03-27-2024 04:52 AM
Hello everyone, how are you?
I'm looking to implement Dot1x on my wired network using ISE as the authenticator and utilizing certificates via TLS. I'd like to know if there's a way to generate the certificate directly on ISE and install it on the machines. I've searched through some Cisco documentation sources and couldn't find anything addressing this.
Has anyone done this before? Could you share your opinion on it?
Thanks.
03-27-2024 04:55 AM
Check both links: the first for EAP-TLS and the second for ISE self-signed certificates.
MHM
03-27-2024 04:57 AM
ISE can act as a CA and generate certificates, but I do not believe that ISE can install certificates on end devices?
You need to find a GPO or some kind of SCCM tool to push the certificate to all devices.
https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/distribute-certificates-group-policy
03-27-2024 04:59 AM
Hello Hall of Fame member balaji.bandi, thank you for responding. So, can I use ISE as the certificate authority and then generate the certificate and install it on Windows via GPO? That's what I was hoping for, my friend.
03-27-2024 07:32 AM
While you CAN use the ISE internal CA to enroll end devices, almost nobody does so. I have never once seen it used thus in working on over 100 customer ISE deployments.
Almost everybody who uses Microsoft AD uses the Certificate Services available on Windows Server - it integrates much better with your domain computers. People who opt not to use AD typically use a third party device management tool (or even Microsoft Intune in the cloud) to enroll computers and issue certificates (among other things).
03-28-2024 12:57 AM
Yes, you can use it, but I am in line with the view @Marvin Rhoads gave: if you have AD infrastructure, then why not use the Windows PKI service.
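Whichever CA issues the machine certificate (the ISE internal CA or AD CS pushed via GPO, as discussed above), the supplicant only uses it if it lands in the machine store with a private key, a Client Authentication EKU and a chain the client trusts. The following PowerShell audit is an added example, not code from the thread or from Cisco; it assumes a Windows client with the wired 802.1X supplicant and uses only the built-in certificate provider.

```powershell
# Added example (not from the thread): audit the local machine certificate store for a
# certificate usable for wired 802.1X EAP-TLS machine authentication, e.g. after GPO
# auto-enrollment from AD CS or a certificate pushed from the ISE internal CA.
# Run in an elevated PowerShell session on the Windows client.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU required for EAP-TLS

function Get-EapTlsCandidateCertificate {
    [CmdletBinding()]
    param(
        [string] $StorePath = 'Cert:\LocalMachine\My',
        [int]    $MinDaysRemaining = 14     # assumed renewal margin, adjust to your policy
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        # An empty EKU list means "any purpose" and is also accepted by the supplicant.
        $hasClientAuth = ($ekus.Count -eq 0) -or ($ekus -contains $clientAuthOid)
        $chainOk = $cert.Verify()   # builds the chain against the machine's trusted roots
        $daysLeft = [int]($cert.NotAfter - $now).TotalDays
        [pscustomobject]@{
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            DaysRemaining   = $daysLeft
            HasPrivateKey   = $cert.HasPrivateKey
            ClientAuthEku   = $hasClientAuth
            ChainValid      = $chainOk
            UsableForEapTls = $cert.HasPrivateKey -and $hasClientAuth -and $chainOk -and
                              ($daysLeft -ge $MinDaysRemaining)
        }
    }
}

$report = Get-EapTlsCandidateCertificate
$report | Format-Table Subject, Issuer, DaysRemaining, HasPrivateKey, ClientAuthEku, ChainValid, UsableForEapTls -AutoSize

if (-not ($report | Where-Object UsableForEapTls)) {
    Write-Warning 'No EAP-TLS-capable machine certificate found; check GPO auto-enrollment or the CA deployment.'
}

# The Wired AutoConfig service (dot3svc) must be running or the wired 802.1X supplicant never starts.
$svc = Get-Service -Name dot3svc
if ($svc.Status -ne 'Running') {
    Write-Warning "Wired AutoConfig (dot3svc) is $($svc.Status); the wired supplicant is inactive."
}
```

A certificate that shows ChainValid = False usually means the issuing CA (ISE internal CA or the AD CS root) has not been distributed to the client's Trusted Root store, which is the other half of what the GPO must deliver.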