Beginner

Cisco ISE as certificate manager.

Hello, can I use Cisco ISE as a certificate manager in my network?

I need to install self-signed certificates from multiple non-ISE servers on user devices when they connect to the network.

Can I do it with ISE? If it is possible, can somebody share a link on how to do it?

Thanks



1 ACCEPTED SOLUTION
VIP Advocate

Re: Cisco ISE as certificate manager.

You want to use ISE as an MDM or Group Policy type of system? That's not possible as far as I know.

Not sure why you want to do what you're describing. Installing self-signed certificates on end devices? What are these devices and what do they use the certificates for?

By using the BYOD onboarding tools in ISE you can push certs and profiles to devices, but those certs are created either by ISE itself (Internal CA) or via a SCEP Proxy function to another CA. The SCEP enrollment is performed on the end devices during BYOD, and this means that you cannot use ISE to unconditionally push certificates onto a device.

ISE does have a Certificate Self Service Portal option to allow you to create certs using ISE's Internal CA, and then the user can download the cert (and private key) and install that on a target device. But that would be a manual download and install. As far as I know, you can email a certificate to an iPhone and the phone will prompt you to install it. Not sure if that also works for a private key - I kind of doubt it.

3 REPLIES

Beginner

Re: Cisco ISE as certificate manager.

Yeah, something around MDM. But due to policies some devices cannot be enrolled into MDM.

I want to remove the message from web browsers that my internal sites have untrusted certificates. I'm trying to create a self-signed certificate like I am a CA and set these devices to trust this certificate automatically. I thought it could be automated by ISE.

Cisco Employee

Re: Cisco ISE as certificate manager.

These are separate things.

ISE can be a CA to deploy certificates for endpoints to authenticate to the network using dot1x and EAP-TLS. ISE trusts these certs as it is the CA for this communication. The client also trusts ISE as it should have a well-known root for this process.

ISE needs a well-known certificate on the PSN so that when a client communicates with any services it doesn't display an unknown certificate warning of non-trust. This is mainly for BYOD/guest.

ISE cannot push out a certificate chain to a client so that it trusts ISE. This is a role of a group policy server. You can have your own PKI through Microsoft internally, for example. The certificate chain would be shared with all your domain machines so that when your clients try to access the admin, sponsor or My Devices portal they trust ISE as it has a cert internally from the corporate PKI and trusts the internal chain.

You would not use this for clients trying to access guest or BYOD portals as they are likely not domain machines in your control. This would be against best practices and hard to manage as well.

ISE certificates guide:
https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897
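As an added illustration of the Windows-side approach the reply above points to (this is example code, not from the thread, from Cisco or from the linked guide), the script below does on one host what the Group Policy "Trusted Root Certification Authorities" setting does centrally for every domain member: it places the internal root CA in the machine-wide Trusted Root store, then checks that an internal site's certificate now chains to it and matches its DNS name, which is the same evaluation a browser performs before showing or suppressing the warning. The file paths and the hostname intranet.corp.example are placeholders, not values from the page.

```powershell
# Added example, not from the thread or Cisco. Run in an elevated PowerShell on a Windows host.
# Assumed placeholders: the exported root of your internal PKI, the certificate an internal
# site presents, and that site's DNS name. Replace all three with your own values.
$RootCerPath   = 'C:\pki\corp-root-ca.cer'
$ServerCerPath = 'C:\pki\intranet.cer'
$ServerName    = 'intranet.corp.example'

# 1. Install the root into LocalMachine\Root. Centrally, the same store is populated by the GPO
#    path Computer Configuration > Policies > Windows Settings > Security Settings >
#    Public Key Policies > Trusted Root Certification Authorities, so this is only needed
#    for machines outside the domain (which the reply above advises against managing this way).
$root = Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Trusted root installed: $($root.Subject) [$($root.Thumbprint)]"

# 2. Load the server certificate and evaluate it the way a browser would: chain building
#    against the machine store, validity period and hostname match.
$leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ServerCerPath)
$valid = Test-Certificate -Cert $leaf -Policy SSL -DNSName $ServerName -ErrorAction SilentlyContinue
if ($valid) {
    Write-Host "OK: $($leaf.Subject) chains to a trusted root and matches $ServerName"
} else {
    Write-Warning ("FAIL: $($leaf.Subject) is still untrusted. Confirm its issuer " +
                   "($($leaf.Issuer)) is the root you imported and that its SAN covers $ServerName")
}

# 3. Audit the trust store afterwards: every root listed here is trusted for TLS by every
#    user on the machine, so unexpected entries deserve a look.
Get-ChildItem 'Cert:\LocalMachine\Root' |
    Sort-Object NotAfter |
    Select-Object Subject, Thumbprint, NotAfter
```

Two points follow from the thread when reading this: the server certificate will only pass step 2 if it was issued by the root from step 1 (a self-signed per-server certificate, as the original question describes, has no such issuer and would need to be imported as its own root on every device), and the check only helps devices whose trust store you control, which is exactly why the reply recommends a publicly trusted certificate on the PSN for guest and BYOD portals rather than pushing a chain.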