Beginner

ISE as an Intermediate CA for BYOD

Anyone out there experienced with using ISE as an Intermediate CA for BYOD?

When using ISE as an intermediate CA, we seem to get odd results in the Windows client certificate issued by the BYOD process. We have observed the same in ISE 1.3 and 2.0 patch 3. Although the cert works, the certificate information seems to be missing details we normally see, as you can see in the screen captures below.

I would have thought the certification path (in the second picture) would show the root CA, the intermediate CA and finally the user cert. Is it because the client doesn't have the Intermediate CA certificate? If so, how can you get this from ISE, and why doesn't it push it automatically along with the root certificate?

image001.png

image002.png

Root CA is installed:


image003.png

ISE Auth is successful:

image004.png

Accepted Solution
Cisco Employee

Re: ISE as an Intermediate CA for BYOD

This is expected. ISE itself has the certificate chain in its trusted store so ISE can authenticate the endpoints with their TLS certificates. Normally, the clients only need to trust ISE server certificate(s) so no need to install the full certificate chain for the client on the endpoints.

Replies

Enthusiast

Re: ISE as an Intermediate CA for BYOD

Hi, I think this might be true for a Windows client. EAP-TLS runs like a charm on our Windows clients; Apple devices always complain about the untrusted certificate chain. Any suggestions how to solve this on Apple devices?

Cisco Employee

Re: ISE as an Intermediate CA for BYOD

Apple devices always ask you to trust valid certificates when first connecting. Make sure to use a wildcard in the SAN for your PSNs so that clients only need to accept the RADIUS nodes once.

See the following posts

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2

https://communities.cisco.com/docs/DOC-71398

https://discussions.apple.com/thread/7381797?start=0&tstart=0

Beginner

Re: ISE as an Intermediate CA for BYOD

Thanks hslai. That makes sense and is what I thought was happening, but it doesn't confirm to me why Windows Certificate Manager shows what it does. Is it because Windows doesn't have the ISE intermediate certificate that Certificate Manager is unable to display the full certificate hierarchy?
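The behaviour asked about in this last reply, and explained in the accepted answer, is ordinary X.509 chain building: a verifier can only link a leaf to a trusted root through issuer certificates it actually holds. The following is an added example, not code from this thread or from ISE; it constructs a three-tier test PKI with made-up names ("Corp Root CA", "ISE Intermediate CA", "byod-user") and shows that a store holding only the root cannot complete the path, while a store holding root plus intermediate (as ISE's trusted store does) can.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _issue(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Issue a test certificate (constructed data, not anything ISE produced)."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def _signed_by(cert, issuer):
    """True if the issuer's public key verifies cert's signature over its TBS bytes."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False

def build_chain(leaf, available):
    """Walk issuer links from leaf to a self-signed root using only 'available' certs.
    Returns (chain, complete); complete is False when an issuer is not in the store."""
    chain, current = [leaf], leaf
    while current.issuer != current.subject:
        issuer = next((c for c in available
                       if c.subject == current.issuer and _signed_by(current, c)), None)
        if issuer is None:
            return chain, False
        chain.append(issuer)
        current = issuer
    return chain, True

def demo():
    root_key, ca_key, user_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = _issue("Corp Root CA", root_key, "Corp Root CA", root_key, True)
    ise_sub = _issue("ISE Intermediate CA", ca_key, "Corp Root CA", root_key, True)
    user = _issue("byod-user", user_key, "ISE Intermediate CA", ca_key, False)
    _, endpoint_ok = build_chain(user, [root])          # endpoint store: root only
    chain, ise_ok = build_chain(user, [root, ise_sub])  # ISE trusted store: full chain
    return endpoint_ok, ise_ok, len(chain)
```

The endpoint-store case stops at the leaf because no certificate in the store matches the leaf's issuer, which is what a certificate viewer displays as a truncated path; the authenticating server, holding the intermediate, links leaf to intermediate to root and accepts the client certificate.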