Authenticating a device with certificates using ISE
05-03-2021 02:12 AM - edited 05-03-2021 03:45 AM
I want to authenticate a device which is not on the domain (not connected to AD), using a certificate. Is it possible to do certificate-based authentication using the ISE default certificate, by generating a CSR, etc.?
The device doesn't allow username/password authentication. Can I use the certificates only, like when you configure SSH with a pub-key?
Labels: AAA, Identity Services Engine (ISE)
05-03-2021 06:14 AM
A few items for consideration: Is this possibly something for another customer? If so, any chance you could enroll them with your internal PKI & use that cert to onboard the non-domain clients to your network? Who will manage the configuration of the supplicant (you/external domain)? Also, what type of supplicant will be in use? You will need to consider how to do certificate matching if the client will have multiple identity certs from different domains. If the clients have an identity cert and you trust the chain, have you considered simply adding the external chain into your ISE trust store to support onboarding via their own PKI certs?
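
A pre-check for the trust-store suggestion in the reply above, as an added example that is not part of the original thread: before importing an external chain, confirm with the OpenSSL CLI that the device's identity certificate validates as a client certificate under that CA and not under an unrelated one. The lab PKI and the names `external-root`, `internal-root` and `device01` are constructed for illustration; nothing here is ISE configuration or output.

```shell
# Added example: constructed lab PKI, not ISE configuration or output.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# make_ca NAME: self-signed root standing in for one PKI (names are hypothetical).
make_ca() {
    openssl req -x509 -config "$WORK/pki.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_device_cert CA NAME: device key and CSR, signed by CA as a client certificate.
make_device_cert() {
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions client_ext \
        -out "$WORK/$2.pem" 2>/dev/null
}

# chain_ok CA_PEM CERT_PEM: 0 if CERT validates as a TLS client cert under CA_PEM.
chain_ok() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca external-root                      # the device owner's PKI
make_ca internal-root                      # your own PKI
make_device_cert external-root device01    # device enrolled with the external PKI

for ca in external-root internal-root; do
    chain_ok "$WORK/$ca.pem" "$WORK/device01.pem" \
        && result="validates" || result="does NOT validate"
    echo "device01 $result against $ca"
done
```

With a real device, run only the `openssl verify` step against the CA bundle you were given and the certificate exported from the device.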
