
Cisco Employee

ISE: dealing with certificates that remain in endpoints

Hi Team,

My customer authenticates their Corporate SSID through their CA certificates.

However, for some unknown reason, the endpoints (laptops) sometimes keep those certificates, although they are no longer present in the AD.

This anomaly results in those endpoints failing authentication to the Wireless Network.

They found a workaround: changing, in ISE, the option "Match Client Certificate Against Certificate In Identity Store" from "Always perform binary comparison" to "Only to resolve identity ambiguity".

They would like to know the impact of that workaround, namely in terms of access security.


Any other comments are welcome!

Thank you in advance.

Best regards,

Filipe
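To make the difference between the two settings concrete, here is an added model written for this thread (it is not ISE code and not from the original poster). It assumes that ISE extracts the identity from the certificate's Subject CN, that the identity store holds the account's certificates as DER blobs (as the AD userCertificate attribute does), that "Only to resolve identity ambiguity" means the binary comparison is skipped whenever the identity maps to exactly one account, and that chain validation and expiry are checked before either mode is consulted. The DER byte strings, account DNs and dates are constructed stand-ins. The scenario to watch is the stale certificate: the CA issued it, it still chains and has not expired, but it is no longer stored on the AD account. Binary-comparison mode rejects it; the relaxed mode accepts it, which is why the workaround fixes the symptom and also what it trades away.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Tuple


class MatchMode(Enum):
    ALWAYS_BINARY = "Always perform binary comparison"
    ONLY_ON_AMBIGUITY = "Only to resolve identity ambiguity"


@dataclass(frozen=True)
class ClientCert:
    subject_cn: str            # identity attribute taken from the cert (assumed: Subject CN)
    der: bytes                 # constructed stand-in for the certificate's DER encoding
    not_after: datetime
    chains_to_trusted_ca: bool # outcome of chain validation, modelled as a flag


@dataclass
class Account:
    dn: str
    cn: str
    user_certificates: List[bytes] = field(default_factory=list)  # like AD userCertificate


def authenticate(cert: ClientCert, store: List[Account],
                 mode: MatchMode, now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason) for one EAP-TLS client certificate."""
    # Checks that happen in both modes, before the identity store is consulted.
    if not cert.chains_to_trusted_ca:
        return False, "rejected: certificate does not chain to a trusted CA"
    if now > cert.not_after:
        return False, "rejected: certificate expired"
    # Resolve the identity from the certificate attribute.
    candidates = [a for a in store if a.cn == cert.subject_cn]
    if not candidates:
        return False, "rejected: no account matches the certificate identity"
    # Binary comparison: always, or only when the identity is ambiguous.
    if mode is MatchMode.ALWAYS_BINARY or len(candidates) > 1:
        matched = [a for a in candidates if cert.der in a.user_certificates]
        if len(matched) == 1:
            return True, f"accepted: binary match on {matched[0].dn}"
        if not matched:
            return False, "rejected: presented certificate is not stored on the account"
        return False, "rejected: binary comparison still ambiguous"
    return True, f"accepted: identity resolved to {candidates[0].dn} without binary comparison"


# --- constructed sample data -------------------------------------------------
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
NEXT_YEAR = datetime(2025, 1, 1, tzinfo=timezone.utc)
LAST_YEAR = datetime(2023, 6, 1, tzinfo=timezone.utc)

CURRENT_DER = b"DER:LAPTOP-01:serial-0002"  # certificate currently stored on the AD account
STALE_DER = b"DER:LAPTOP-01:serial-0001"    # older cert the laptop kept; removed from AD

STORE = [
    Account("CN=LAPTOP-01,OU=HQ,DC=corp", "LAPTOP-01", [CURRENT_DER]),
    # Two accounts sharing a CN in different OUs: the ambiguous-identity case.
    Account("CN=LAPTOP-02,OU=HQ,DC=corp", "LAPTOP-02", [b"DER:LAPTOP-02:HQ"]),
    Account("CN=LAPTOP-02,OU=Branch,DC=corp", "LAPTOP-02", [b"DER:LAPTOP-02:Branch"]),
]

CURRENT_CERT = ClientCert("LAPTOP-01", CURRENT_DER, NEXT_YEAR, True)
STALE_CERT = ClientCert("LAPTOP-01", STALE_DER, NEXT_YEAR, True)
EXPIRED_CERT = ClientCert("LAPTOP-01", STALE_DER, LAST_YEAR, True)
BRANCH_CERT = ClientCert("LAPTOP-02", b"DER:LAPTOP-02:Branch", NEXT_YEAR, True)


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Evaluate each constructed certificate under both settings."""
    results = {}
    for label, cert in [("current", CURRENT_CERT), ("stale", STALE_CERT),
                        ("expired", EXPIRED_CERT), ("ambiguous-cn", BRANCH_CERT)]:
        for mode in MatchMode:
            results[f"{label}/{mode.name}"] = authenticate(cert, STORE, mode, NOW)
    return results


if __name__ == "__main__":
    for key, (ok, reason) in run_scenarios().items():
        print(f"{key:28} {reason}")
```

Running it shows the expired certificate rejected in both modes, the ambiguous CN resolved by binary comparison in both modes, and the stale certificate accepted only under "Only to resolve identity ambiguity". In that mode the effective policy becomes "any unexpired, unrevoked certificate the CA issued with this name", so removing a certificate from the AD account no longer blocks the endpoint; revoking it at the CA (and having ISE check CRL/OCSP) does.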

Accepted Solution
Contributor

Re: ISE: dealing with certificates that remain in endpoints

It is OK with this option; in my deployment I did the same. If you choose the first option, you must change the option to "continue" if the user is not found, but there is no user if it is a machine certificate, and if the option is "reject" it will fail.


Cisco Employee

Re: ISE: dealing with certificates that remain in endpoints

Thank you so much, Ognyan.

The customer would also like to know of possible security issues with using such a workaround.

If you or anyone would like to comment, I'd really appreciate it.

Thank you.

Filipe

Contributor

Re: ISE: dealing with certificates that remain in endpoints

No, no security violations. If the machine has a valid certificate, authentication and authorization will be OK. I tested it without a certificate and it can't access the network; I tested it with an expired certificate and there is no access either. As I said above, this has worked in my deployment for about 1 year.