09-06-2019 01:04 AM
Dear community,
I have a deployment that has a constraint on using MS CA for user certificate deployment (it is an old version and doesn't support SHA-2, and they are not willing to upgrade it). I would like to know if anyone has experience using the built-in ISE CA to achieve automated user certificate enrolment for EAP-TLS authentication.
What I would like to achieve is automated user certificate enrolment (during day 0) for all AD users, without the need for users to go to the certificate provisioning portal. None of the users have admin rights.
I know MS AD with MS CA can achieve it, but since MS CA is not an option, I'm looking for an alternative.
Regards,
Ken
09-06-2019 02:35 PM
09-09-2019 01:24 PM
Ken,
This goes to the fundamentals of EAP-TLS: when you are validating a machine or user, the supplicant presents a client certificate that the server verifies, and vice versa. A machine certificate is unique per endpoint and has to work with the environment.
There are PKI standards that govern this, and the CA adheres to these standards and provides an easy way to manage certificates.
The enrollment process can be manual, via GPOs, or via web enrollment. Manual is tedious if you have a lot of endpoints.
Anyway, you need a CA to provide you a certificate; that is the bottom line. Hope it is clear.
Here is a configuration guide for EAP-TLS using wireless.
Thanks
Krishnan
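To make the verification Krishnan describes concrete, and to show why the SHA-1-only CA from the original question is a blocker, here is an added example that is not from this thread or from Cisco. It builds a throwaway root CA and a few user certificates with openssl, then applies the checks a RADIUS/EAP-TLS server applies to a supplicant's certificate: chains to a trusted CA, signed with a SHA-2 digest, and carries the Client Authentication EKU. All names (Demo CA, ken, legacy, web, rogue) are constructed, and it assumes openssl 1.1.1 or later is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA + user certs, then the
# checks an EAP-TLS server applies to a supplicant's certificate.
# Assumptions: openssl 1.1.1+ on PATH; every name below is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two throwaway root CAs: one the RADIUS server trusts, one it does not.
for ca in ca other-ca; do
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Demo $ca" -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" 2>/dev/null
done

# issue_user_cert NAME DIGEST EKU ISSUER -> writes $WORK/NAME.pem
# (a real AD user certificate would also carry the UPN in the SAN; omitted here)
issue_user_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req "-$2" -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

issue_user_cert ken    sha256 clientAuth ca          # what a SHA-2 capable CA issues
issue_user_cert web    sha256 serverAuth ca          # trusted CA, wrong purpose
issue_user_cert rogue  sha256 clientAuth other-ca    # right shape, untrusted issuer
# What the old SHA-1-only CA issues. A host crypto policy may refuse to sign
# with SHA-1 at all; a missing file is rejected by the check just the same.
issue_user_cert legacy sha1   clientAuth ca || true

# check_eap_user_cert CERT CAFILE -> 0 if CERT is acceptable for EAP-TLS user auth
check_eap_user_cert() {
  cert=$1; cafile=$2
  # 1. Chains to the trusted CA, is inside its validity period and is allowed
  #    for TLS client use (an EKU that excludes clientAuth fails this purpose).
  openssl verify -CAfile "$cafile" -purpose sslclient "$cert" 2>/dev/null \
    | grep -q ': OK$' || return 1
  # 2. Signed with a SHA-2 family digest; a SHA-1 signature is exactly the
  #    problem the original poster's old MS CA has.
  openssl x509 -in "$cert" -noout -text \
    | grep -Eq 'Signature Algorithm: sha(256|384|512)' || return 1
  # 3. Explicitly carries the Client Authentication EKU (step 1 would accept a
  #    certificate with no EKU at all, which is not what we want for users).
  openssl x509 -in "$cert" -noout -text \
    | grep -q 'TLS Web Client Authentication' || return 1
  return 0
}

for name in ken legacy web rogue; do
  if check_eap_user_cert "$WORK/$name.pem" "$WORK/ca.pem"; then
    echo "$name.pem: acceptable for EAP-TLS user authentication"
  else
    echo "$name.pem: REJECTED"
  fi
done
```

Only ken.pem passes; legacy.pem (SHA-1), web.pem (no clientAuth EKU) and rogue.pem (untrusted issuer) are all rejected. The same three checks are what to run against a sample certificate from whichever CA you end up using, ISE's internal CA included, before rolling it out to users.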
09-06-2019 07:05 AM
First question or concern would be whether or not you are authenticating the machine at all? If you are, then why do you need to authenticate the user? The only time I recommend authenticating the user is if you need to differentiate access based on who the user is. 99% of customers don't need this. Just authenticate the machine and let Active Directory do its job of controlling access to resources based on who the user is.
To issue certificates from ISE, you would have to use the BYOD flow and client provisioning portal. In my experience, it never works cleanly for every user. But if these are all corporate devices that are consistent in hardware/software, then you may be able to get it to work for everyone.
I would just recommend working with leadership, security, and the folks who own the MS CA server to come up with a better solution where you can issue the certificates using MS CA and GPOs before making things overly complex and causing users to have a bad experience with ISE.
09-06-2019 07:12 PM
Hi Mike,
Thanks a lot for your informative response. The note regarding the ISE CA not being meant to be used as an enterprise CA is useful. For now I am looking for an interim solution (to achieve user authentication, preferably with a cert) before their MS CA is ready.
Regards,
Ken