Cisco Employee

Using ISE Internal CA as a Corporate PKI

Hello,

I have a customer that is currently looking at redesigning their current PKI. They wish to use the Internal CA feature as an intermediary of an external root for the provisioning point for all of their corporate assets, including MS devices. This would not be for a BYOD function but for the corporate authentication.

This is not something I have seen in the past or advised outside of a BYOD/pxGrid use; typically an MS CA or 3rd-party function. So I have some questions, if I may:

  1. Is this a supported design for the Internal CA?
  2. Are there any scale issues or limits?
  3. If this is supported, what are the major considerations or limitations?
    1. I assume a lack of auto-enrollment, and user interaction is required in general?

Endpoint count is in the realm of 100K.

Thanks in advance!

Dave

ACCEPTED SOLUTION

Cisco Employee

Re: Using ISE Internal CA as a Corporate PKI

Is this a supported design for the Internal CA?

  • [A] ISE is supported to function as a Sub-CA, however it is not intended for purposes beyond BYOD and pxGrid

Are there any scale issues or limits?

If this is supported, what are the major considerations or limitations?

- I assume a lack of auto-enrollment, and user interaction is required in general?

  • [A] Yes, auto-enrollment won’t work. The certificate template is not customizable. No option for machine certs if necessary. Not sure if GPO for supplicant configuration will work, may have to do the supplicant configuration manually, which needs local admin rights on the endpoint. The other option to consider is to use the native supplicant provisioning flow to automate the certificate installation and supplicant configuration.

~Hari
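The accepted answer above hinges on three things a Windows endpoint either has or does not have: a machine certificate from the expected issuer that the native supplicant can actually use for EAP-TLS, a working chain up to the external root, and (in an AD CS design) the auto-enrollment GPO. The script below is an added example for this thread, not Cisco's or the posters' code, that checks those three on one endpoint so a design discussion can start from facts rather than assumptions. The issuer name in `$IssuerPattern` is hypothetical; replace it with the subject of the ISE sub-CA in your deployment. The registry value it reads is the one written by the "Certificate Services Client - Auto-Enrollment" policy.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# on a domain-joined Windows endpoint.
# Assumption: $IssuerPattern is a regex matching the Subject of the ISE sub-CA
# (the name below is hypothetical; use your real sub-CA subject).
$IssuerPattern = 'CN=Certificate Services Endpoint Sub CA'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required for EAP-TLS

function Get-EapTlsMachineCert {
    # Machine-store certs a supplicant can actually present for EAP-TLS:
    # expected issuer, private key present, unexpired, Client Authentication EKU.
    param([string]$IssuerPattern)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.Issuer -match $IssuerPattern -and
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        }
}

function Test-ChainBuilds {
    # Build the chain to confirm the external root is trusted and the
    # sub-CA certificate is present on the endpoint.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; CRL reachability is a separate test
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Valid  = $ok
        Path   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        Status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

# 1. Is there a usable machine certificate from the expected issuer?
$certs = Get-EapTlsMachineCert -IssuerPattern $IssuerPattern
if (-not $certs) {
    Write-Warning "No usable EAP-TLS machine certificate from an issuer matching '$IssuerPattern'."
} else {
    foreach ($c in $certs) {
        "{0} (thumbprint {1}, expires {2:yyyy-MM-dd})" -f $c.Subject, $c.Thumbprint, $c.NotAfter
        Test-ChainBuilds -Cert $c
    }
}

# 2. Is the auto-enrollment policy applied? Bit 0x1 = enabled, 0x8000 = explicitly disabled.
# Note that this policy only enrolls against AD CS templates; it cannot target the ISE CA.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if ($ae -and ($ae.AEPolicy -band 0x1) -and -not ($ae.AEPolicy -band 0x8000)) {
    "Auto-enrollment policy enabled (AEPolicy=0x{0:X})." -f $ae.AEPolicy
} else {
    "Auto-enrollment policy not enabled on this endpoint."
}

# 3. Which wired 802.1X profiles does the native supplicant hold?
# (Requires the Wired AutoConfig service; use 'netsh wlan show profiles' for wireless.)
netsh lan show profiles
```

If step 1 finds nothing and step 2 reports the policy enabled, the endpoint is enrolling against AD CS, not ISE, which is exactly the gap the accepted answer describes: certificates from the ISE internal CA only arrive through the client provisioning (native supplicant provisioning) flow.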

3 REPLIES
Cisco Employee

Re: Using ISE Internal CA as a Corporate PKI

I don't quite understand what they want to do.

Are you trying to do certificate provisioning through ISE acting as the SCEP server, but outside of the BYOD flow?

If that's the case, it's not something tested, and therefore not supported, and it would be completely up to the customer to investigate.

VIP Engager

Re: Using ISE Internal CA as a Corporate PKI

I don't see why they would want to go through the pain of doing this. ISE would not support auto-enrollment for MS devices. They would all have to go through the client provisioning portal to get a cert. The ISE internal CA should be used for one-off provisioning, in my opinion, not as an enterprise issuing server.
