
auto remediation (certs) with APEX licence and anyconnect agent

vark00001

Hi All,

I have been thrown a question prior to the ISE deployment in our organization. Soon we will have dot1x on every port of all user- and things-facing switches, and authentication will be via the ISE infrastructure.

Now, among other things, corporate desktops and laptops will be authenticated using PKI-framework-based machine certificates, wherein ISE will forward the query to the corporate CA server for verification.

Now the requirement is: for a corporate machine which has, let's say, missing, expired or corrupted certificates, by default it won't be authenticated and will perhaps be provided an internet-only VLAN. But since those machines belong to actual corporate users, we would like to auto-remediate the situation without having to remove dot1x and install certificates, or maybe even sending someone to put in certificates manually or taking them to staging areas.

Can an APEX licence in conjunction with the AnyConnect client help there? As I saw, there was remediation scenario documentation for things like patches, anti-virus etc., but nothing specific to auto-remediation of certificates.

Is that possible? If yes, how?

Varun

Accepted Solution

howon (Cisco Employee)

A few things to consider for expired certificates:

- In a general corporate PKI (especially if using MS CA), you can configure the CA server to issue certificates when the expiry date is near. This can be configured from the MS CA console and is recommended. As long as the users are connecting the PC often enough before expiry, the machine should always have a valid certificate.

- Now, if you still want to address expired certificates, consider the following options:

1. If you want to allow expired certificates to authenticate, then you can modify the 'Allowed protocols' for EAP-TLS to allow expired certificates. However, instead of providing full access, you can limit access to a web portal where the user is instructed to take action to renew the certificate.

2. It is generally not recommended to allow expired certificates to be authenticated, due to security reasons. A better option is to use the 'CERTIFICATE:DAYSTOEXPIRY' authorization condition to trigger user action when the certificate is near expiry.

3. You can simply deny access for expired certificates and redirect the user to log in via a web portal using username and password.


For the above options, you don't need an Apex license, as you are only leveraging basic RADIUS authentication.


Hosuk


13 Replies

Thanks Hosuk,

The suggestions here do answer the questions for expired certificates, but what would be a good suggestion for machines with no certificates? Imagine we have ordered 10 new machines and those get the image and other software from a local SCCM server.

Today this is not a problem, since there is no dot1x on the ports, so a new machine does DHCP, gets its SCCM server IP, gets the image, and along with that a certificate is issued by scripts.

If, in future, after we establish the ISE infrastructure with dot1x on all ports, we are trying to set up these 10 machines, they will not have anything to supply for EAPoL. What will we do in those cases? Some options are:

-> Remove dot1x temporarily, let them image and get certificates, and then apply dot1x back (very manual and prone to ports being left non-dot1x).

--> Stage the machines at a designated location with no dot1x and then connect them to the LAN (this will add logistics cost).

--> Maybe authenticate via MAB, then let the machine get imaged with access to the SCCM servers only, and then do a CoA for full access.

What do other companies do to handle such situations?

Varun

Would recommend the last 2 options. Likely others from partners will chime in, like berbee arne.bier.

Thanks Jason!!

I would really appreciate real-life experiences with this scenario. How are new machines handled generally?

Certainly we are not the only organization with this dilemma. I am sure a lot of companies order machines in their office and then use SCCM for imaging. If the ports are dot1x-ed, then it will be like a chicken-and-egg problem.

vark00001

Hi Jason,

Did you manage to find any feedback on this ?

The people I copied were partners that might have shared their feedback. That’s all we have.

Hi Jason,

I actually found an interesting line from Aaron Woland in his famous book (version 2, page 271). At least for expired certs, there seems to be an inbuilt feature:

[image: cert.JPG]

I am still trying to brainstorm what to do with brand new machines.

Varun

Not all client OSes would present an expired certificate for EAP-TLS. For example, Windows clients do not.

Ok,

The case with new machines will be that they will not hand out any certificates, even though profiling will figure out, based on DHCP or other profilers, that at least the hardware is of the corporate type, like HP model xx-yy.

So I am thinking of a policy that says "match hardware type: corporate", and if they don't have certificates, give them access to only the AD and SCCM servers, let them get a certificate, and then do a CoA.

Any thoughts on whether that can work?

Varun

Sure, if the AD is also serving DNS and DHCP, as well as the CA services.

Nope, DNS and DHCP are based on a completely different product, Infoblox. Though AD has the CA services running.

Varun

Then DNS and DHCP need to be allowed as well. Or at least DNS, if the endpoints are using static IPs.
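The switch-side half of the "MAB first, restricted access, then CoA" approach discussed in the last few replies, written out as an added example. This is not configuration from the thread or from Cisco documentation; the interface, VLAN number, shared secret and all IP addresses (ISE PSN 192.0.2.10, Infoblox DNS/DHCP 192.0.2.53, AD/CA 192.0.2.20, SCCM 192.0.2.30) are placeholders, and the port commands use the legacy IOS `authentication` CLI rather than IBNS 2.0 / C3PL:

```ios
! --- Global: send 802.1X and MAB to ISE and accept CoA from it ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! CoA (RFC 5176) listener: ISE must be a client here, otherwise the
! "reauthenticate after the cert is installed" step silently fails.
aaa server radius dynamic-author
 client 192.0.2.10 server-key <shared-secret>
!
dot1x system-auth-control
!
! --- Access port: 802.1X first, MAB as the fallback ---
! A freshly unboxed machine with no certificate never answers the
! EAP-Request/Identity. After tx-period x (max-reauth-req + 1) seconds
! (10 x 3 = 30 s here) the switch moves to the next method, MAB, and
! ISE can match the MAC/profile to a provisioning rule.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
!
! --- Downloadable ACL (dACL) body, entered in ISE under
! Policy Elements > Results > Downloadable ACLs and returned only by the
! "corporate hardware profile, authenticated via MAB, no certificate"
! authorization rule. Everything the imaging run needs and nothing else:
! DHCP (the MAB'd host has no address yet), DNS on Infoblox, AD/CA for
! domain join and certificate enrollment, and the SCCM server.
permit udp any eq bootpc any eq bootps
permit udp any host 192.0.2.53 eq domain
permit tcp any host 192.0.2.53 eq domain
permit ip any host 192.0.2.20
permit ip any host 192.0.2.30
deny ip any any
```

Once the imaging scripts have enrolled the machine certificate, a CoA reauthenticate from ISE (or the periodic reauth timer ISE returns as Session-Timeout) restarts the port's authentication; the supplicant now answers EAP with its certificate, 802.1X wins by `authentication priority`, and the session lands in the full-access rule instead of the dACL above. The `authentication priority dot1x mab` line matters: without it a host already authorized by MAB would not be pre-empted when it later starts speaking EAP.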

vark00001

Hello HSLAI,

Any comments on whether this idea can work?

Varun