Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
780
Views
0
Helpful
3
Replies

Cisco ISE as certificate manager.

Go to solution
vstoyanov
Level 1
Level 1

‎11-06-2019 12:52 AM

Hello, can i use Cisco ISE as certificate manager in my network?

I need to install self-signed certificates from multiple not ise servers on user devices when they connecting to network. 

Can i do it with ISE? If it possible can somebody share link how to do it ?

Thanks



0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎11-06-2019 02:26 AM

You want to use ISE as an MDM or Group Policy type of system?  That's not possible as far as I know.

 

Not sure why you want to do what you're describing. Installing self-signed certificates on end devices? What are these devices and what do they use the certificates for?

 

By using the BYOD onboarding tools in ISE you can push certs and profiles to devices, but those certs are created either by ISE itself (Internal CA) or via a SCEP Proxy function to another CA. The SCEP enrollment is performed on the end devices during BYOD and this means that you cannot use ISE to unconditionally push certificates onto a device.

ISE does have a Certificate Self Service Portal option to allow you to create certs using ISE's Internal CA, and then the user can download the cert (and private key) and install that on a target device. But that would be a manual download and install.  As far as I know, you can email a certificate to an iPhone and the phone will prompt you to install it. Not sure if that also works for a private key - I kind of doubt it.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Arne Bier
VIP
VIP

‎11-06-2019 02:26 AM

You want to use ISE as an MDM or Group Policy type of system?  That's not possible as far as I know.

 

Not sure why you want to do what you're describing. Installing self-signed certificates on end devices? What are these devices and what do they use the certificates for?

 

By using the BYOD onboarding tools in ISE you can push certs and profiles to devices, but those certs are created either by ISE itself (Internal CA) or via a SCEP Proxy function to another CA. The SCEP enrollment is performed on the end devices during BYOD and this means that you cannot use ISE to unconditionally push certificates onto a device.

ISE does have a Certificate Self Service Portal option to allow you to create certs using ISE's Internal CA, and then the user can download the cert (and private key) and install that on a target device. But that would be a manual download and install.  As far as I know, you can email a certificate to an iPhone and the phone will prompt you to install it. Not sure if that also works for a private key - I kind of doubt it.

0 Helpful

Go to solution
vstoyanov
Level 1
Level 1
In response to Arne Bier

‎11-06-2019 02:35 AM

Yeah, something around mdm. But due to policies some devices can not be enrolled into MDM.  

I want do remove message from web browsers that my internal sites have untrusted certificates. I m trying to create self signed certificate like i am CA and set this devices to trust this certificate automatically. I thought it can be automated by ise. 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to vstoyanov

‎11-06-2019 03:34 AM

These are separate things

ISE can be a CA to deploy certificates for endpoints to authenticate to the network with using dot1x and EAP-TLS. Ise trust these certs as it is the CA for this communication. The client also trusts ise as it should have a well known root for this process

ISE needs a well known certificate on the PSN so that when a client communicates with any services it doesn’t display an unknown certificate warning of non-trust. This is mainly for byod guest

ISE cannot push out a certificate chain to a client so that it trusts ISE. This is a role of a group policy server . You can have your own PKI through Microsoft internally for example. The certificate chain would be shared with all your domain machines so that when your clients try to access the admin sponsor or my devices portal they trust ise as it has a cert internally from corporate pki and trusts the internal chain

You would not use this for clients trying to access guest or byod portals as they are likely not domain machines in your control. This would be against best practices and hard to manage as well

Ise certificates guide
https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents