https://community.cisco.com/t5/network-access-control/mobail-certificate/m-p/3740665#M488605 <P>Are you asking for the cert that ISE presents to the supplicant, or do you mean the client (supplicant) cert?</P> <P>&nbsp;</P> <P>Here are some highlights for the ISE cert (purpose = EAP )&nbsp;</P> <P>Subject Common Name: can be anything but don't put a wildcard in here (e.g.&nbsp; *.mycompany.com) - it breaks Windows supplicants&nbsp;</P> <P>EKU (Extended Key Usage):&nbsp;Server Authentication</P> <P>Encryption: RSA 2048 bits (don't need more than this) - avoid ECC for now - not many clients support it</P> <P>Signature: SHA256</P> <P>&nbsp;</P> <P>Of course the client has to trust the cert that ISE presents during the EAP negotiation.&nbsp; How you achieve this is another discussion.&nbsp; Either purchase a public CA issued cert for ISE, or issue the ISE cert via internal PKI.&nbsp; But then then you need to push that PKI cert chain to all the clients.</P> <P>&nbsp;</P> <P>This is pretty well documented in the ISE Admin Guide</P> Wed, 07 Nov 2018 02:12:43 GMT Arne Bier 2018-11-07T02:12:43Z https://community.cisco.com/t5/network-access-control/mobail-certificate/m-p/3740286#M488601 <P>hi,</P> <P>I want to use eap-tls for wifi connection with ise.</P> <P>what is the cert temple that I need to use?&nbsp;</P> <P>&nbsp;</P> Tue, 06 Nov 2018 16:37:52 GMT https://community.cisco.com/t5/network-access-control/mobail-certificate/m-p/3740286#M488601 vereduk 2018-11-06T16:37:52Z https://community.cisco.com/t5/network-access-control/mobail-certificate/m-p/3740665#M488605 <P>Are you asking for the cert that ISE presents to the supplicant, or do you mean the client (supplicant) cert?</P> <P>&nbsp;</P> <P>Here are some highlights for the ISE cert (purpose = EAP )&nbsp;</P> <P>Subject Common Name: can be anything but don't put a wildcard in here (e.g.&nbsp; *.mycompany.com) - it breaks Windows supplicants&nbsp;</P> <P>EKU (Extended Key Usage):&nbsp;Server Authentication</P> <P>Encryption: RSA 2048 bits (don't need more than this) - avoid ECC for now - not many clients support it</P> <P>Signature: SHA256</P> <P>&nbsp;</P> <P>Of course the client has to trust the cert that ISE presents during the EAP negotiation.&nbsp; How you achieve this is another discussion.&nbsp; Either purchase a public CA issued cert for ISE, or issue the ISE cert via internal PKI.&nbsp; But then then you need to push that PKI cert chain to all the clients.</P> <P>&nbsp;</P> <P>This is pretty well documented in the ISE Admin Guide</P> Wed, 07 Nov 2018 02:12:43 GMT https://community.cisco.com/t5/network-access-control/mobail-certificate/m-p/3740665#M488605 Arne Bier 2018-11-07T02:12:43Z https://community.cisco.com/t5/network-access-control/mobail-certificate/m-p/3740766#M488608 Adding to the above, here is the document which you can follow : <A href="https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html</A><BR /><BR />Also, your question is titled Mobail certificate and if you are looking for EAP-TLS with mobile devices, then you could potentially be looking at BYOD for which the documentation is here <A href="https://community.cisco.com/t5/security-documents/ise-byod/ta-p/3641689" target="_blank">https://community.cisco.com/t5/security-documents/ise-byod/ta-p/3641689</A><BR /><BR /> Wed, 07 Nov 2018 03:44:59 GMT https://community.cisco.com/t5/network-access-control/mobail-certificate/m-p/3740766#M488608 Surendra 2018-11-07T03:44:59Z