Showing results for 
Search instead for 
Did you mean: 

certificate usage for client authentication

Cisco Employee
Cisco Employee

Environment will have a publicly signed certificate installed on ISE as system certificate for EAP and portal use.  In addition ISE is authenticating client devices via EAP-TLS using certificates signed by private a CA on company network.  Need to make sure that only certificates signed by the internal CA are authenticated and not any certificates signed by the same public CA.  Is it only trusted certificates that have Usage: "trust for client authetication and syslog" that are used for EAP-TLS client authentication?  Need to make sure that the system certificate used for EAP and other trusted certificates are not used by ISE for client certificate authentication.


3 Replies 3

Cisco Employee
Cisco Employee

I have come across this kind of scenario before where we made use of a differentiating parameter (SAN) in the certificate template and referred the condition in authorization policies.

In your case if a client comes with a certificate signed by the public CA it should also match the condition for the parameter in the authorization profile. Since you own the internal CA you can come with a unique identifier and prevent clients presenting certificates signed by public CAs.

Thanks Utkarsh

I guess my question is are authorization policies necessary in this case?  Will the Usage: "trust for client authetication and syslog" setting on the trusted certificate limit EAP-TLS authentication to only certificates signed by that trusted root?

Cisco Employee
Cisco Employee

Yes, the trust option [ trust for client authentication and syslog ] is a pre-requisit for the root CA certificate used for EAP-TLS client authentications.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: