https://community.cisco.com/t5/network-access-control/ise-certificate-requirements-for-eap-tls/m-p/2819491#M56732 <P>HI Attila,</P> <P>It seems your question is specifically for client / user certificate. <A href="https://technet.microsoft.com/en-us/library/cc731363%28v=ws.10%29.aspx">Certificate Requirement with PEAP &amp; EAP</A></P> <P>If you're planning to use wild card certificate. Please ensure you follow this document to get the right certificates. <A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_cert.html#pgfId-1171325">Wild Card with ISE</A></P> <P><BR />The Enhanced Key Usage field identifies the intended purpose of the certificate and needs to contain Client Authentication. This field is mandatory when you use the Microsoft supplicant for PEAP and EAP-TLS.</P> <P>If you request a certificate with the use of a CSR with Microsoft Certificate Services, you do not have the option to specify the Intended Purpose with the Standalone CA. Therefore, the EKU field is absent. With the Enterprise CA, you have the Intended Purpose drop-down. Some CAs do not create certificates with an EKU field. They are useless when you use the Microsoft EAP supplicant.</P> <P></P> <P>Regards,</P> <P>Jatin</P> <P></P> <P></P> <P></P> Sun, 15 Nov 2015 08:35:25 GMT Jatin Katyal 2015-11-15T08:35:25Z https://community.cisco.com/t5/network-access-control/ise-certificate-requirements-for-eap-tls/m-p/2819489#M56728 <P>Hi,&nbsp;</P> <P>We would like to connect our corporate tablets and mobile devices to a restricted network - without implementing classic BYOD features like&nbsp;</P> <P>self-provisioning but with certificate based only authentication (EAP-TLS).</P> <P>(Our Helpdesk will handle the certificate install, wireless network set, etc.)</P> <P>The WLC side is configured to handle the TLS, and now we try to generate certificates. To Ipad, to Android (Galaxy Tab 3 KITKAT), and to iphone.</P> <P>Is there any special certificate requirements to implement this?</P> <P>What should certificate EKU field contain?&nbsp;</P> Mon, 11 Mar 2019 06:13:48 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-requirements-for-eap-tls/m-p/2819489#M56728 Attila Horvath 2019-03-11T06:13:48Z https://community.cisco.com/t5/network-access-control/ise-certificate-requirements-for-eap-tls/m-p/2819490#M56731 <P>I think&nbsp;this doc may be useful:</P> <P>http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html</P> <P>It has some details on the EKU field and certificate template.</P> <P>Other consideration: if you are planning to issue wildcard certificate to the clients, make sure the subject doesn't contain the wildcard or windows clients will have problem.&nbsp;</P> Thu, 12 Nov 2015 23:13:23 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-requirements-for-eap-tls/m-p/2819490#M56731 kurmai 2015-11-12T23:13:23Z https://community.cisco.com/t5/network-access-control/ise-certificate-requirements-for-eap-tls/m-p/2819491#M56732 <P>HI Attila,</P> <P>It seems your question is specifically for client / user certificate. <A href="https://technet.microsoft.com/en-us/library/cc731363%28v=ws.10%29.aspx">Certificate Requirement with PEAP &amp; EAP</A></P> <P>If you're planning to use wild card certificate. Please ensure you follow this document to get the right certificates. <A href="http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_cert.html#pgfId-1171325">Wild Card with ISE</A></P> <P><BR />The Enhanced Key Usage field identifies the intended purpose of the certificate and needs to contain Client Authentication. This field is mandatory when you use the Microsoft supplicant for PEAP and EAP-TLS.</P> <P>If you request a certificate with the use of a CSR with Microsoft Certificate Services, you do not have the option to specify the Intended Purpose with the Standalone CA. Therefore, the EKU field is absent. With the Enterprise CA, you have the Intended Purpose drop-down. Some CAs do not create certificates with an EKU field. They are useless when you use the Microsoft EAP supplicant.</P> <P></P> <P>Regards,</P> <P>Jatin</P> <P></P> <P></P> <P></P> Sun, 15 Nov 2015 08:35:25 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-requirements-for-eap-tls/m-p/2819491#M56732 Jatin Katyal 2015-11-15T08:35:25Z