Do we support "Certificate Policies" with ISE?

rmueller@cisco.com
Cisco Employee

Hi all,

partner is asking if we support "Certificate Policies" with ISE according to RFC 5280:

4.2.1.4. Certificate Policies

   The certificate policies extension contains a sequence of one or more
   policy information terms, each of which consists of an object
   identifier (OID) and optional qualifiers. Optional qualifiers, which
   MAY be present, are not expected to change the definition of the
   policy. A certificate policy OID MUST NOT appear more than once in a
   certificate policies extension.

   In an end entity certificate, these policy information terms indicate
   the policy under which the certificate has been issued and the
   purposes for which the certificate may be used. In a CA certificate,
   these policy information terms limit the set of policies for
   certification paths that include this certificate. When a CA does
   not wish to limit the set of policies for certification paths that
   include this certificate, it MAY assert the special policy anyPolicy,
   with a value of { 2 5 29 32 0 }.

Thanks in advance

Roland

4 Replies

Aaron Woland
Cisco Employee

Roland,

I assume you are referring to ISE as a certificate authority (someone issuing & signing certificates for use on endpoints), and not asking about ISE authenticating a certificate that is being sent as a credential for network access.

If yes, you are referring to the ISE as a CA use-case, THEN:

We do support them, but they are hard-coded into our pre-built certificate templates.  You cannot pick/choose your own certificate policies.  The endpoint certificate will have a policy already there, for an OID specifying an end-entity certificate for client authentication use-case.

The newer pxGrid certificate template coming in ISE 2.1 will have both Client and Server use-cases specified.

ELSEIF you are referring to ISE as a certificate authenticator and validator for network access, THEN

Yes, we support validating the certificate & it is configured with the "Validate Certificate Extensions" option when importing the trusted signer certificate into the Trusted Certificates store in ISE.

-Aaron

Hi Aaron,

thanks for the quick response. It's the latter one (ISE as cert authenticator). I will ask the partner SE if this is what they want, but I believe they want to have this within the auth policy (e.g. if extension is xyz then permit access, else deny access; for example they want to code a certificate in a way that it can only be allowed for certain SSIDs).

Roland
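As an added example (not from this thread, and not ISE code), here is a small Python parser for the certificatePolicies extension value described in the RFC excerpt above, with the kind of exact-OID match the "if extension is xyz then permit" rule would need. It assumes short-form DER lengths; the policy OID 1.3.6.1.4.1.99999.1 and the CPS URL are constructed placeholders.

```python
ANY_POLICY = "2.5.29.32.0"   # { 2 5 29 32 0 } from RFC 5280 section 4.2.1.4

def _tlv(tag, body):         # minimal DER writer (short-form length, < 128 bytes)
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):      # dotted string -> DER OBJECT IDENTIFIER
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:     # base-128 groups, high bit set on all but the last
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return _tlv(0x06, bytes(out))

def decode_oid(body):        # DER OBJECT IDENTIFIER contents -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf, pos):     # short-form length only -> (tag, body, next position)
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_certificate_policies(der):
    """Policy OIDs in a certificatePolicies value, in order; qualifiers are skipped."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30       # SEQUENCE OF PolicyInformation
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)          # one PolicyInformation
        tag, oid_body, _ = _read_tlv(info, 0)       # policyIdentifier comes first
        assert tag == 0x06
        oids.append(decode_oid(oid_body))
    return oids

def has_policy(der, required_oid):
    """Exact-OID match; a repeated OID (forbidden by RFC 5280) never matches, anyPolicy is no wildcard."""
    oids = parse_certificate_policies(der)
    return len(set(oids)) == len(oids) and required_oid in oids

# Constructed sample: anyPolicy + a placeholder private-arc OID (not a real assignment) with a CPS-URI qualifier (id-qt-cps).
SAMPLE_POLICY = "1.3.6.1.4.1.99999.1"
CPS = _tlv(0x30, encode_oid("1.3.6.1.5.5.7.2.1") + _tlv(0x16, b"http://cps.example.invalid/"))
SAMPLE_EXT = _tlv(0x30, _tlv(0x30, encode_oid(ANY_POLICY)) + _tlv(0x30, encode_oid(SAMPLE_POLICY) + _tlv(0x30, CPS)))
DUPLICATE_EXT = _tlv(0x30, _tlv(0x30, encode_oid(SAMPLE_POLICY)) * 2)
```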

Last I heard, "Certificate Policies" was about how it affects certificates issued by a CA -- Creating Certificate Policies and Certificate Practice Statements

ISE supports EKU name and OID as conditions for authorization.


I think he is referring to when you generate a CSR on ISE: there is a field called Certificate Policies, a free-form text field, and we would have expected you to comment on how to format that field.

Prakash
