11-06-2018 08:02 AM
Our customer is not yet using certificates for ISE authentication and is in the process of deploying CA and PKI services to enable certificate enrollment. They want to audit the population of devices that still don't have a certificate before enabling certificate-based authentication. They want to see if they can use an ISE posture condition in audit mode to collect statistics on this.
Is it possible to create a posture condition in ISE to query the cert store on Windows to identify if a cert has been issued by a specific, user-defined CA?
11-06-2018 08:57 AM
Hi,
Create a registry condition with the following path for the machine certificate:
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificate with the required key as mentioned in this link: https://docs.microsoft.com/en-us/windows/desktop/seccrypto/system-store-locations
-Aravind
11-07-2018 08:23 PM
Thanks for the thought, Aravind. I checked the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\<MY | Root | Trust | CA> and each certificate appears as a Blob. They're also different from machine to machine. I'm not sure this will work as I don't see how to get the CA from a Blob and into ISE.
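The audit the original poster describes can be done outside ISE with the Windows certificate provider, which decodes the registry blobs for you. The script below is an added example (not from this thread, not Cisco or Microsoft code) that lists every certificate in the LocalMachine store whose issuer matches a given CA name and reports whether it is currently valid. The issuer string `CN=EXAMPLE-ISSUING-CA` is a placeholder you would replace with the customer's CA; the store name and the registry path it prints are assumptions about where the matching blob lives.

```powershell
# Added example (not from the thread): audit the Windows machine store for
# certificates issued by a specific CA. The issuer match string is a placeholder.
param(
    # Substring of the issuing CA's distinguished name to look for (placeholder value).
    [string]$IssuerMatch = 'CN=EXAMPLE-ISSUING-CA',
    # Store to audit: 'My' holds the machine's own certificates; 'Root' and 'CA'
    # hold trusted CA certificates, which is not what the audit is after.
    [string]$StoreName = 'My'
)

function Get-CertsFromIssuer {
    param(
        [Parameter(Mandatory)][string]$IssuerMatch,
        [string]$StoreName = 'My'
    )
    $now = Get-Date
    # The Cert: drive decodes the same blobs that sit under
    # HKLM\SOFTWARE\Microsoft\SystemCertificates\<store>\Certificates\<thumbprint>.
    Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
        ForEach-Object {
            [pscustomobject]@{
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A cert that exists but is expired or not yet valid should not count.
                Valid         = ($_.NotBefore -le $now -and $_.NotAfter -gt $now)
                HasPrivateKey = $_.HasPrivateKey
                # Registry key the blob lives under; the subkey name is the thumbprint,
                # which is why it differs from machine to machine.
                RegistryKey   = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$StoreName\Certificates\$($_.Thumbprint)"
            }
        }
}

$found = @(Get-CertsFromIssuer -IssuerMatch $IssuerMatch -StoreName $StoreName)
$valid = @($found | Where-Object { $_.Valid -and $_.HasPrivateKey })

if ($valid.Count -eq 0) {
    # Non-zero exit code lets a deployment tool or startup script tally this host
    # as "not yet enrolled" without parsing the output.
    Write-Output "$env:COMPUTERNAME : no valid certificate with private key from '$IssuerMatch' in LocalMachine\$StoreName"
    exit 1
}

Write-Output "$env:COMPUTERNAME : $($valid.Count) valid certificate(s) from '$IssuerMatch'"
$found | Format-Table Subject, Thumbprint, NotAfter, Valid, HasPrivateKey -AutoSize
exit 0
```

Run it as a startup script or through the existing software-deployment tool and collect the exit codes to get the population count before switching on certificate-based authentication. The `RegistryKey` column also explains the observation in the previous reply: the subkey under `SystemCertificates\MY\Certificates` is named by the certificate's thumbprint, so the path is unique per machine and cannot be pinned in a static ISE registry condition. A registry condition can only check a fixed path, so the one thing it could test reliably is the CA certificate's own thumbprint under the `Root` or `CA` store, which tells you the CA is trusted on the host, not that the host has been issued a certificate.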
11-07-2018 09:44 PM