topic Re: ISE BYOD handling of expired or expiring certs in Network Access Control

ISE BYOD handling of expired or expiring certs

hnohre — Wed, 01 Feb 2017 18:35:42 GMT

I know we have the option since some time back to allow a client whose cert is expired/expiring to the onboarding portal.

I also remember some good slides (ISE techtorial or similar) that described the config to cover for different client OS...

Can anyone point me to those slides?

Regards

Hakan

Re: ISE BYOD handling of expired or expiring certs

howon — Wed, 01 Feb 2017 19:08:20 GMT

Maybe others can followup regarding the deck, but the configuration is same for any client OS. There is an attribute in the authorization condition called 'CERTIFICATE:Days to Expiry'. With that you can craft an Authorization policy rule that reads, 'If CERTIFICATE:Days to Expiry is less than 15 days, then assign BYOD flow' which forces user to go through the BYOD process again. Now if the certificate already expired, then the endpoint will not be able to associate to the secured WLAN as ISE will deny access due to invalid certificate, to cover that scenario, you can allow dual-SSID BYOD flow in the guest WLAN and force them through BYOD flow when employee user logs into the guest portal.

Re: ISE BYOD handling of expired or expiring certs

kthiruve — Wed, 01 Feb 2017 19:19:06 GMT

Here is the screenshot of what is supported as part of CERTIFICATE attribute that you can add as part of authorization condition in the authorization policy under BYOD.

Re: ISE BYOD handling of expired or expiring certs

Arne Bier — Tue, 25 Sep 2018 04:59:06 GMT

Hi @howon

I have ISE 2.4 patch 3 and I am testing what happens when a BYOD user is authenticated with a client cert that is about to expire.

I catch that condition in Authorization Policy, and I use an Authorization Profile as follows

Web Redirection = Native Supplicant Provisioning

On the client, I can get redirected and I see the following screen - the error seems to make sense - how does ISE know the user's identity, when they immediately get redirected to the NSP Portal without any authentication?

When I initially on boarded this user, I did it via Guest Portal - and there I can of course authenticate the user. How does it work if I redirect directly to the NSP BYOD portal?

Re: ISE BYOD handling of expired or expiring certs

howon — Tue, 25 Sep 2018 06:53:38 GMT

Arne, actually you caught my error there. You should create a CWA portal that forces BYOD for employees instead of BYOD portal and use it during expired certificate flow on 802.1X WLAN. Quick step here:

1. Create CWA portal that forces employee to go through BYOD (You can reuse existing one if present already)

2. Create AuthZ profile for CWA, make sure to check 'Display Certificates Renewal Message' option

3. Create policy that gets matched for 802.1X WLAN that user connects to using the certificate as following: "If CERTIFICATE:Days to Expiry LESS X" then assign the AuthZ profile created above

Now, when the user connects to the 802.1X WLAN with the certificate nearing expiry, the user will get redirected per policy you created, and due to the 'Display Certificates Renewal Message' option used in the AuthZ profile, ISE will append 'daysToExpiry=Y' parameter at the end of the URL redirect string as shown below:

https://ise.example.com:8443/portal/PortalSetup.action?portal=babebabe...babebabe&sessionId=abeabeabe...abeabe&action=cwa&redirect=www.cisco.com%2F&daysToExpiry=11

User will be forced to login to the portal and then the BYOD renewal process will start. Instead of seeing 'Start' button, user will see 'Renewal' button.

Re: ISE BYOD handling of expired or expiring certs

daniel.landry — Tue, 23 Oct 2018 18:01:18 GMT

Is there an update on this issue?

Is the only way to renew a BYOD certificate is through CWA?

Thanks

Re: ISE BYOD handling of expired or expiring certs

Jason Kunst — Tue, 23 Oct 2018 18:03:25 GMT

Yes that’s the only way for the client to be redirect to do so. This is not an MDM solution so we have no controls over the endpoint OS

Re: ISE BYOD handling of expired or expiring certs

daniel.landry — Tue, 23 Oct 2018 18:11:15 GMT

no other way to renew without redoing the onbooarding process?
no difference in dual or single SSID?

Re: ISE BYOD handling of expired or expiring certs

Jason Kunst — Tue, 23 Oct 2018 18:41:25 GMT

Client needs new cert and that cert associated to the supplicant profile for EAP-TLS. That’s the only way outside of MDM

Page 36 - https://community.cisco.com/t5/security-documents/cisco-ise-byod-deployment-guide/ta-p/3641867

Re: ISE BYOD handling of expired or expiring certs

daniel.landry — Tue, 23 Oct 2018 21:02:13 GMT

And with this setup (single SSID):

when the certificate is expired, does the user simply enter the NSP process to reinstall a valid certificate ?

therefore, no CWA with single SSID ?

Re: ISE BYOD handling of expired or expiring certs

daniel.landry — Wed, 24 Oct 2018 19:54:46 GMT

After a few thoughts and tries, I think my question was not really understandable. In this scenario, i think the renouncement is also done by CWA !?

Re: ISE BYOD handling of expired or expiring certs

howon — Wed, 24 Oct 2018 20:06:36 GMT

We force CWA as we need to confirm the user credential for the re-issuance of certificate. This is a way of making sure the user is indeed the user who was issued the certificate. Without this, any user who has access to the certificate pair would be able to gain access indefinitely. If this is not desired, then recommend extending the validity date.

With your policy, when the certificate expires, user will be denied access to the secure SSID unless ISE is configured to allow expired certificates. If you want to allow renewal flow then follow my example above where you are forcing CWA for secured SSID. Alternatively, user can connect to open/guest SSID to renew certificate provided that BYOD is enabled on open/guest SSID flow.

Re: ISE BYOD handling of expired or expiring certs

Andrej Sumak — Thu, 27 Nov 2025 10:50:19 GMT

Was this condition 'CERTIFICATE:Days to Expiry' removed from ISE in the 3.x versions?
I´m running 3.2 P8 and the condition cannot be used/found anymore in the condition builder. Picture attached.