03-11-2018 11:37 PM - edited 02-21-2020 10:48 AM
If your organization is a complete (LAN/WLAN/VPN) TLS authentication environment, then how are you renewing endpoint certificates when a user comes to the network with his expired certificate? What is the industry standard, or the proactive setup you have in your environment, to address such a problem? We are now in the process of an EAP-TLS rollout for both LAN and WLAN globally, on ISE 2.3. Endpoint certificate renewal is one of the challenges we are looking into right now, and I wonder how you guys manage it.
Thanks,
Josh
03-12-2018 12:20 AM
03-12-2018 10:20 AM
Thanks for your reply Mohammed. We have certificate auto-renewal set up for users who are on the network before their certificate validity expires. AD with GPO policy renews Windows certs automatically, and JSS forces it for Macs. The issue I am trying to fix is for those users who would come to the network with their expired certificate, especially users doing dot1x EAP-TLS authentication. How do we let those users connect to our PKI infrastructure, renew the cert from there, and allow them to connect back to the corp network?
A few options I am thinking of are:
1. SCEP proxy is a good option for VPN and WiFi - thanks for that.
2. A new VPN profile that allows users to reach the PKI infra - not a proactive solution.
3. On ISE, update the allowed protocols configuration with "Allow Authentication of expired certificates to allow certificate renewal in Authorization Policy" - this may not work for Windows computers.
4. A separate VLAN/SSID, which is equivalent to the separate VPN profile in number 2 above.
- Josh
03-12-2018 11:13 AM