Beginner

With EAP-TLS authentication does the client certificate need to be in Trusted Cert store?

I'm setting up my ISE (ver 2.3.0.298) to do EAP-TLS authentication with various wireless devices. The devices are not capable of using SCEP to obtain their certificates and keys, so I am going to have to set up a laptop to request access through the ISE and have the ISE communicate to my external SCEP proxy (Microsoft Server 2012 R2) to request client certificates.

My first question is this: do all the client certificates (we may have up to 100,000 of these devices) need to be loaded into the Trusted Certificate store on the ISE (I believe they would need to for EAP-TLS to function)?

If they do need to be in the Trusted Certificate store for client certificate validation, can I use a BYOD device to get certificates through the ISE BYOD portal communicating to my Microsoft MSCEP service, and will the retrieved client certificates be automatically placed into the ISE Trusted Certificate store?

Accepted Solutions
Cisco Employee

Re: With EAP-TLS authentication does the client certificate need to be in Trusted Cert store?

No, the certificates of each client do not need to be in the trusted certificate store.

You will need to put the root certificate chain of your PKI server into the trusted certificate store in order to trust the endpoint clients for authentication.

Is there a reason you're not using the internal certificate authority on ISE itself?

We also have the certificate provisioning portal to help with onboarding of IoT devices, and this can be accessed via an API; please refer to the admin guide.

For BYOD and an understanding of the integration, please look at http://cs.co/ise-community under BYOD for examples of how to integrate with an external server if needed.
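The point the accepted answer makes, that the authentication server's trusted certificate store holds the issuing CA chain and not the individual client certificates, can be demonstrated with a small lab PKI. The Go program below is an added example written for this page; it is not Cisco code and not something posted in the thread. It builds two hypothetical root CAs ("Lab Root CA" and "Some Other Root CA", both made-up names), issues a client-authentication certificate from each, and verifies them against a trust store that contains only the first CA: the certificate chained to the trusted root validates, the one from the other root is rejected as signed by an unknown authority. It also reports the root's RSA modulus size, since the original poster's devices could not handle a 4096-bit root; the example uses 2048 bits so it runs quickly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRootCA builds a self-signed root for a hypothetical lab PKI (the name is
// made up). keyBits is the RSA modulus size of the root key.
func newRootCA(name string, keyBits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert signs a supplicant (EAP-TLS client) certificate with the
// given CA. The leaf carries the Client Authentication EKU; its own key is a
// small EC P-256 key, which is independent of the root's RSA key size.
func issueClientCert(ca *x509.Certificate, caKey *rsa.PrivateKey, cn string, serial int64) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn}, // cn is a made-up device name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyClient does what the authentication server does with its trusted
// certificate store: the pool holds only the issuing CA(s), never the
// individual client certificates. It returns nil when the presented leaf
// chains to a trusted root and is valid for client authentication.
func verifyClient(leaf *x509.Certificate, trustedCAs ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, ca := range trustedCAs {
		roots.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// rsaModulusBits reports the RSA key size of a certificate's public key,
// or 0 when the key is not RSA. This is the property to check on a root
// before pointing constrained devices at it.
func rsaModulusBits(c *x509.Certificate) int {
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok {
		return pub.N.BitLen()
	}
	return 0
}

func main() {
	ca, caKey, err := newRootCA("Lab Root CA", 2048)
	if err != nil {
		panic(err)
	}
	other, otherKey, err := newRootCA("Some Other Root CA", 2048)
	if err != nil {
		panic(err)
	}
	good, _ := issueClientCert(ca, caKey, "device-0001", 1001)
	rogue, _ := issueClientCert(other, otherKey, "device-0002", 1002)

	fmt.Printf("trust store holds only %q (%d-bit RSA root)\n", ca.Subject.CommonName, rsaModulusBits(ca))
	fmt.Println("device-0001 issued by Lab Root CA:", verifyClient(good, ca))  // nil
	fmt.Println("device-0002 issued by other CA:   ", verifyClient(rogue, ca)) // non-nil, unknown authority
}
```

Only two certificates ever enter the trust store in this example, however many client certificates are issued; adding the second root to the store (verifyClient(rogue, ca, other)) is what would make the other CA's devices acceptable, which is the same decision as importing a second PKI's chain into the ISE trusted certificate store.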



Beginner

Re: With EAP-TLS authentication does the client certificate need to be in Trusted Cert store?

Thanks Jason!

I answered my first question earlier today about the client cert in the Trusted store.

In response to your question: I would use the internal ISE certificate authority if I could. Unfortunately, our devices (using a TI chipset) do not support 4096-bit keys, and the internal ISE root cert used has a 4096-bit key.

I may not need to use a BYOD 'spoof' though, since the client certificates do not need to be in the Trusted Cert store. Our customer requirement currently is to use an external trusted root CA, which is why I am using a 2012 R2 server. I have options for authenticating 'smarter' devices and users that way as well.

I will look more at the provisioning portal as well as BYOD for other clients. Thanks.

Karl Peters

858-201-8840

Cisco Employee

Re: With EAP-TLS authentication does the client certificate need to be in Trusted Cert store?

Thanks! It sounds like you're all set.