Can ISE 3.2 be configured as Cert Auth?

Hi,
I have a lab environment and currently don't have a CA in the lab.

I was wondering whether I could configure ISE itself as a CA to issue client certs for lab testing purposes. Do I need an external CA regardless?


4 Replies

@oscardenizjensen ISE does have a built-in CA; generally it is only used for BYOD scenarios to distribute client certificates and to sign pxGrid certificates. So you can use the ISE CA to distribute a certificate to a client.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-30/217161-ca-service-and-est-service-on-ise.html

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867#toc-hId-640661554

In a normal ISE deployment, organisations would use an Enterprise CA (such as Microsoft CA) to distribute and manage certificates.

I wanted it mostly for AnyConnect testing on Windows machines in the lab with a cert & AAA login.

@oscardenizjensen so use the ISE CA to generate the certificate and import it to the client, and as long as ISE and the client mutually trust their certificates it should work.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html

As an easy alternative to make some certs, take a look at the excellent XCA tool. There are very good guided steps on creating a CA and then making client certs; it's open source and well maintained, with GUI versions for all desktop OSes.