topic Re: Can ISE 3.2 be configured as Cert Auth? in Network Access Control

Can ISE 3.2 be configured as Cert Auth?

oscardenizjensen — Fri, 25 Oct 2024 10:26:29 GMT

Hej
I have a lab environment, and currently don't have a CA in the lab

I was wondering whether I could configure ISE itself as a CA to issue client certs for lab testing purposes. Do I need an external CA regardless?

Re: Can ISE 3.2 be configured as Cert Auth?

Rob Ingram — Fri, 25 Oct 2024 10:36:28 GMT

@oscardenizjensen ISE does have a built-in CA, generally it is only used for BYOD scenarios to distribute client certificates and signing pxGrid certificates. So you can use the ISE CA to distribute a certificate to a client.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-30/217161-ca-service-and-est-service-on-ise.html

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId-640661554

In a normal ISE deployment, organisations would use an Enterprise CA (such as Microsoft CA) to distribute and manage certificates.

Re: Can ISE 3.2 be configured as Cert Auth?

oscardenizjensen — Fri, 25 Oct 2024 10:43:11 GMT

I wanted it mostly for anyconnect testing on windows machines in lab with a Cert&AAA login

Re: Can ISE 3.2 be configured as Cert Auth?

Rob Ingram — Fri, 25 Oct 2024 10:48:14 GMT

@oscardenizjensen so use the ISE CA to generate the certificate and import that to the client and as long as ISE and the client mutually trust their certificates it should work.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html

Re: Can ISE 3.2 be configured as Cert Auth?

Arne Bier — Sun, 27 Oct 2024 23:17:36 GMT

As an easy alternative to make some certs, take a look at the excellent XCA tool - there are very good guided steps on creating a CA, and then makig client certs - it's open source and well maintained. GUI versions for all desktop OS's.