05-24-2022 03:59 PM
Dear professionals,
I have a Cisco 9800 WLC, Cisco ISE, and an AD server. My requirement is to set up wireless clients to authenticate using Active Directory accounts via Cisco ISE. I have the questions below:
1. I believe I need to set up 802.1X authentication on the Cisco WLC?
2. Can we set up TACACS between the Cisco WLC and Cisco ISE, or is only RADIUS possible?
3. I believe we need to install an SSL certificate on Cisco ISE and on the wireless clients (Windows, Mac, mobile devices like iPhone and Android)? No SSL certificate is required on Active Directory.
4. I have a wildcard PFX SSL certificate (which was built for another purpose). Can I install it on ISE and the wireless clients, or do I need to convert it to another format? Can you share which format, and how to import the certificate into Cisco ISE?
If someone could help, I would be grateful.
Thank you
05-24-2022 07:12 PM
Question 1 - That is correct; you need to configure ISE as a RADIUS server on the WLC. Configure the SSID and set its authentication to the configured RADIUS servers.
Question 2 - TACACS is not meant for dot1x; you need to use RADIUS.
Question 3 - A certificate on endpoints is not mandatory unless the goal is to use certificate-based authentication.
Question 4 - Use openssl to extract the certificate, private key and certificate chain (root and intermediate certs). Import the root and intermediate certs into the System trusted certificate store on ISE first.
Then upload the wildcard cert along with the private key to ISE and select the services for which you want the certificate to be used. Ensure the wildcard covers the FQDN of ISE. Beware of a service restart if you choose the certificate for "admin" usage.
Here's an excellent guide to certificates on ISE - https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897
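The openssl extraction described in the answer above, written out as an added example rather than anything posted in the thread. It builds a constructed wildcard PFX (a constructed root and intermediate CA, the passphrase demo-pass, and file names under a temporary directory, none of which come from the thread), splits it into the private key, the leaf certificate and the CA chain the way ISE expects them, and then checks that the key and certificate belong together and that the leaf verifies against the extracted chain.

```shell
#!/bin/sh
# Added example (not from the thread): split a PKCS#12 (.pfx) bundle into the
# pieces ISE wants imported separately, then check they belong together.
# Every file name and the demo CA hierarchy below are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-demo-pass}"   # constructed export passphrase

# Stand-in for the "wildcard pfx built for another purpose":
# constructed root CA -> intermediate CA -> *.example.com leaf, exported as PFX.
make_demo_pfx() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.com\n' > "$WORK/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
  cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain-in.pem"
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.pem" \
    -certfile "$WORK/chain-in.pem" -passout "pass:$PFX_PASS" -out "$WORK/wildcard.pfx"
}

# The actual extraction: three openssl pkcs12 runs over the same bundle.
#   ise-key.pem   - private key, unencrypted (-nodes), uploaded together with the leaf
#   ise-cert.pem  - the leaf (end-entity) certificate only
#   ise-chain.pem - CA certificates only, for the ISE trusted certificate store
extract_pfx() {
  pfx=$1; pass=$2; out=$3
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/ise-key.pem"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/ise-cert.pem"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/ise-chain.pem"
}

# Number of CA certificates recovered (root plus intermediates).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# A key/cert upload whose public keys differ is rejected; compare them up front.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Does the leaf chain up through the extracted CA certificates?
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_demo_pfx
extract_pfx "$WORK/wildcard.pfx" "$PFX_PASS" "$WORK"
echo "CA certificates in chain: $(cert_count "$WORK/ise-chain.pem")"
if key_matches_cert "$WORK/ise-cert.pem" "$WORK/ise-key.pem"; then
  echo "private key matches the leaf certificate"
else
  echo "MISMATCH: key and certificate are not a pair"
fi
if chain_verifies "$WORK/ise-chain.pem" "$WORK/ise-cert.pem"; then
  echo "leaf verifies against the extracted chain"
fi
```

ISE takes each CA certificate as its own upload into the trusted store, so if ise-chain.pem holds more than one certificate, split it at the BEGIN/END CERTIFICATE markers before importing. A PFX exported from Windows with the older RC2-based encryption may need the `-legacy` option on the `openssl pkcs12 -in` steps when run with OpenSSL 3.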
05-31-2022 09:40 AM
Note that the native Windows supplicant for 802.1X does not work well with wildcard certificates (when the wildcard is in the CN, or Common Name, field).
For that reason it is recommended to use an actual assigned certificate for ISE. You can use multi-SAN (Subject Alternative Name) to cover the multiple PSNs in the case of a larger ISE deployment.
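A check for the two points made about certificate names in this thread (this post's warning about a wildcard in the CN, and the earlier advice that the certificate must cover the ISE FQDN), written as an added example and not taken from the thread. It generates two constructed self-signed certificates, one with `*.example.com` in the CN and one with an FQDN CN plus a two-entry SAN list, reads the CN and SAN values back with openssl, and tests whether a given host name is covered. The example.com names and PSN host names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): read the Subject CN and SAN entries of a
# certificate, flag a wildcard sitting in the CN, and test whether a given ISE
# FQDN is covered. Certificates and host names below are constructed.
set -e

WORK2="${WORK2:-$(mktemp -d)}"

# Two constructed self-signed certificates:
#   wild.pem - wildcard in the CN, the shape the post warns about
#   psn.pem  - FQDN in the CN plus a multi-SAN list naming two PSNs
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=*.example.com" \
    -addext "subjectAltName=DNS:*.example.com" \
    -keyout "$WORK2/wild.key" -out "$WORK2/wild.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=ise-psn1.example.com" \
    -addext "subjectAltName=DNS:ise-psn1.example.com,DNS:ise-psn2.example.com" \
    -keyout "$WORK2/psn.key" -out "$WORK2/psn.pem" 2>/dev/null
}

# Subject CN value only (RFC 2253 rendering looks like "subject=CN=...,O=...").
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# One DNS SAN per line; empty output when the certificate has no SAN.
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' || true
}

# Exit 0 when the CN starts with "*", the case the Windows supplicant handles poorly.
wildcard_in_cn() {
  case "$(cert_cn "$1")" in
    "*"*) return 0 ;;
    *)    return 1 ;;
  esac
}

# Exit 0 when FQDN $2 is named in the SAN list of $1, either exactly or by a
# single-label wildcard (*.example.com covers a.example.com, not a.b.example.com).
covers_fqdn() {
  fqdn=$2
  for n in $(cert_sans "$1"); do
    [ "$n" = "$fqdn" ] && return 0
    case "$n" in
      "*."*)
        [ "$fqdn" != "${fqdn#*.}" ] && [ "${fqdn#*.}" = "${n#\*.}" ] && return 0 ;;
    esac
  done
  return 1
}

make_demo_certs
for c in wild psn; do
  echo "$c.pem  CN=$(cert_cn "$WORK2/$c.pem")  SAN=$(cert_sans "$WORK2/$c.pem" | tr '\n' ' ')"
  if wildcard_in_cn "$WORK2/$c.pem"; then
    echo "  -> wildcard in CN; prefer a per-node or multi-SAN certificate for ISE"
  fi
  if covers_fqdn "$WORK2/$c.pem" ise-psn2.example.com; then
    echo "  -> covers ise-psn2.example.com"
  fi
done
```

Run it against a real ISE certificate by calling `cert_cn`, `wildcard_in_cn` and `covers_fqdn` on the PEM file with each PSN FQDN; a certificate that passes `covers_fqdn` for every node but fails `wildcard_in_cn` is the multi-SAN shape this post recommends.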
05-31-2022 10:02 PM