server Intermediate CA and Test CA Root certificate which is totally three my problem now I am very new in certificate concept and I don’t know how to move forward:

shall I do construct it as following details :

{Trial SSL certificate, followed by trial intermediate and followed by trial test root} and then save it in one file with .PEM extension

Or I have save each file individually with .pem extension.

Finally how I import this certificate to my ISE 1.2, which one should be to import to local certificates and which one to Certificate Store ?

Thanks

Re:ise cert

Tarik Admani — Mon, 06 Jan 2014 06:37:32 GMT

Method one is correct. You will need to bind and not import if you generated the certificate signing request on the ise server.

Sent from Cisco Technical Support Android App

Re: ise cert

ITA7DMIN99 — Mon, 06 Jan 2014 06:55:19 GMT

thanks Tarik,

should i do any things in Certificate Store?

ise cert

ITA7DMIN99 — Mon, 06 Jan 2014 15:26:18 GMT

I export that local certificate of the ISE and save it in the trusted store of the Client, but still receive the error “12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate”.

i dont want to uncheck the validate server certificate option from the client network profile.

please advise ?

ise cert

Tarik Admani — Mon, 06 Jan 2014 16:01:00 GMT

Keep in mind regardless of a public or private certificate most clients will always prompt the user to accept the radius server warning on all initial 802.1x connections. The only device I have seen not present this prompt is the android.

The supplicant will always warn the end user that the identity for network authentication will be passed on to a radius server, the only way to hide this message by choosing to keep the validate server certificate option would be to use a group policy from GPMC on your microsoft environment where the identity is automatically set.

Tarik Admani
*Please rate helpful posts*

ise cert

ITA7DMIN99 — Tue, 07 Jan 2014 06:02:16 GMT

Still error shown “12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate”. Maybe i need to delete the a default, self-signed certificate after bind the new one?