Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
653
Views
2
Helpful
11
Replies

Deploy certificates to endpoints with ISE Internal CA

Go to solution
DannyDulin
Level 1
Level 1

‎01-31-2024 01:43 PM

Ultimately we want to use AuthC via certificates for our FTD RAVPN users.

We want to be able to use ISE's Internal CA to issue those certificates to endpoints.

I can't seem to find documentation how to issue the certificates.

I know how to setup a RAVPN Connection profile/Tunnel-group to use certificates only for AuthC, but I don't know how to issue the certificates that will be used for authentication.

Any help will be greatly appreciated.

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎01-31-2024 02:03 PM

Hi @DannyDulin 

You need the ISE Certificate Provisioning Portal. Explained in this nice link here.

it's a manual process - an admin can log into the portal and paste a CSR for multiple users. The end result is a certificate you can use on your client devices.  

Alternatively, you can set it up so that when an ordinary user logs into the Portal, they can provision their own certificates (but only for themselves).

View solution in original post

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to DannyDulin

‎02-19-2024 02:58 PM

@DannyDulin , it would be best to have the same CA sign the FTD identity certificate and the client certs as the chain of trust would not be an issue. You might be able to use different CAs, but you would have to ensure that both the Firepower and ISE trust stores have both chains.

I haven't found a single reference for the entire use case, but I pieced it together using a couple of different references when setting it up in my lab.

Configure AnyConnect Remote Access VPN on FTD 

Configure VPN User Authentication via Client Certificate and AAA Server 

View solution in original post

0 Helpful
11 Replies 11

Go to solution
DannyDulin
Level 1
Level 1
In response to MHM Cisco World

‎01-31-2024 02:03 PM

Thank you for the link. However, I don't want to use Windows Server as the Root CA. I want to use ISE as the Root CA.

Is the ISE Internal CA capable of issuing client certificates?

 

Go to solution
MHM Cisco World
VIP
VIP
In response to DannyDulin

‎01-31-2024 02:14 PM

Yes sure it can' @Arne Bier answer you with good link 

Goodluck friend 

Have  a nice  day 

MHM

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to DannyDulin

‎01-31-2024 02:16 PM

Yes - by default the internal ISE CA has the following structure:

Root CA
  -> Node CA 1
      --> Sub CA 1
  -> Node CA 2
     --> Sub CA 2

There can be only one Root CA. It's created (self-signed, valid for 10 years) when you build your first ISE node (PAN).

The first PAN also gets a Node CA (signed by the Root).

Then the secondary PAN also gets a Node CA (signed by Root). Each Sub CA has its own Issuing CA (which ISE calls the Sub CA). 

Client certs are created by those Sub-CAs.

You can also run an OCSP responder on your ISE nodes that check revocation of your internally created certs

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎01-31-2024 02:03 PM

Hi @DannyDulin 

You need the ISE Certificate Provisioning Portal. Explained in this nice link here.

it's a manual process - an admin can log into the portal and paste a CSR for multiple users. The end result is a certificate you can use on your client devices.  

Alternatively, you can set it up so that when an ordinary user logs into the Portal, they can provision their own certificates (but only for themselves).

Go to solution
DannyDulin
Level 1
Level 1
In response to Arne Bier

‎01-31-2024 02:08 PM

THIS IS WHAT I HAVE BEEN LOOKING FOR ALL DAY LONG!!!

Thank you so much Arne! No wonder you're a VIP. I want to be like you when I grow up!!!

 

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to DannyDulin

‎01-31-2024 02:17 PM

I only know what I know. But thanks 

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎02-01-2024 02:28 PM

You have not found any documentation on this use case because it is not a supported one. The ISE Internal CA is only designed/supported for enrolling user certificates related to the BYOD use case (as well as some limited pxGrid use cases).

The cert-based VPN use case you are looking at would typically be facilitated using an Enterprise CA like Active Directory Certificate Services (AD CS).

0 Helpful

Go to solution
DannyDulin
Level 1
Level 1
In response to Greg Gibbs

‎02-19-2024 05:20 AM

Thanks Greg for that affirmation.

I only wanted to use the ISE Internal CA for RAVPN to conduct a proof of concept. We wanted demonstrate the concept of certificate based AuthC to leadership and get their buy in before putting forth the effort to setup a full blown Enterprise CA. However, I have not been able to get even the proof of concept to work. I keep getting a certicate validation error.

Question: Even if we setup an internal CA, do we have to sign the FTD identity cert with the same CA we sign the client certs?

Do you have a good link for Cert based AuthC with FTD?

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to DannyDulin

‎02-19-2024 02:58 PM

@DannyDulin , it would be best to have the same CA sign the FTD identity certificate and the client certs as the chain of trust would not be an issue. You might be able to use different CAs, but you would have to ensure that both the Firepower and ISE trust stores have both chains.

I haven't found a single reference for the entire use case, but I pieced it together using a couple of different references when setting it up in my lab.

Configure AnyConnect Remote Access VPN on FTD 

Configure VPN User Authentication via Client Certificate and AAA Server 

0 Helpful

Go to solution
DannyDulin
Level 1
Level 1
In response to Greg Gibbs

‎02-21-2024 06:32 AM

Thank you Greg. This was extremely helpful.

0 Helpful
Customers Also Viewed These Support Documents