ISE: dealing with certificates that remain in endpoints

jolopes
Cisco Employee

Hi Team,

My customer authenticates their Corporate SSID through their CA certificates.

However, for some unknown reason, the endpoints (laptops) sometimes keep those certificates, although they are no longer present in the AD.

This anomaly results in those endpoints failing authentication to the Wireless Network.

They found a workaround: altering, in ISE, the option "Match Client Certificate Against Certificate In Identity Store" from "Always perform binary comparison" to "Only to resolve identity ambiguity".

They would like to know the impact of that workaround, namely in terms of access security.


Any other comments are welcomed!


Thank you in Advance.


Best Regards,


Filipe

1 Accepted Solution

Accepted Solutions

ognyan.totev
Level 5

It is ok with this option; in my deployment I did the same. If you choose the first option you must change the option to "continue if user not found", but there is no user if it is a machine certificate, and if the option is "reject" it will fail.

3 Replies

Thank you so much, Ognyan

Customer would also like to know of possible security issues on using such a workaround.

If you or anyone would like to comment, I'd really appreciate it.

Thank you.

Filipe

ognyan.totev
Level 5

No, no security violations. If the machine has a valid certificate, authentication and authorization will be ok. I tested it without a certificate and it can't access the network; I tested it with an expired certificate and there is no access either. As I told above, this has worked in my deployment for about 1 year.
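To make the two settings concrete, here is a simplified Python model of the decision each one makes (an added illustration, not ISE code or configuration; the laptop name, certificate bytes and the `binary`/`ambiguity` mode strings are constructed). It shows why a certificate that has been removed from the AD object fails only under binary comparison, and that an expired certificate is rejected under both settings.

```python
# Simplified model of the two ISE "Match Client Certificate Against Certificate
# In Identity Store" settings. Illustration only, not ISE code; all names,
# certificates and mode strings are constructed.
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Cert:
    subject: str     # identity carried in the certificate (CN/SAN)
    der: bytes       # stand-in for the DER encoding
    not_after: date

@dataclass
class DirectoryEntry:
    name: str
    user_certificates: list = field(default_factory=list)  # AD userCertificate values

def authenticate(cert: Cert, directory: list, mode: str, today: date) -> str:
    # Validity checks run before either setting applies: expired fails in both modes.
    if cert.not_after < today:
        return "REJECT: certificate expired"
    matches = [e for e in directory if e.name == cert.subject]
    if not matches:
        return "REJECT: identity not found in store"
    if mode == "binary":
        # "Always perform binary comparison": the presented certificate must be
        # byte-identical to one stored on the object, so a certificate that was
        # removed from AD (the stale-laptop case in the thread) is rejected.
        for entry in matches:
            if cert.der in entry.user_certificates:
                return f"ACCEPT: {entry.name} (binary match)"
        return "REJECT: certificate not present on identity"
    # "Only to resolve identity ambiguity": a unique name match is enough; the
    # stored certificate is consulted only when several objects share the name.
    if len(matches) == 1:
        return f"ACCEPT: {matches[0].name} (identity resolved by name)"
    for entry in matches:
        if cert.der in entry.user_certificates:
            return f"ACCEPT: {entry.name} (ambiguity resolved by binary match)"
    return "REJECT: ambiguous identity"

# Constructed sample: AD holds only the laptop's renewed certificate, but the
# laptop still presents the old one, as described in the thread.
TODAY = date(2024, 6, 1)
DIRECTORY = [DirectoryEntry("LAPTOP01$", [b"renewed-cert-der"])]
STALE = Cert("LAPTOP01$", b"old-cert-der", date(2025, 1, 1))
EXPIRED = Cert("LAPTOP01$", b"old-cert-der", date(2023, 1, 1))
```

What the workaround gives up is the ability to block a single certificate by removing it from the AD object; under the second setting, any valid certificate from the trusted CA whose identity exists in the store is accepted.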
