https://community.cisco.com/t5/network-access-control/ise-accept-certificates-without-validating-purpose-will-break/m-p/5347479#M598986 <P class="lia-align-justify"><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>&nbsp;,</P> <P class="lia-align-justify">&nbsp;this is one of those questions that, once I read it, I couldn't get out of my head.&nbsp; :&nbsp; )</P> <P class="lia-align-justify">&nbsp;At this exact moment, I don't have a Use Case for it yet, but thank you for pointing it out; some checkboxes end up going unnoticed by me, and this was one of them.</P> <P class="lia-align-justify">&nbsp;</P> <P class="lia-align-justify">Some <STRONG>Bug ID</STRONG> references:</P> <P class="lia-align-justify"><A href="https://bst.cisco.com/bugsearch/bug/CSCvz78531" target="_blank" rel="noopener">CSCvz78531 Add human readable outputs in the live logs detailed report when KU or EKU attributes are missing</A></P> <P class="lia-align-justify"><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz78547" target="_blank" rel="noopener">CSCvz78547 ISE admin guide should specify that there is a way to bypass the mandatory Key Usage</A></P> <P class="lia-align-justify">&nbsp;</P> <P class="lia-align-justify">and this old Post:&nbsp;<A href="https://community.cisco.com/t5/cisco-bug-discussions/cscvz78531-eap-tls-human-readable-live-log-error-messages-needed/td-p/4477061" target="_blank" rel="noopener">EAP-TLS human readable live log error messages needed</A>.</P> <P class="lia-align-justify">"<EM> ... Per <STRONG>TAC</STRONG> the requirement/check for <STRONG>Key Encipherment</STRONG> was added in <STRONG>ISE 2.3</STRONG> ...</EM> "</P> <P class="lia-align-justify">&nbsp;</P> <P class="lia-align-justify">Note:&nbsp;I added your question to my list; if I find the answer, I'll post it here !</P> <P class="lia-align-justify">&nbsp;</P> <P class="lia-align-justify">Best regards</P> <P class="lia-align-justify">&nbsp;</P> Mon, 17 Nov 2025 00:29:11 GMT Marcelo Morais 2025-11-17T00:29:11Z https://community.cisco.com/t5/network-access-control/ise-accept-certificates-without-validating-purpose-will-break/m-p/5341246#M598671 <P>Does anyone know what a valid use case is for unchecking this box?</P> <P>According to my experience, it tries to enforce RFC 5280. But in reality, unchecking this box can break 802.1X authentications. In particular, devices that are authenticating with 802.1AR IDevID certificates. I validated this with one vendor (Axis) who implement 802.1AR certs, and according to the IEEE document for that spec, there is no requirement for an EKU (and Axis don't include it) and the spec also says NOT to include the Key Usage for these certs.</P> <P>802.1AR is a very good initiative to make onboarding of devices easier using EAP-TLS - there seems to be a disconnect somewhere between the RFC 5280's pipe dream of better security, and the IEEE's vision of plug and play EAP-TLS.&nbsp;</P> <P>Bottom line - don't uncheck that box unless you know 100% why you are doing it.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ArneBier_0-1761187438120.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/254071i291B5D21F9846A44/image-size/large?v=v2&amp;px=999" role="button" title="ArneBier_0-1761187438120.png" alt="ArneBier_0-1761187438120.png" /></span></P> <P>&nbsp;</P> Thu, 23 Oct 2025 02:51:04 GMT https://community.cisco.com/t5/network-access-control/ise-accept-certificates-without-validating-purpose-will-break/m-p/5341246#M598671 Arne Bier 2025-10-23T02:51:04Z https://community.cisco.com/t5/network-access-control/ise-accept-certificates-without-validating-purpose-will-break/m-p/5347479#M598986 <P class="lia-align-justify"><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>&nbsp;,</P> <P class="lia-align-justify">&nbsp;this is one of those questions that, once I read it, I couldn't get out of my head.&nbsp; :&nbsp; )</P> <P class="lia-align-justify">&nbsp;At this exact moment, I don't have a Use Case for it yet, but thank you for pointing it out; some checkboxes end up going unnoticed by me, and this was one of them.</P> <P class="lia-align-justify">&nbsp;</P> <P class="lia-align-justify">Some <STRONG>Bug ID</STRONG> references:</P> <P class="lia-align-justify"><A href="https://bst.cisco.com/bugsearch/bug/CSCvz78531" target="_blank" rel="noopener">CSCvz78531 Add human readable outputs in the live logs detailed report when KU or EKU attributes are missing</A></P> <P class="lia-align-justify"><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz78547" target="_blank" rel="noopener">CSCvz78547 ISE admin guide should specify that there is a way to bypass the mandatory Key Usage</A></P> <P class="lia-align-justify">&nbsp;</P> <P class="lia-align-justify">and this old Post:&nbsp;<A href="https://community.cisco.com/t5/cisco-bug-discussions/cscvz78531-eap-tls-human-readable-live-log-error-messages-needed/td-p/4477061" target="_blank" rel="noopener">EAP-TLS human readable live log error messages needed</A>.</P> <P class="lia-align-justify">"<EM> ... Per <STRONG>TAC</STRONG> the requirement/check for <STRONG>Key Encipherment</STRONG> was added in <STRONG>ISE 2.3</STRONG> ...</EM> "</P> <P class="lia-align-justify">&nbsp;</P> <P class="lia-align-justify">Note:&nbsp;I added your question to my list; if I find the answer, I'll post it here !</P> <P class="lia-align-justify">&nbsp;</P> <P class="lia-align-justify">Best regards</P> <P class="lia-align-justify">&nbsp;</P> Mon, 17 Nov 2025 00:29:11 GMT https://community.cisco.com/t5/network-access-control/ise-accept-certificates-without-validating-purpose-will-break/m-p/5347479#M598986 Marcelo Morais 2025-11-17T00:29:11Z https://community.cisco.com/t5/network-access-control/ise-accept-certificates-without-validating-purpose-will-break/m-p/5347481#M598987 <P>In my books, this checkbox is called the RFC 5280 kill switch.&nbsp;</P> Mon, 17 Nov 2025 01:22:48 GMT https://community.cisco.com/t5/network-access-control/ise-accept-certificates-without-validating-purpose-will-break/m-p/5347481#M598987 Arne Bier 2025-11-17T01:22:48Z https://community.cisco.com/t5/network-access-control/ise-accept-certificates-without-validating-purpose-will-break/m-p/5347489#M598990 <P class="lia-align-justify"><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a>&nbsp;,</P> <P class="lia-align-justify">&nbsp;I loved that my friend !</P> <P class="lia-align-justify">&nbsp;</P> Mon, 17 Nov 2025 02:19:41 GMT https://community.cisco.com/t5/network-access-control/ise-accept-certificates-without-validating-purpose-will-break/m-p/5347489#M598990 Marcelo Morais 2025-11-17T02:19:41Z