topic Re: ISE Cert for IOT devices in Network Access Control

ISE Cert for IOT devices

cxo-179682 — Wed, 06 Jan 2021 08:17:34 GMT

Hi Experts,

Trying to deploy certificate from ISE to IOT devices for security purposes, but can anyone share which docs can i refer to ?

- create iot device cert from ISE (export to device)

- import ISE cert to the device

- authenticate based on the cert provided (authentication and authorization profiles)

I've been searching the docs, but been going in circles and couldnt find a complete doc.

TIA

Re: ISE Cert for IOT devices

Marvin Rhoads — Wed, 06 Jan 2021 08:45:50 GMT

For a device to present a certificate to ISE for network authentication it must have and be using an 802.1x supplicant. Do your IoT devices have that? (Most don't)

Re: ISE Cert for IOT devices

cxo-179682 — Wed, 06 Jan 2021 22:37:34 GMT

We are only enabling those that support 802.1x and there are a handful, where we can import the cert & enable dot1x.

I'm exploring on how to create/generate the cert from ISE and export it to be imported to the said device to be authenticated.

Re: ISE Cert for IOT devices

Arne Bier — Sun, 10 Jan 2021 21:05:17 GMT

Hello @cxo-179682

You can use ISE pxGrid as your CA to generate client certificates for your IOT devices. I believe you might need the Plus License installed to see the menu option.

The name 'pxGrid' is a bit misleading since in your case it has nothing to do with pxGrid- don't worry - you can generate certs for client devices and in the end it spits out a .zip file that contains all the bits you need. You can even create a cert using a .csr (from your IOT device or OpenSSL) or generate the cert from scratch.

The cert template is defined in ISE and it will populate the cert attributes in a certain way - but it should be good enough for most purposes.

As a client cert you need the EKU (Enhanced Key Usage) to be "Client Certificate' - pxGrid will set the cert to Server and Client - nice!

Re: ISE Cert for IOT devices

cxo-179682 — Tue, 12 Jan 2021 23:01:40 GMT

Thanks for your suggestion for PxGrid, but we do not have the Plus license, hence couldnt use it 😞

Any other suggestion on how i can generate the cert from ISE (to be trusted from the iot device) ?

Re: ISE Cert for IOT devices

Arne Bier — Wed, 13 Jan 2021 19:56:35 GMT

You could get a 90 day eval of the Plus license (100 endpoints). I am quite certain that once you have created those certificates, they won’t disappear from the system after the 90 days. You might just get a license expiration warning.
100 Plus licenses should not be too expensive in the long run.

Re: ISE Cert for IOT devices

cxo-179682 — Thu, 14 Jan 2021 07:40:54 GMT

Thanks again for your prompt assistance.

Ive managed to get the zip file with all the certs required and imported to the IOT (enabled dot1x).

Created Authentication profile based on the Certificate profile (with relevant Authorization profile to permit the device with specific VLAN)

But, its not hitting/matching the Authentication profile that i wanted for it to check/read the certificate details.

Apology if this sounds 'stupid', but i couldnt find a proper document for this anywhere..as im getting in circles or im looking it at the wrong place.

Re: ISE Cert for IOT devices

Arne Bier — Thu, 14 Jan 2021 21:25:07 GMT

I would send some screen shots but I am not near a computer at the moment. The authentication Policy Set needs an allowed Protocols that allows eap-tls and the authentication itself references a certificate profile that specifies if there are parts of the cert that you want to look up (eg the Subject or SAN) etc.

have a look at the lab minute series video. This is video 1

https://www.labminutes.com/sec0274_ise_22_wireless_dot1x_eap_tls_peap_1

Re: ISE Cert for IOT devices

cxo-179682 — Tue, 19 Jan 2021 01:22:39 GMT

Thanks again for your reply, and i did have a look at the video before.

Yes, I've done below on the ISE :

- Allowed PEAP & EAP-TLS protocol

- Authentication Profile matching the Certificate profile ive created matching SAN (created via pxGrid)

As for the client/supplicant :

- enabled 802.1x using certificate (eap-tls)

- imported only machine cert created from pxGrid (there are a lot of other file which i dont think is needed, i maybe wrong again)

But still not 'hitting' the authentication policy ive created 😞

Re: ISE Cert for IOT devices

Arne Bier — Tue, 19 Jan 2021 03:32:52 GMT

post some screen shots of the Policy Set - details of the Authentication, and Authorization please.

Do you use the NAS (NAD) for anything else in that ISE server? Have you added it to the ISE Devices List and is the Radius shared secret correct? Is the NAS/NAD configured correctly with the ISE IP address and shared secret?

Is this wired or wireless?

Re: ISE Cert for IOT devices

cxo-179682 — Tue, 19 Jan 2021 05:09:05 GMT

This is an existing setup, hence all the relevant NAS-CIsco SW (shared secret) are already in place. Below are the snippets :

1- Certificate Template

2- Certificate Profile

3- Authentication Policy (apology, have to amend some of the information due to Prod setup)

During testing, the device does not hit/match the IOT-Cert authentication policy at all, hence it wont be matching the authorization i wanted it to match.

