ISE Basic Certificate Checking

cbradt — Mon, 11 Mar 2019 07:56:02 GMT

In reference to setting up a Certificate Authentication Profile ...

I see that "basic certificate checking" does not require an identity source. I'm wanting to ensure I know what "basic certificate checking" means. My assumption is the all that is checked is:

1) Was the cert issued by a Trusted CA?

2) Has the cert expired? Has a valid/current date

3) Has the cert been revoked?

My take on this is if I have machine certs issued by some Root CA (not my AD) then I could use the basic checking to verify that the cert was issued by the appropriate CA (I've installed the Trusted Root Cert on my ISE) and was therefore a trusted device for EAP-FAST/EAP-TLS machine authentication purposes.

Is this correct? Thanks

I believe this is correct,

Rahul Govindan — Sun, 13 Aug 2017 11:45:13 GMT

I believe this is correct, ISE just does checks the certificates for the steps you have mentioned. I think the only other "basic check" it does is the client certificate KU and EKU settings, basically to check if the certificate presented is meant for that purpose or not. "Client authentication" is a required setting for EKU (if explicitly set) for the client certificate presented to ISE.

topic I believe this is correct, in Network Access Control

ISE Basic Certificate Checking

I believe this is correct,