02-07-2024 12:47 AM
Hi,
I'm new to Cisco ISE and I'm trying to get my head around how it all works.
Can I ask, how do you know which certificate in ISE a computer will authenticate against?
I'm setting up ISE to use EAP-TLS using a trusted root certificate and I have the certificate chain uploaded to ISE but I'm just wondering how you actually say to ISE, I want you to use this certificate that is coming from the computer/end user machine?
thanks
02-07-2024 12:56 AM
@alliasneo1 it's the "EAP Authentication" certificate within ISE that is used for client (user/machine) authentication. When you specify the usage you can use the same certificate for different roles or unique certificates.
FYI, here is the ISE certificates guide - https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897
02-07-2024 01:29 AM
Hi Rob,
Thanks for the reply. So because I have EAP Authentication ticked under the usage for this one it uses that one?
02-07-2024 01:44 AM
Not from here, the one you shared is to tell ISE to present that cert when it negotiates EAP authentication with the endpoints. However, if you look at the trusted certificates store in ISE, and you select the root or intermediate CA certificate which would be the issuer of the endpoints' certificates, you would see that there is an option selected which is called "Trust for client authentication and Syslog". That is where you tell ISE to trust the endpoints' certificates that would be issued by that root or intermediate CA, and to use that cert for EAP authentication. Please note that the cert you define on ISE to be used for EAP authentication (an example in the screenshot you shared) doesn't necessarily need to be issued by the same issuer as the endpoints' certificates. However, it is a common and best practice to have that cert, alongside the endpoints' certs, issued by the same PKI.
02-07-2024 02:32 AM
I have gone into the Trusted Certificates Store and I can see the Root Cert and that is indeed ticked for 'Trust for Client Authentication and Syslog', so this is the one that the clients are using to authenticate against?
A little confused though, as I thought the one I shared above which negotiates EAP authentication with the endpoints is what the clients used? Are you saying there is one certificate for EAP authentication and then another using the root certificate?
02-07-2024 03:33 AM
@alliasneo1 the certificate you shared in use for "EAP Authentication" (and others) is what ISE presents to the clients when they connect, the clients need to trust this CA.
You will have to determine what user/machine certificate the clients have and what CA issued their certificates.
02-07-2024 03:37 AM
The one you shared is the one that ISE will present to the clients; the clients need to trust that cert, and they trust it by having the issuer or the root CA certificate imported into them. That is one part; the second part is that ISE also needs to trust the certificates that will be presented by the clients. ISE does that by looking at the issuer or the root CA certificate of the clients' certificates that has been imported into its trusted certificates container; that certificate must have the "Trust for client authentication" option ticked so ISE can use it to trust the clients when they do EAP authentication.
For instance, say you have two PKIs in your environment, one issued the certificates for the clients, and another issued the identity certificate for ISE. In this case, ISE needs to have the root CA certificate imported into its trusted certificate store and have "Trust for client authentication" ticked to trust the certificates that will be presented by the clients when they try to establish the secure channel during the EAP authentication.
However, the clients also need to trust the certificate that ISE will be presenting, which is the one you chose to be associated to EAP usage in ISE, the one you shared in the screenshot. In the end, ISE uses that certificate to present its identity, and the clients use their certificates to present their identity.