https://community.cisco.com/t5/network-access-control/cisco-ise-allowing-expired-endpoint-certificates/m-p/3511345#M519301 <HTML><HEAD></HEAD><BODY><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;">We have a unique situation where we have a customer deployment where Windows machines are built with a machine certificate and stored in various locations ready for deployment. However the Issuing certificate Server expires soon, which means that these machine certificates would have expired before they are unboxed and allowed to do the normal certificate auto enrolment.&nbsp; Cisco ISE will deny access by default to expired certificates, which is the default behaviour as i understand it, see extract below</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;"> </SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;">"</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 25.0pt; font-family: 'inherit',serif; color: blue;">User and Endpoint Certificate Renewal</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 17.0pt; font-family: 'inherit',serif; color: blue;">By default, Cisco ISE rejects a request that comes from a device whose certificate has expired. However, you can change this default behavior and configure ISE to process such requests and prompt the user to renew the certificate</SPAN><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;">."</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;"> </SPAN></P><P style="margin-bottom: .0001pt;"><STRONG style="font-size: 9.0pt; font-family: 'inherit',serif;">Question 1</STRONG><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;"> - Is this for the ISE internal CA issued certs or any Organisation CA certs?</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;"> </SPAN></P><P style="margin-bottom: .0001pt;"><STRONG style="font-size: 9.0pt; font-family: 'inherit',serif;">Question&nbsp; 2</STRONG><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;"> - I found an article which says you can change this by looking at the "</SPAN><SPAN style="font-size: 10.5pt; font-family: 'inherit',serif; color: red;">CertRenewalRequired</SPAN><SPAN style="font-size: 10.5pt; font-family: 'Arial',sans-serif; color: #58585b;">" Authorisation, will this work for a Organisations Microsoft CA issued certs, i..e Mycompany.com CA server cert on client, can we permit access to if the cert is expired using this authorisation check.</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; font-family: 'Arial',sans-serif; color: #58585b;"><BR /> <BR /> </SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 21.5pt; font-family: 'inherit',serif; color: blue;">"Authorization Policy Condition for Certificate Renewal</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 17.0pt; font-family: 'inherit',serif; color: blue;">You can use the CertRenewalRequired simple condition (available by default) in authorization policy to ensure that a certificate (expired or about to expire) is renewed before Cisco ISE processes the request further."</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;">Thanks Khalid</SPAN></P></BODY></HTML> Wed, 06 Dec 2017 14:53:13 GMT khalid_mahmood 2017-12-06T14:53:13Z https://community.cisco.com/t5/network-access-control/cisco-ise-allowing-expired-endpoint-certificates/m-p/3511345#M519301 <HTML><HEAD></HEAD><BODY><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;">We have a unique situation where we have a customer deployment where Windows machines are built with a machine certificate and stored in various locations ready for deployment. However the Issuing certificate Server expires soon, which means that these machine certificates would have expired before they are unboxed and allowed to do the normal certificate auto enrolment.&nbsp; Cisco ISE will deny access by default to expired certificates, which is the default behaviour as i understand it, see extract below</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;"> </SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;">"</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 25.0pt; font-family: 'inherit',serif; color: blue;">User and Endpoint Certificate Renewal</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 17.0pt; font-family: 'inherit',serif; color: blue;">By default, Cisco ISE rejects a request that comes from a device whose certificate has expired. However, you can change this default behavior and configure ISE to process such requests and prompt the user to renew the certificate</SPAN><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;">."</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;"> </SPAN></P><P style="margin-bottom: .0001pt;"><STRONG style="font-size: 9.0pt; font-family: 'inherit',serif;">Question 1</STRONG><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;"> - Is this for the ISE internal CA issued certs or any Organisation CA certs?</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;"> </SPAN></P><P style="margin-bottom: .0001pt;"><STRONG style="font-size: 9.0pt; font-family: 'inherit',serif;">Question&nbsp; 2</STRONG><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;"> - I found an article which says you can change this by looking at the "</SPAN><SPAN style="font-size: 10.5pt; font-family: 'inherit',serif; color: red;">CertRenewalRequired</SPAN><SPAN style="font-size: 10.5pt; font-family: 'Arial',sans-serif; color: #58585b;">" Authorisation, will this work for a Organisations Microsoft CA issued certs, i..e Mycompany.com CA server cert on client, can we permit access to if the cert is expired using this authorisation check.</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; font-family: 'Arial',sans-serif; color: #58585b;"><BR /> <BR /> </SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 21.5pt; font-family: 'inherit',serif; color: blue;">"Authorization Policy Condition for Certificate Renewal</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 17.0pt; font-family: 'inherit',serif; color: blue;">You can use the CertRenewalRequired simple condition (available by default) in authorization policy to ensure that a certificate (expired or about to expire) is renewed before Cisco ISE processes the request further."</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.0pt; font-family: 'inherit',serif;">Thanks Khalid</SPAN></P></BODY></HTML> Wed, 06 Dec 2017 14:53:13 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-allowing-expired-endpoint-certificates/m-p/3511345#M519301 khalid_mahmood 2017-12-06T14:53:13Z https://community.cisco.com/t5/network-access-control/cisco-ise-allowing-expired-endpoint-certificates/m-p/3511346#M519303 <HTML><HEAD></HEAD><BODY><P>Khalid,</P><P></P><P>Machine authentication with certs is used with 802.1x&nbsp; and Microsoft(MS) CA typically. Your MS CA infrastructure is integrated with AD. ISE internal CA will work with BYOD devices and cannot be used for 802.1x machine authentication.</P><P></P><P>Cert renewal policy conditions typically apply to internal CA. If you have an external CA, ISE does request in cert renewal if it is a SCEP proxy or configured as RA. Again this is applicable only for BYOD flow.</P><P></P><P>So your best option at this point is not to use machine auth using certs and may be use machine credentials since this is already part of AD I assume. Then re-enroll your machines for certificate once the CA server is corrected. </P><P></P><P>Thanks</P><P>Krishnan</P></BODY></HTML> Wed, 06 Dec 2017 20:20:46 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-allowing-expired-endpoint-certificates/m-p/3511346#M519303 kthiruve 2017-12-06T20:20:46Z