<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: With EAP-TLS authentication does the client certificate need to be in Trusted Cert store? in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/with-eap-tls-authentication-does-the-client-certificate-need-to/m-p/3579618#M520224</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Jason!&lt;/P&gt;&lt;P&gt;I answered my first question earlier today about client certs in the Trusted store.&lt;/P&gt;&lt;P&gt;In response to your question: I would use the internal ISE certificate authority if I could. Unfortunately our devices (using a TI chipset) do not support 4096-bit keys, and the internal ISE root cert used has a 4096-bit key.&lt;/P&gt;&lt;P&gt;I may not need to use a BYOD ‘spoof’, though, since the client certificates do not need to be in the Trusted Cert store. Our customer requirement currently is to use an external trusted root CA, which is why I am using a 2012 R2 server. I have options for authenticating ‘smarter’ devices and users that way as well.&lt;/P&gt;&lt;P&gt;I will look more at the provisioning portal as well as BYOD for other clients. Thanks.&lt;/P&gt;&lt;P&gt;Karl Peters&lt;/P&gt;&lt;P&gt;858-201-8840&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 02 Nov 2017 18:11:05 GMT</pubDate>
    <dc:creator>kpeters011</dc:creator>
    <dc:date>2017-11-02T18:11:05Z</dc:date>
    <item>
      <title>With EAP-TLS authentication does the client certificate need to be in Trusted Cert store?</title>
      <link>https://community.cisco.com/t5/network-access-control/with-eap-tls-authentication-does-the-client-certificate-need-to/m-p/3579616#M520222</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I'm setting up my ISE (ver 2.3.0.298) to do EAP-TLS authentication with various wireless devices. The devices are not capable of using SCEP to obtain their certificates and keys, so I am going to have to set up a laptop to request access through the ISE and have the ISE communicate to my external SCEP proxy (Microsoft Server 2012 R2) to request client certificates.&lt;/P&gt;&lt;P&gt;My first question is this: do all the client certificates (we may have up to 100,000 of these devices) need to be loaded into the Trusted Certificate store on the ISE (I believe they would need to for EAP-TLS to function)?&lt;/P&gt;&lt;P&gt;If they do need to be in the Trusted Certificate store for client certificate validation, can I use a BYOD device to get certificates through the ISE BYOD portal communicating to my Microsoft MSCEP service, and will the retrieved client certificates be automatically placed into the ISE Trusted Certificate store?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 Nov 2017 17:13:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/with-eap-tls-authentication-does-the-client-certificate-need-to/m-p/3579616#M520222</guid>
      <dc:creator>kpeters011</dc:creator>
      <dc:date>2017-11-02T17:13:53Z</dc:date>
    </item>
    <item>
      <title>Re: With EAP-TLS authentication does the client certificate need to be in Trusted Cert store?</title>
      <link>https://community.cisco.com/t5/network-access-control/with-eap-tls-authentication-does-the-client-certificate-need-to/m-p/3579617#M520223</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;No, the certificates of each client do not need to be in the trusted certificate store.&lt;/P&gt;&lt;P&gt;You will need to put the root certificate chain of your PKI server into the trusted certificate store in order to trust the endpoint clients for authentication.&lt;/P&gt;&lt;P&gt;Is there a reason you’re not using the internal certificate authority on ISE itself?&lt;/P&gt;&lt;P&gt;We also have the certificate provisioning portal to help with onboarding of IoT devices, and this can be accessed via an API; please reference the admin guide.&lt;/P&gt;&lt;P&gt;For BYOD and an understanding of integration, please look at http://cs.co/ise-community under BYOD for examples on how to integrate with an external server if needed.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 Nov 2017 17:45:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/with-eap-tls-authentication-does-the-client-certificate-need-to/m-p/3579617#M520223</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2017-11-02T17:45:52Z</dc:date>
    </item>
    <item>
      <title>Re: With EAP-TLS authentication does the client certificate need to be in Trusted Cert store?</title>
      <link>https://community.cisco.com/t5/network-access-control/with-eap-tls-authentication-does-the-client-certificate-need-to/m-p/3579618#M520224</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Jason!&lt;/P&gt;&lt;P&gt;I answered my first question earlier today about client certs in the Trusted store.&lt;/P&gt;&lt;P&gt;In response to your question: I would use the internal ISE certificate authority if I could. Unfortunately our devices (using a TI chipset) do not support 4096-bit keys, and the internal ISE root cert used has a 4096-bit key.&lt;/P&gt;&lt;P&gt;I may not need to use a BYOD ‘spoof’, though, since the client certificates do not need to be in the Trusted Cert store. Our customer requirement currently is to use an external trusted root CA, which is why I am using a 2012 R2 server. I have options for authenticating ‘smarter’ devices and users that way as well.&lt;/P&gt;&lt;P&gt;I will look more at the provisioning portal as well as BYOD for other clients. Thanks.&lt;/P&gt;&lt;P&gt;Karl Peters&lt;/P&gt;&lt;P&gt;858-201-8840&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 Nov 2017 18:11:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/with-eap-tls-authentication-does-the-client-certificate-need-to/m-p/3579618#M520224</guid>
      <dc:creator>kpeters011</dc:creator>
      <dc:date>2017-11-02T18:11:05Z</dc:date>
    </item>
    <item>
      <title>Re: With EAP-TLS authentication does the client certificate need to be in Trusted Cert store?</title>
      <link>https://community.cisco.com/t5/network-access-control/with-eap-tls-authentication-does-the-client-certificate-need-to/m-p/3579619#M520225</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks! It sounds like you’re all set.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 02 Nov 2017 18:24:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/with-eap-tls-authentication-does-the-client-certificate-need-to/m-p/3579619#M520225</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2017-11-02T18:24:53Z</dc:date>
    </item>
  </channel>
</rss>