topic ISE 1.2 and iPEP Certificate Requirements in Network Access Control

ISE 1.2 and iPEP Certificate Requirements

Octavian Szolga — Mon, 11 Mar 2019 04:18:46 GMT

Hi,

For 1.1.x version of ISE, there are some constraints regarding the certificates used for iPEP and Admin:

Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Postur certificate.

[http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml]

Does the same thing applies for iPEP in ISE 1.2? The User Guide for ISE 1.2 and Hardware Installation Guide doesn't mention anything about EKU and specific certificate attributes..

Any thoughts?

Thank you,

Octavian

ISE 1.2 and iPEP Certificate Requirements

Javier Henderson — Thu, 30 Jan 2014 01:32:46 GMT

Octavian,

The same requirements apply.

Javier Henderson

Cisco Systems

ISE 1.2 and iPEP Certificate Requirements

Saurav Lodh — Thu, 30 Jan 2014 05:25:21 GMT

The EKU validation has been removed in version 1.2

"If you configure ISE for services such as Inline Policy Enforcement Point (iPEP), the template used in order to generate the ISE server identity certificate should contain both client and server authentication attributes if you use ISE Version 1.1.x or earlier. This allows the admin and inline nodes to mutually authenticate each other. The EKU validation for iPEP was removed in ISE Version 1.2, which makes this requirement less relevant."

Source:

http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml