How to apply the pxGrid certificate from 3rd party CA

tonyang
Level 1

We're using Microsoft CA as the internal CA for EAP-TLS authentication for endpoints. We'd like to use a CSR to apply for the certificates for the pxGrid service from the Microsoft CA servers. May I ask if there are any prerequisites for it?

 


@tonyang for the pxGrid certificate, the Extended Key Usage extension in the certificate must contain the Client Authentication and Server Authentication fields. The certificate can be issued from Microsoft CA.

Example - https://integratingit.wordpress.com/2018/08/25/cisco-ise-pxgrid-integration-with-firepower/

https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_pxgrid.html

 

 

Hello Rob, thanks for your information.

If the certificates contain the Client Authentication and Server Authentication fields, is the certificate for the ISE pxGrid server? Not for the ISE pxGrid client?

 

@tonyang use the same certificate template (with the EKU Client Authentication and Server Authentication fields) to sign the CSR for the pxGrid server certificates and the pxGrid client certificates. You must not use the same certificate for Cisco ISE pxGrid server and pxGrid clients.

You can use the ISE CA to sign the pxGrid certificate.

Please take a look at the end of this post of mine to see how the pxGrid template should be configured in Microsoft CA. The pxGrid certificate requires both client and server authentication because ISE could be acting as a client if it needs to talk to other entities, or it could be acting as a responder to other entities' requests.

Integrate FMC with ISE using pxGrid | Blue Network Security

Hello Aref, thanks for your information. It's helpful to me.

You're welcome.
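
The two requirements given in the replies above (both Client Authentication and Server Authentication in the EKU, and different certificates for the pxGrid server and its clients) can be checked on the issued PEM files before they are imported. This is an added example, not part of the thread or of any Cisco tooling; it assumes the `openssl` CLI (1.1.1 or later for the sample generator), the function names are hypothetical, and `make_sample_cert` builds constructed self-signed certificates that stand in for ones issued by the Microsoft CA.

```shell
#!/bin/sh
# Added example: pre-import checks for pxGrid certificates (PEM files).
# Usage after sourcing: check_pxgrid_pair ise-pxgrid.pem pxgrid-client.pem

# Succeeds only if the Extended Key Usage lists BOTH server and client auth.
# Returns 2 if the file cannot be parsed as a certificate, 1 if an EKU is missing.
has_pxgrid_eku() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' || return 1
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' || return 1
}

# SHA-256 fingerprint, used to tell two certificates apart.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# $1 = pxGrid server certificate, $2 = pxGrid client certificate.
# Fails if either lacks the EKU pair or if both files hold the same certificate.
check_pxgrid_pair() {
    has_pxgrid_eku "$1" || { echo "FAIL: $1 lacks server+client auth EKU"; return 1; }
    has_pxgrid_eku "$2" || { echo "FAIL: $2 lacks server+client auth EKU"; return 1; }
    [ "$(cert_fp "$1")" != "$(cert_fp "$2")" ] || {
        echo "FAIL: same certificate used for pxGrid server and client"
        return 1
    }
    echo "OK: both certificates carry the EKU pair and are distinct"
}

# Constructed sample input: throwaway self-signed certificate.
# $1 = output file, $2 = subject CN, $3 = EKU list (e.g. serverAuth,clientAuth)
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "extendedKeyUsage=$3" -keyout "$1.key" -out "$1" 2>/dev/null
}
```
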