How does BYOD certificate renewal work in practice?

Arne Bier
VIP

I haven't had the pleasure of deploying an ISE BYOD solution - but I am sure there are a few of you who have. I was recently asked how an ISE BYOD solution handles client certificate expiration.

Surely this would require some kind of an agent on the client? Or does ISE do a cert health check during EAP-TLS authentication? I have no clue.

- Is this customisable to allow renewal way in advance?

And what does the user experience look like (is the user aware that this is happening, and is it interactive)?

Is this supported on Windows, OSX, Android, iOS?

Much appreciate any feedback.

2 Accepted Solutions


paul
Level 10

Arne,

I avoid BYOD like the plague. I think I have been forced to do it on 1-2 of my installs only.

Check out this post:

https://community.cisco.com/t5/identity-services-engine-ise/ise-byod-handling-of-expired-or-expiring-certs/td-p/3564168

Not sure if that is still accurate, but it sounds right.


howon
Cisco Employee

The link Paul provided is still relevant. The only addition is the ability to permit expired certificates with newer ISE versions. It can be configured under 'Allowed Protocols' for any EAP type that requires an endpoint certificate. Now, certain OSes (I believe Windows) don't use certificates that have expired, so you would want to force renewal prior to expiry though.
