topic Re: ISE Dot1.x Certificates and OCSP in Network Access Control

ISE Dot1.x Certificates and OCSP

netops4 — Fri, 12 Apr 2024 14:59:53 GMT

So I'd like to use ISE to authenticate then authorise a device based on an external CA presented during 802.1x. I'd also like ISE to use an OCSP check for the validity of this cert.

What are the steps to get this to work? Do i need to import the root ca into ISE? How do i configure ISE to use OCSP?

What would the authentication match statement look like?

Re: ISE Dot1.x Certificates and OCSP

Rob Ingram — Fri, 12 Apr 2024 15:10:55 GMT

@netops4 you import the root certificate to ISE "trusted certificates" under that certificate you configure certificate status validation to use OCSP.

For AuthC match you can match on EAP-TLS, for AuthZ you can match on an attribute from the certificate (certificate template, issuer etc).

If you want to perform a lookup against AD you can also use a Certificate Authentication Profile (CAP).

Re: ISE Dot1.x Certificates and OCSP

MHM Cisco World — Fri, 12 Apr 2024 15:14:51 GMT

https://networkwizkid.com/working-with-certificate-revocation-lists-and-cisco-ise/

Check this

MHM

Re: ISE Dot1.x Certificates and OCSP

glsparks — Wed, 17 Apr 2024 14:22:23 GMT

If its a distributed deployment of ISE. Is it just a case of literally importing the root ca to the Primary Admin node? Or do i need to do somehow get the cert onto all the PSNs too?

Re: ISE Dot1.x Certificates and OCSP

Aref Alsouqi — Wed, 17 Apr 2024 14:56:44 GMT

You just need to do that on the PAN.