Endpoint Certificate Renewal

Joshuskarki
Level 1

If your organization is a complete (LAN/WLAN/VPN) TLS authentication environment, then how are you renewing endpoint certificates when a user comes to the network with his expired certificate? What is the industry standard, or a proactive setup you have in your environment, to address such a problem? We are now in the process of an EAP-TLS rollout for both LAN and WLAN globally, on ISE 2.3. Endpoint certificate renewal is one of the challenges we are looking into right now, and I wonder how you guys manage it.


Thanks,

Josh


It depends on what method you use for enrollment and on your CA server. For example, in VPN you can use SCEP Proxy enrollment. With MS CA you can auto-enroll the certificates 30 days before expiry. For expired users, they will auto-renew on the next connect.

Thanks for your reply Mohammed. We have certificate auto-renewal set up for users who are on the network before their certificate validity expires. AD with GPO policy renews the Windows cert automatically, and JSS forces it for Macs. The issue I am trying to fix is for those users who would come to the network with their expired certificate, especially users doing dot1x EAP-TLS authentication. How do we let those users connect to our PKI infrastructure, renew the cert from there, and allow them to connect back to the corp network?


A few options I am thinking of are:

1. SCEP proxy is a good option for VPN and WiFi - thanks for that.

2. A new VPN profile that allows users to reach the PKI infra - not a proactive solution.

3. On ISE, update the allowed protocols configuration with "Allow Authentication of expired certificates to allow certificate renewal in Authorization Policy" - this may not work for Windows computers.

4. A separate VLAN/SSID, which is equivalent to the separate VPN profile in number 2 above.


- Josh 

Hi,

Option 3 will work for BYOD. It won't work for dot1x users. It's similar to SCEP proxy.

What you can do is this: if dot1x fails, users can connect through MAB and get a dACL that allows access to the MS CA on the SCEP/NDES ports. This way they can complete renewal automatically with the CA server. You can also push a session timeout with the dACL, 2 minutes for example, in order to reauthenticate after 2 minutes. Assuming that enrollment is successful, they will connect using dot1x on the next attempt, which should be after 2 minutes.
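As an added illustration (not code from anyone in this thread), the script below models the remediation dACL described in the reply above and evaluates sample flows against it, so you can check that a renewal-only ACL really does reach the NDES/SCEP service and nothing else. It assumes a placeholder CA address of 10.0.0.5 and that NDES is served over HTTP/HTTPS (80/443); the ACE syntax handled is the small Cisco-style subset shown (`any`, `host X`, `eq N`).

```python
import ipaddress
from dataclasses import dataclass

# Constructed remediation dACL for the MAB fallback session. 10.0.0.5 is a
# placeholder CA/NDES address; DNS and DHCP are kept so the client can resolve
# and keep its lease, everything else is denied until dot1x succeeds.
REMEDIATION_DACL = """
permit udp any any eq 53
permit udp any eq 68 any eq 67
permit tcp any host 10.0.0.5 eq 80
permit tcp any host 10.0.0.5 eq 443
deny ip any any
""".strip().splitlines()

SESSION_TIMEOUT_SECONDS = 120  # reauthenticate after 2 minutes, as in the reply

@dataclass
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

def _parse_addr(tokens):
    """Consume one address spec ('any' or 'host X'); return (matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        target = ipaddress.ip_address(tokens[1])
        return (lambda ip, t=target: ipaddress.ip_address(ip) == t), tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens}")

def _parse_port(tokens):
    """Consume an optional 'eq N' port spec; return (matcher, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        port = int(tokens[1])
        return (lambda p, n=port: p == n), tokens[2:]
    return (lambda p: True), tokens

def ace_matches(ace, flow):
    """Return the ACE action ('permit'/'deny') if the flow matches it, else None."""
    action, proto, *rest = ace.split()
    if proto not in ("ip", flow.proto):
        return None
    src_ok, rest = _parse_addr(rest)
    sport_ok, rest = _parse_addr(rest) if False else _parse_port(rest)
    dst_ok, rest = _parse_addr(rest)
    dport_ok, rest = _parse_port(rest)
    hit = src_ok(flow.src) and sport_ok(flow.sport) and dst_ok(flow.dst) and dport_ok(flow.dport)
    return action if hit else None

def evaluate(dacl, flow):
    """First-match evaluation with the implicit deny at the end of every dACL."""
    for ace in dacl:
        action = ace_matches(ace, flow)
        if action:
            return action
    return "deny"
```

Run `evaluate(REMEDIATION_DACL, Flow("tcp", "10.1.1.20", 51000, "10.0.0.5", 443))` to confirm SCEP reaches the CA, and try a corp file-share flow to confirm it is denied.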