2233 Views, 6 Helpful, 21 Replies

Dot1x User Authentication with Certificates

Dkiptoo
Level 2

Hello, we have ISE as our AAA server and it is configured to authenticate network users using user certificates issued by our local CA server. Successfully authenticated users, which are AD users, are placed on the Corps VLAN; otherwise they go to the guest VLAN. I have had an issue lately: the certificates for some of the users expired and those users are now on the guest VLAN. The problem is that I cannot renew the certificates directly from the client, as the clients cannot reach the CA because they are on the guest VLAN. I get an error that it cannot reach the server. How do I go about such an issue? How do I renew the certificates for the other users? Thank you.

21 Replies

Hi @Dkiptoo 

There are two steps if you want to use ISE to renew an expired cert:

1- Allow expired certificates in the Allowed Protocols <<- this is done 

2- Add an authz policy with the condition:

 

Attribute: Certificate Status

Condition: Equals

Value: Expired

You are missing step 2, so the session matches the guest authz policy instead.

Add it and everything will work.

MHM
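The two steps in the reply above, modelled as an added Python example (this is not ISE code and not from the original thread; all data is constructed). Step 1 is the Allowed Protocols setting that lets an EAP-TLS authentication with an expired certificate continue instead of being rejected; step 2 is an authorization rule on Certificate Status EQUALS Expired placed above the guest/default rule. The rule names (Corp-Users, Cert-Expired-Renew, Default), the VLAN names (Corp, Guest) and the ad_member attribute are assumptions for illustration. The model shows why step 1 alone leaves an expired user on the guest VLAN, and also the ordering pitfall where the Expired rule is unreachable if it sits below the catch-all rule.

```python
"""Added example: model of 'allow expired certs' (step 1) plus an authz rule
on Certificate Status EQUALS Expired (step 2). Constructed data, not ISE code.
Rule names, VLAN names and the ad_member attribute are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ClientCert:
    """Constructed stand-in for what ISE sees from an EAP-TLS client certificate."""
    subject_cn: str
    not_after: datetime
    ad_member: bool  # identity in the cert resolved to an AD user (assumed attribute)


def certificate_status(cert: ClientCert, now: datetime) -> str:
    """Model of the ISE 'Certificate Status' attribute; only Valid and Expired are modelled."""
    return "Expired" if now > cert.not_after else "Valid"


def authenticate(cert: ClientCert, now: datetime, allow_expired: bool) -> Optional[str]:
    """Step 1. Returns the certificate status if authentication continues, None if rejected."""
    status = certificate_status(cert, now)
    if status == "Expired" and not allow_expired:
        return None
    return status


# (rule name, condition over (cert, certificate status), VLAN to assign)
Rule = Tuple[str, Callable[[ClientCert, str], bool], str]


def build_authz_rules(include_expired_rule: bool, below_default: bool = False) -> List[Rule]:
    """Ordered authorization rules; evaluated top-down, first match wins."""
    rules: List[Rule] = [("Corp-Users", lambda c, s: s == "Valid" and c.ad_member, "Corp")]
    # Step 2: Certificate Status EQUALS Expired -> Corp VLAN so the client can reach the CA and renew.
    expired_rule: Rule = ("Cert-Expired-Renew", lambda c, s: s == "Expired", "Corp")
    if include_expired_rule and not below_default:
        rules.append(expired_rule)
    rules.append(("Default", lambda c, s: True, "Guest"))  # catch-all
    if include_expired_rule and below_default:
        rules.append(expired_rule)  # misplaced: nothing below the catch-all can ever match
    return rules


def unreachable_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that sit below the catch-all 'Default' rule and therefore never match."""
    names = [name for name, _, _ in rules]
    return names[names.index("Default") + 1:] if "Default" in names else []


def authorize(cert: ClientCert, status: str, rules: List[Rule]) -> Tuple[str, str]:
    for name, condition, vlan in rules:
        if condition(cert, status):
            return name, vlan
    raise RuntimeError("rule set has no catch-all rule")


def place_user(cert: ClientCert, now: datetime, allow_expired: bool,
               include_expired_rule: bool, below_default: bool = False) -> Tuple[str, Optional[str]]:
    """Full flow: authentication (step 1) then authorization (step 2)."""
    status = authenticate(cert, now, allow_expired)
    if status is None:
        return "Rejected", None
    return authorize(cert, status, build_authz_rules(include_expired_rule, below_default))


def run_scenarios() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed scenarios: a valid user, and an expired user under each combination of steps."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    valid = ClientCert("alice", datetime(2025, 1, 1, tzinfo=timezone.utc), ad_member=True)
    expired = ClientCert("bob", datetime(2024, 1, 1, tzinfo=timezone.utc), ad_member=True)
    return {
        "valid_user": place_user(valid, now, True, True),
        "expired_no_steps": place_user(expired, now, False, False),
        "expired_step1_only": place_user(expired, now, True, False),  # the situation in the thread
        "expired_both_steps": place_user(expired, now, True, True),
        "expired_rule_below_default": place_user(expired, now, True, True, below_default=True),
    }


if __name__ == "__main__":
    for name, (rule, vlan) in run_scenarios().items():
        print(f"{name:28s} -> rule={rule}, vlan={vlan}")
    print("unreachable:", unreachable_rules(build_authz_rules(True, below_default=True)))
```

The "expired_step1_only" scenario is the thread's symptom: authentication succeeds because expired certificates are allowed, but no authorization rule matches an Expired status, so the session falls through to the guest rule. In ISE, check the rule order in the Live Logs detail as well: the Expired rule must be evaluated before the catch-all.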

 

 

I have tried the first option but still no cert renewal requests or new renewals are reaching the CA. 

These are not options, they are steps.

You need both steps.


@Dkiptoo wrote:

I have tried the first option but still no cert renewal requests or new renewals are reaching the CA. 


@Dkiptoo if you modified the ISE to allow expired certificates, are the clients with expired certificates authenticated now and can they access the network?

If they have network access, then the latest problem doesn't seem like an ISE problem. Has the client received the GPO with the correct settings to renew the certificates? Refresh the GPO on the client computers if need be. Have you tried manually renewing certificates to see if that works? If it does, that would imply a problem with the GPO settings.

 

I did modify ISE to allow expired certs to be renewed. The clients are authenticated, but because they don't have valid certs, they are placed on the guest VLAN. I have double-checked the GPO policy from AD and everything seems fine. Currently the clients on the guest VLAN can't access the CA, as it is on the Corp network on a different VLAN, so trying to request a cert manually fails.

@Dkiptoo It seems like you haven't allowed the devices with expired certificates to be authenticated and placed in the correct VLAN, which is why they still cannot communicate with the CA to authenticate.

What have you actually configured? Provide screenshots of your rules and the ISE logs of these devices.

The alternative option is to MAB those devices and provide temporary access to renew the certificates. Once they have the certificate, they would authenticate using certificates again.

Share the live log details.

Include the steps.

Include the authc.

Include the authz.

Let us check.

MHM