1073 Views, 2 Helpful, 11 Replies

Deploy certificates to endpoints with ISE Internal CA

DannyDulin
Level 1

Ultimately we want to use AuthC via certificates for our FTD RAVPN users.

We want to be able to use ISE's Internal CA to issue those certificates to endpoints.

I can't seem to find documentation how to issue the certificates.

I know how to setup a RAVPN Connection profile/Tunnel-group to use certificates only for AuthC, but I don't know how to issue the certificates that will be used for authentication.

Any help will be greatly appreciated.


11 Replies

Thank you for the link. However, I don't want to use Windows Server as the Root CA. I want to use ISE as the Root CA.

Is the ISE Internal CA capable of issuing client certificates?


Yes, sure it can. @Arne Bier answered you with a good link.

Good luck, friend.

Have a nice day.

MHM

Yes - by default the internal ISE CA has the following structure:

Root CA
  -> Node CA 1
      --> Sub CA 1
  -> Node CA 2
      --> Sub CA 2

There can be only one Root CA. It's created (self-signed, valid for 10 years) when you build your first ISE node (PAN).

The first PAN also gets a Node CA (signed by the Root).

Then the secondary PAN also gets a Node CA (signed by Root). Each Sub CA has its own Issuing CA (which ISE calls the Sub CA). 

Client certs are created by those Sub-CAs.

You can also run an OCSP responder on your ISE nodes that checks revocation of your internally created certs.

Arne Bier
VIP

Hi @DannyDulin 

You need the ISE Certificate Provisioning Portal. Explained in this nice link here.

It's a manual process - an admin can log into the portal and paste a CSR for multiple users. The end result is a certificate you can use on your client devices.

Alternatively, you can set it up so that when an ordinary user logs into the Portal, they can provision their own certificates (but only for themselves).

THIS IS WHAT I HAVE BEEN LOOKING FOR ALL DAY LONG!!!

Thank you so much Arne! No wonder you're a VIP. I want to be like you when I grow up!!!


I only know what I know. But thanks 

Greg Gibbs
Cisco Employee

You have not found any documentation on this use case because it is not a supported one. The ISE Internal CA is only designed/supported for enrolling user certificates related to the BYOD use case (as well as some limited pxGrid use cases).

The cert-based VPN use case you are looking at would typically be facilitated using an Enterprise CA like Active Directory Certificate Services (AD CS).

Thanks Greg for that affirmation.

I only wanted to use the ISE Internal CA for RAVPN to conduct a proof of concept. We wanted to demonstrate the concept of certificate-based AuthC to leadership and get their buy-in before putting forth the effort to set up a full-blown Enterprise CA. However, I have not been able to get even the proof of concept to work. I keep getting a certificate validation error.

Question: Even if we setup an internal CA, do we have to sign the FTD identity cert with the same CA we sign the client certs?

Do you have a good link for Cert based AuthC with FTD?

@DannyDulin , it would be best to have the same CA sign the FTD identity certificate and the client certs as the chain of trust would not be an issue. You might be able to use different CAs, but you would have to ensure that both the Firepower and ISE trust stores have both chains.

I haven't found a single reference for the entire use case, but I pieced it together using a couple of different references when setting it up in my lab.

Configure AnyConnect Remote Access VPN on FTD 

Configure VPN User Authentication via Client Certificate and AAA Server 
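The CA layout Arne describes above (Root CA -> Node CA -> Sub CA -> client cert) and Greg's chain-of-trust point, as an added lab example that is not from this thread, from Cisco, or from ISE itself: it uses OpenSSL to build one branch of that hierarchy, signs a client CSR of the kind the Certificate Provisioning Portal accepts, and then shows that a peer whose trust store holds only the root cannot validate the client certificate until the intermediates are either added to the store or presented by the peer. Every subject name, file name and the 365-day lifetime are invented for the lab; the script needs only a POSIX sh and `openssl` on PATH.

```shell
#!/bin/sh
# Added lab example (not code from the thread or from Cisco): a three-tier
# hierarchy mirroring the ISE internal CA layout (Root CA -> Node CA -> Sub CA),
# a client CSR signed by the Sub CA, and verification of the client certificate
# against a root-only trust store and a full-chain trust store.
# Every name, subject and path below is invented for the lab.
set -e
WORK="${WORK:-$(mktemp -d)}"
DAYS=365

# Self-contained OpenSSL config so nothing depends on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ client_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# new_key NAME: unencrypted RSA key at $WORK/NAME.key
new_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null; }

# make_root NAME SUBJECT: the single self-signed Root CA (ISE creates one on the PAN)
make_root() {
  new_key "$1"
  openssl req -x509 -new -key "$WORK/$1.key" -subj "$2" -days "$DAYS" \
    -config "$WORK/openssl.cnf" -extensions ca_ext -out "$WORK/$1.crt" 2>/dev/null
}

# make_csr NAME SUBJECT: a CSR, the artefact an admin pastes into the
# Certificate Provisioning Portal; here it is produced locally for the lab
make_csr() {
  new_key "$1"
  openssl req -new -key "$WORK/$1.key" -subj "$2" \
    -config "$WORK/openssl.cnf" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXT_SECTION: sign $WORK/NAME.csr with ISSUER's key
# (ca_ext for Node CA / Sub CA, client_ext for end-entity certificates)
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days "$DAYS" -extfile "$WORK/openssl.cnf" -extensions "$3" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Root CA -> Node CA -> Sub CA -> client cert: one branch of the ISE tree
build_hierarchy() {
  make_root root "/CN=Lab Root CA"
  make_csr node "/CN=Lab Node CA";       sign node root ca_ext
  make_csr sub "/CN=Lab Sub CA";         sign sub node ca_ext
  make_csr alice "/CN=alice@lab.test";   sign alice sub client_ext
}

# trust_root_only / trust_full_chain: write a trust bundle and print its path.
# The first models a peer that imported only the root; the second models a
# trust store holding the whole chain, which is what the reply recommends.
trust_root_only() { cat "$WORK/root.crt" > "$WORK/trust-root-only.pem"; echo "$WORK/trust-root-only.pem"; }
trust_full_chain() {
  cat "$WORK/root.crt" "$WORK/node.crt" "$WORK/sub.crt" > "$WORK/trust-full.pem"
  echo "$WORK/trust-full.pem"
}

# verify_with BUNDLE CERT: exit 0 only if CERT chains to a root in BUNDLE
verify_with() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# verify_with_peer_chain: the other way to satisfy a root-only store is for the
# peer to present the intermediates itself (-untrusted), which only happens if
# the intermediates were installed on the client alongside its certificate
verify_with_peer_chain() {
  cat "$WORK/node.crt" "$WORK/sub.crt" > "$WORK/peer-chain.pem"
  openssl verify -CAfile "$(trust_root_only)" -untrusted "$WORK/peer-chain.pem" \
    "$WORK/alice.crt" >/dev/null 2>&1
}

# show_chain: print subject and issuer of each certificate, leaf first
show_chain() {
  for n in alice sub node root; do
    openssl x509 -in "$WORK/$n.crt" -noout -subject -issuer
  done
}

build_hierarchy
show_chain
verify_with "$(trust_root_only)" "$WORK/alice.crt" \
  || echo "root-only store: FAILED, no intermediates available to build the chain"
verify_with "$(trust_full_chain)" "$WORK/alice.crt" && echo "full-chain store: verified"
verify_with_peer_chain && echo "root-only store + peer-sent intermediates: verified"
```

The two failure modes are the ones this thread circles around: a trust store that holds the root but not the Node CA and Sub CA certificates produces exactly the kind of certificate validation error mentioned above, and it is cleared either by importing the intermediates into the store or by making sure the client presents them. Set `WORK` to keep the generated files somewhere other than a temporary directory.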

Thank you Greg. This was extremely helpful.