With EAP-TLS authentication does the client certificate need to be in Trusted Cert store?

kpeters011
Level 1

I'm setting up my ISE (ver 2.3.0.298) to do EAP-TLS authentication with various wireless devices. The devices are not capable of using SCEP to obtain their certificates and keys, so I am going to have to set up a laptop to request access through the ISE and have the ISE communicate to my external SCEP proxy (Microsoft Server 2012 R2) to request client certificates.

My first question is this: do all the client certificates (we may have up to 100,000 of these devices) need to be loaded into the Trusted Certificate store on the ISE (I believe they would need to for EAP-TLS to function)?

If they do need to be in the Trusted Certificate store for client certificate validation, can I use a BYOD device to get certificates through the ISE BYOD portal communicating to my Microsoft MSCEP service, and will the retrieved client certificates be automatically placed into the ISE Trusted Certificate store?

Accepted Solution

Jason Kunst
Cisco Employee

No, the certificates of each client do not need to be in the trusted certificate store.

You will need to put the root certificate chain of your PKI server into the trusted certificate store in order to trust the endpoint clients for authentication.

Is there a reason you're not using the internal certificate authority on ISE itself?

We also have the Certificate Provisioning Portal to help with onboarding of IoT devices, and this can be accessed via an API; please reference the admin guide.

For BYOD and understanding of integration, please look at http://cs.co/ise-community under BYOD for examples on how to integrate with an external server if needed.


3 Replies


Thanks Jason!

I answered my first question earlier today about client certs in the Trusted store.

In response to your question: I would use the internal ISE certificate authority if I could. Unfortunately our devices (using a TI chipset) do not support 4096-bit keys, and the internal ISE root cert used has a 4096-bit key.

I may not need to use a BYOD 'spoof' though, since the client certificates do not need to be in the Trusted Cert store. Our customer requirement currently is to use an external trusted root CA, which is why I am using a 2012 R2 server. I have options for authenticating 'smarter' devices and users that way as well.

I will look more at the provisioning portal as well as BYOD for other clients. Thanks.

Karl Peters

858-201-8840
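The trust model in the accepted answer (only the CA chain lives in the trusted store; the 100,000 client certificates never do) and the key-size constraint raised in the reply above can both be demonstrated with the openssl CLI. The script below is an added example written for this thread; it is not Cisco ISE code and does not touch ISE. It assumes the `openssl` binary is installed, and every name in it (corp-root, other-root, device-0001, foreign-0001) is constructed for the demo. It builds a small PKI, issues client certificates, and then validates them the way a RADIUS server would: against a store that holds only the issuing root. A certificate chained to a CA that is not in the store is rejected, which is the actual enforcement point, while certificates from the trusted CA validate without ever being imported themselves. The `key_bits` helper reports the RSA modulus size of a certificate, the check you would run on a candidate root before deciding whether constrained devices can use it.

```shell
#!/bin/sh
# Added example for the thread above; not Cisco's code. Assumes the openssl CLI is installed.
# All CA and device names are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA; stands in for the external PKI (the 2012 R2 CA) or ISE's own CA.
#   $1 = short name used for the files, $2 = RSA key size in bits
make_root_ca() {
  openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 365 \
    -subj "/CN=$1 (constructed)" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a client (supplicant) certificate signed by a CA; this is what a device presents in EAP-TLS.
#   $1 = issuing CA short name, $2 = device name (becomes the CN)
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 90 -sha256 -out "$WORK/$2.pem" 2>/dev/null
}

# What the RADIUS server does with the presented certificate: validate it against a trust store
# that holds only CA certificates. Prints "trusted" or "untrusted"; always exits 0 so it can be
# used inside command substitution under set -e.
#   $1 = trust store file (CA certs only), $2 = certificate to validate
validate_against_store() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# RSA modulus size of a certificate's public key, for checking a root against device limits.
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

demo() {
  make_root_ca corp-root 2048     # the CA whose chain goes into the trusted store
  make_root_ca other-root 2048    # a CA the server has never been told to trust
  issue_client_cert corp-root device-0001
  issue_client_cert corp-root device-0002
  issue_client_cert other-root foreign-0001

  # The trust store contains only corp-root; no client certificate is ever added to it.
  printf 'device-0001  vs corp store: %s\n' "$(validate_against_store "$WORK/corp-root.pem" "$WORK/device-0001.pem")"
  printf 'device-0002  vs corp store: %s\n' "$(validate_against_store "$WORK/corp-root.pem" "$WORK/device-0002.pem")"
  # Chained to a CA outside the store, so it is rejected regardless of how it was issued.
  printf 'foreign-0001 vs corp store: %s\n' "$(validate_against_store "$WORK/corp-root.pem" "$WORK/foreign-0001.pem")"
  printf 'corp-root key size: %s bits\n' "$(key_bits "$WORK/corp-root.pem")"
}

demo
```

Swapping `make_root_ca corp-root 2048` for `make_root_ca corp-root 4096` reproduces the situation in the reply: the certificate validates exactly the same way on the server side, and only the `key_bits` output changes, which is the number a constrained supplicant has to be able to handle when it verifies the server's chain during the TLS handshake.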

Thanks! It sounds like you're all set.
