https://community.cisco.com/t5/network-security/client-certificate-for-802-1x-and-microsoft-ca/m-p/5260828#M1119584 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/547823">@imanv</a> yes you can configure ISE as a subordinate of the external CA. <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_basic_setup.html#task_E458E69FA39941BBAA9799AAD7FDC644" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_basic_setup.html#task_E458E69FA39941BBAA9799AAD7FDC644</A></P> <P>Some guides on the certificate provisioning portal.</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html</A></P> <P><A href="http://labminutes.com/sec0212_ise_20_certificate_privisioning_portal_1" target="_blank">http://labminutes.com/sec0212_ise_20_certificate_privisioning_portal_1</A></P> <P>&nbsp;</P> Sat, 15 Feb 2025 10:43:57 GMT Rob Ingram 2025-02-15T10:43:57Z https://community.cisco.com/t5/network-security/client-certificate-for-802-1x-and-microsoft-ca/m-p/5260784#M1119578 <P>I need your valuable hints to find a solution to my problem. The clients must request a certificate to be able to use the network with dot1x using ISE.<BR />I have a Certificate Authority (CA) server on Windows 2019 (will upgrade soon to 2022). The Certificate Web Enrollment is unsuitable because it's based on ActiveX and has not been updated for many years. I have clients with macOS and Linux. I am looking for a on-premise solution to provide a feasible certification request for them.</P><P>Would you please tell me what your suggested solution is ?</P><P>&nbsp;</P> Sat, 15 Feb 2025 04:59:13 GMT https://community.cisco.com/t5/network-security/client-certificate-for-802-1x-and-microsoft-ca/m-p/5260784#M1119578 imanv 2025-02-15T04:59:13Z https://community.cisco.com/t5/network-security/client-certificate-for-802-1x-and-microsoft-ca/m-p/5260807#M1119580 <P>If you have any Windows clients, they can be issued certificates automatically via AD Group Policy. macOS clients are best managed with an enterprise management tools like Jamf or Kanji. </P> <P>I have not used it, but you may be able to use a third party solution like SCEPman (<A href="https://docs.scepman.com/" target="_blank">https://docs.scepman.com/</A>) to manage all three client types.</P> Sat, 15 Feb 2025 07:46:31 GMT https://community.cisco.com/t5/network-security/client-certificate-for-802-1x-and-microsoft-ca/m-p/5260807#M1119580 Marvin Rhoads 2025-02-15T07:46:31Z https://community.cisco.com/t5/network-security/client-certificate-for-802-1x-and-microsoft-ca/m-p/5260820#M1119582 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/547823">@imanv</a> to add to what <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046">@Marvin Rhoads</a> has already mentioned, if you require an on-premise solution to distribute certificates to the MacOS/Linux devices, you could use the bulit-in ISE CA, this allows the user to login to a portal to request the certificate to use for authentication. An MDM would be the better solution though.</P> Sat, 15 Feb 2025 09:29:26 GMT https://community.cisco.com/t5/network-security/client-certificate-for-802-1x-and-microsoft-ca/m-p/5260820#M1119582 Rob Ingram 2025-02-15T09:29:26Z https://community.cisco.com/t5/network-security/client-certificate-for-802-1x-and-microsoft-ca/m-p/5260826#M1119583 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046">@Marvin Rhoads</a>Thank you very much.</P><P>In fact I have separate domain for non-corporate users. The users are not joined to the domain. I use it just for VPN polices.</P><P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>Thanks for your hint. I think it is possible to configure ISE as subordinate Certificate server with Microsoft CA.</P><P>Would please describe a little bit more about the MDM application you may be used for on-premise deployment ?</P> Sat, 15 Feb 2025 10:43:07 GMT https://community.cisco.com/t5/network-security/client-certificate-for-802-1x-and-microsoft-ca/m-p/5260826#M1119583 imanv 2025-02-15T10:43:07Z https://community.cisco.com/t5/network-security/client-certificate-for-802-1x-and-microsoft-ca/m-p/5260828#M1119584 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/547823">@imanv</a> yes you can configure ISE as a subordinate of the external CA. <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_basic_setup.html#task_E458E69FA39941BBAA9799AAD7FDC644" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_basic_setup.html#task_E458E69FA39941BBAA9799AAD7FDC644</A></P> <P>Some guides on the certificate provisioning portal.</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html</A></P> <P><A href="http://labminutes.com/sec0212_ise_20_certificate_privisioning_portal_1" target="_blank">http://labminutes.com/sec0212_ise_20_certificate_privisioning_portal_1</A></P> <P>&nbsp;</P> Sat, 15 Feb 2025 10:43:57 GMT https://community.cisco.com/t5/network-security/client-certificate-for-802-1x-and-microsoft-ca/m-p/5260828#M1119584 Rob Ingram 2025-02-15T10:43:57Z