Can ISE use a Windows certificate store as a posture condition?

rwehe (Cisco Employee)

Our customer is not yet using certificates for ISE authentication and is in the process of deploying CA and PKI services to enable certificate enrollment. They want to audit the population of devices that still don't have a certificate before enabling certificate-based authentication. They want to see if they can use an ISE posture condition in audit mode to collect statistics on this.

Is it possible to create a posture condition in ISE to query the cert store on Windows to identify if a cert has been issued by a specific, user-defined CA?

3 Replies

Hi,

Create a registry condition with the following path for the machine certificate store:

HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates, with the required key as mentioned in this link: https://docs.microsoft.com/en-us/windows/desktop/seccrypto/system-store-locations

-Aravind

Thanks for the thought Aravind - I checked the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\<MY | Root | Trust | CA> and each certificate appears as a Blob. They're also different from machine to machine. I'm not sure this will work as I don't see how to get the CA from a Blob and into ISE.

Technically speaking, you can: at the end of the day it is a hex dump, and you will find bits and pieces of what you are looking for. For example, you can find the issuer name somewhere lurking in there. You can look for a registry value that contains, say, "4d 69 63 72 6f 73 6f 66 74 20 52 6f 6f 74 20 43 41" for "Microsoft Root CA". It is not an acceptable solution as such, but a very, very dirty workaround, and not a 100% accurate one.
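The two questions left open in the thread are how to get the issuer out of the registry `Blob` value, and why a raw hex search for the CA name (the "dirty" workaround in the last reply) is not 100% accurate. The script below is an added example written for this page, not code from the original thread or from Cisco. It parses the `Blob` as a sequence of CryptoAPI property records (the layout assumed here, from the serialized-store format: a little-endian uint32 property id, a uint32 reserved field observed as 1, a uint32 length, then the data, with property 32, CERT_CERT_PROP_ID, holding the DER certificate), walks the DER down to the issuer Name, and compares the issuer CN exactly. It then runs the hex search beside it on a constructed "decoy" whose *subject* mentions the CA name to show the false positive. The sample blobs, the CA names `Contoso Issuing CA` and `Some Other CA`, and the minimal pseudo-certificates are all constructed here and are not valid certificates; only enough DER is built to reach the issuer field. On a real machine you would feed it the bytes of `HKLM\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\<thumbprint>\Blob`.

```python
"""Added example: parse a Windows CryptoAPI serialized-certificate Blob (the
REG_BINARY value under HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\
Certificates\\<thumbprint>) and check which CA issued the certificate.
Record layout assumed: uint32 property id, uint32 reserved (seen as 1),
uint32 length, data; property 32 (CERT_CERT_PROP_ID) carries the DER cert."""
import struct

CERT_CERT_PROP_ID = 32
OID_CN = "2.5.4.3"


def iter_blob_properties(blob):
    """Yield (prop_id, data) for every record in the serialized blob."""
    off = 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError("truncated property record at offset %d" % off)
        yield prop_id, blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last property record")


def extract_der_cert(blob):
    """Return the DER certificate carried in property 32, or None."""
    return next((d for p, d in iter_blob_properties(blob) if p == CERT_CERT_PROP_ID), None)


def der_read(buf, off=0):
    """Read one DER TLV at buf[off:]; return (tag, value, next offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def der_children(value):
    """Split a constructed value into its list of (tag, value) children."""
    out, off = [], 0
    while off < len(value):
        tag, v, off = der_read(value, off)
        out.append((tag, v))
    return out


def decode_oid(raw):
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def name_to_dict(name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue -> {oid: string}."""
    out = {}
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            out[decode_oid(oid)] = val.decode("utf-8", "replace")
    return out


def issuer_of(cert):
    """Walk Certificate -> tbsCertificate -> issuer and return it as a dict."""
    _, body, _ = der_read(cert)            # outer Certificate SEQUENCE
    tbs = der_children(der_children(body)[0][1])
    i = 1 if tbs[0][0] == 0xA0 else 0      # optional explicit [0] version
    return name_to_dict(tbs[i + 2][1])     # serial, signatureAlgorithm, issuer


def issued_by(blob, ca_cn):
    """The proper check: parse the blob and compare the issuer CN exactly."""
    cert = extract_der_cert(blob)
    return cert is not None and issuer_of(cert).get(OID_CN) == ca_cn


def hex_search(blob, ca_cn):
    """The thread's 'dirty' check: is the CA name's byte string anywhere in the blob?"""
    return ca_cn.encode("ascii") in blob


# --- constructed sample data: not real certificates, just enough DER to reach the issuer ---
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def name(cn):  # Name with a single CN RDN (OID 2.5.4.3, PrintableString)
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))))


def fake_cert(issuer_cn, subject_cn):
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")                 # version v3, serial 1
           + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
           + name(issuer_cn)
           + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
           + name(subject_cn))
    return der(0x30, der(0x30, tbs))


def fake_blob(cert):
    # property 3 (SHA-1 hash, zeroed here) followed by property 32 (the certificate)
    return (struct.pack("<III", 3, 1, 20) + bytes(20)
            + struct.pack("<III", CERT_CERT_PROP_ID, 1, len(cert)) + cert)


GOOD_BLOB = fake_blob(fake_cert("Contoso Issuing CA", "host1.contoso.example"))
# a device whose *subject* merely mentions the CA name: hex search says yes, the parser says no
DECOY_BLOB = fake_blob(fake_cert("Some Other CA", "Contoso Issuing CA Test Box"))

if __name__ == "__main__":
    for label, blob in (("good", GOOD_BLOB), ("decoy", DECOY_BLOB)):
        print(label, "issuer:", issuer_of(extract_der_cert(blob)),
              "issued_by:", issued_by(blob, "Contoso Issuing CA"),
              "hex_search:", hex_search(blob, "Contoso Issuing CA"))
```

The decoy is the point: `hex_search` is true for both blobs because the CA's name also appears in the decoy's subject (it would equally match a cert for a server called `Contoso Issuing CA Test Box`, or the CA's own self-signed cert, or a UTF-16 or UTF8String encoding that happens to contain the bytes), while `issued_by` is only true for the blob whose issuer CN matches. This is what makes the hex approach useful at most for a rough audit count, and why a real posture check has to compare the issuer from the decoded certificate.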