Re: ISE Cert for IOT devices

Arne Bier — Tue, 19 Jan 2021 20:50:41 GMT

Great screen shots - that helps a lot.

Since this is an IOT device, are you 100% sure that the supplicant is correctly configured? In other words, is it sending EAPOL frames towards the switch? You might want to run a tcpdump on the ISE PSN node to confirm that the RADIUS packets do indeed contain EAP payload.

Here is a handy command to test whether the attached client speaks EAPOL (perhaps hardcode the port to access vlan in order to bring the interface up before running this test)

Test device on access switch port to see whether it has a configured supplicant

9300# term monitor

9300# dot1x test eapol-capable interface te 1/0/46

Mar 27 23:40:29.175: %DOT1X-4-INFO_EAPOL_PING_RESPONSE: Switch 1 R0/0: sessmgrd: The interface Te1/0/46 has an 802.1x capable client with MAC 7872.5d3f.a55a

When you connect the IOT device, what is the end result? Do you see EAP processing on the switch? Do you see the Steps that ISE took to process the Auth request in the Details?

I am not 100% sure that having two identical Authentication Conditions (Wired 802.1X AND EAP-TLS) will allow you to process the second Rule (e.g. Laptop-Cert) in your case. If laptop or IOT comes along with wired 802.1X and EAP-TLS then Rule 1 is satisfied - and then the cert processing is done and AD lookup etc. - if that fails, then I don't think ISE will continue to Rule 2. I would make each Rule a bit more specific, by including another AND operand such as "CERTIFICATE Issuer = 'blah'" to tell ISE to use that Rule unambiguously.

Re: ISE Cert for IOT devices

cxo-179682 — Tue, 19 Jan 2021 22:24:02 GMT

Thanks again for some of the troubleshooting steps, i will proceed to to test the port to confirm the IOT dot1x capabilities (well, the vendor did mentioned he tested with others and it worked, and it's configured for dot1x with eap-tls, which ive checked)

Ive tried to find a way to 'consolidate' both certificate option for Laptop and IOT, but couldn't, hence i created a 2nd authentication profile.

I'm sure this is being used in other organisation where different certificate will be use or need to check. (this is where i did mentioned that i couldn't find the appropriate documentation)

Re: ISE Cert for IOT devices

Arne Bier — Wed, 20 Jan 2021 22:05:23 GMT

Let us know how you get on.

When dealing with multiple EAP-TLS client cert "types" from the same NAS, then you can distinguish them during Authentication using the method I proposed. I have done this in a number of projects. You have access to the CERTIFICATE attributes during authentication, and therefore you can point ISE in the right direction regarding WHICH certificate attribute you are interested in for authentication (certificate profile selection).

The Policy Set will not continue processing if you have matched a Rule, but then proceed to fail during Authentication (e.g. IOT client cert comes along, and you perform auth using the Employee client profile ... Authentication should(will) fail - and then the Access-Reject is sent to the NAS - end of story). You don't get to "fail through" to the next rule. There is an option in Authentication called "If Auth Fail 'Continue'" - but Continue in this case means, continue to Authorization (and bypass Authentication).

Re: ISE Cert for IOT devices

cxo-179682 — Thu, 21 Jan 2021 23:23:58 GMT

I think i managed to get it worked after few tries, as im not sure is the IOT device or ISE configuration issue :

1- No separate certificate profile needed (if there's one in place already)

2- Create cert via pxgrid (as suggested by you)

3- Imported Root and Machine cert to the IOT device (enabled 802.1x)

4- Create an authorization profile matching the cert details and assign appropriate access

Tested few devices and it worked 🙂 but I've been advised to use ISE PKI certificate instead of pxGrid.

Re: ISE Cert for IOT devices

Arne Bier — Fri, 22 Jan 2021 00:52:57 GMT

congrats. If you have found any of our interactions useful then you can tick the "helpful" icon and then eventually click the button "Accept as Solution" 🙂

Re: ISE Cert for IOT devices

shreyiot — Fri, 22 Sep 2023 08:55:59 GMT

To deploy certificates from Cisco Identity Services Engine (ISE) to IoT devices for enhanced security, you can follow these steps:

Generate an IoT device certificate on ISE: Access ISE's Certificate Authority (CA) to create a certificate for the IoT device. Ensure it's configured with the necessary details and exportable.
Import ISE certificate to the device: Install the ISE CA certificate on the IoT device's certificate store, allowing the device to trust certificates issued by ISE.
Configure authentication and authorization profiles: Set up authentication policies in ISE, associating them with the IoT device certificate. Create authorization profiles that define access rights based on the device's certificate attributes.
Test authentication: Verify the setup by having the IoT device attempt to connect, utilizing its certificate for authentication. Ensure the ISE policies correctly grant or deny access based on the certificate attributes.

While Cisco provides documentation, consider consulting Cisco's official documentation and forums for more detailed instructions tailored to your specific ISE and device configurations.