topic ISE and Admin Certificate - why Client Auth EKU warning during import? in Network Access Control

ISE and Admin Certificate - why Client Auth EKU warning during import?

Arne Bier — Mon, 16 Oct 2017 04:27:04 GMT

I imported a new cert into my ISE 2.2 nodes for the Admin usage.

I am able to browse to the web page of those PSN's just fine and it's loading the new cert.

Below is a subsection of the cert

X509v3 extensions:

X509v3 Key Usage: critical

Digital Signature, Key Encipherment

1.3.6.1.4.1.311.21.7:

X509v3 Extended Key Usage:

TLS Web Server Authentication

1.3.6.1.4.1.311.21.10:

When I imported the cert, I got the error below: why is this EKU relevant for the Admin usage? Or is this just a nag message?

If I assign that same certificate to the EAP usage, will EAP-TLS not work? I seem to remember that the Client Authentication has to be present in the ISE cert for the purposes of EAP-TLS. For EAP-PEAP this is not required because the client doesn't present a client certificate to the AAA server. So in that case the warning should only appear if I attempt to apply the cert to the generic 'EAP usage'.

Re: ISE and Admin Certificate - why Client Auth EKU warning during import?

hslai — Mon, 16 Oct 2017 06:02:25 GMT

Yeah, it's just a nag message.

An ISE system certificate can potentially be used for client authentications; e.g. pxGrid subscriptions or connecting to an external HTTPS or LDAPS server.

For EAP usage in general, an ISE system certificate does not require client authentication in EKU. Only endpoint certificates do.

Re: ISE and Admin Certificate - why Client Auth EKU warning during import?

Arne Bier — Mon, 16 Oct 2017 11:02:47 GMT

thanks - now I think I finally understood it.