10-24-2024 12:25 AM
We're using Microsoft CA as the internal CA for EAP-TLS authentication for endpoints. We'd like to use a CSR to request the certificates for the pxGrid service from the Microsoft CA servers. May I ask if there are any prerequisites for it?
10-24-2024 12:37 AM
Check this, it may help you:
10-24-2024 12:48 AM
@tonyang for the pxGrid certificate, the Extended Key Usage extension in the certificate must contain the Client Authentication and Server Authentication fields. The certificate can be issued from Microsoft CA.
Example - https://integratingit.wordpress.com/2018/08/25/cisco-ise-pxgrid-integration-with-firepower/
10-24-2024 01:25 AM
Hello Rob, thanks for your information.
If the certificates contain the Client Authentication and Server Authentication fields, is the certificate for the ISE pxGrid server? Not for the ISE pxGrid client?
10-24-2024 01:35 AM
@tonyang use the same certificate template (with the EKU Client Authentication and Server Authentication fields) to sign the CSR for the pxGrid server certificates and the pxGrid client certificates. You must not use the same certificate for Cisco ISE pxGrid server and pxGrid clients.
You can use the ISE CA to sign the pxGrid certificate.
10-24-2024 02:17 AM
Please take a look at the end of this post of mine to see how the pxGrid template should be configured in Microsoft CA. The pxGrid certificate requires both client and server authentication because ISE could be acting as a client if it needs to talk to other entities, or it could be acting as a responder to other entities' requests.
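Added example, not part of any poster's reply: a pre-import check with the openssl CLI that a signed pxGrid certificate carries both EKU values named in this thread, and that the server and client certificates are different certificates. The function names and the throwaway self-signed sample certificates are constructed for illustration; point the checks at the PEM files issued by your CA.

```shell
# Added example: pre-import checks for pxGrid certificates (openssl CLI).

# Print the Extended Key Usage value line of a PEM certificate (empty if absent).
eku_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; print; exit }'
}

# Succeed only if the EKU lists both Server and Client Authentication.
has_pxgrid_eku() {
    eku=$(eku_of "$1")
    case $eku in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
    case $eku in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
}

# Succeed only if the two files hold different certificates (SHA-256 fingerprint).
distinct_certs() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 1
    [ "$a" != "$b" ]
}

# Constructed sample input: self-signed throwaway cert. $1=CN $2=EKU list $3=dir
make_sample_cert() {
    cat > "$3/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $1
[ext]
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$3/$1.cnf" \
        -keyout "$3/$1.key" -out "$3/$1.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert ise-pxgrid "serverAuth, clientAuth" "$demo_dir"
make_sample_cert pxgrid-client "serverAuth, clientAuth" "$demo_dir"
make_sample_cert server-only "serverAuth" "$demo_dir"
for c in ise-pxgrid pxgrid-client server-only; do
    if has_pxgrid_eku "$demo_dir/$c.pem"; then echo "$c: EKU ok"
    else echo "$c: EKU missing client or server auth"; fi
done
distinct_certs "$demo_dir/ise-pxgrid.pem" "$demo_dir/pxgrid-client.pem" &&
    echo "server and client certificates are distinct"
rm -rf "$demo_dir"
```

openssl prints the EKU OIDs under these names regardless of which CA issued the certificate, so the same check applies to certificates signed by Microsoft CA.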
10-24-2024 08:40 PM
Hello Aref, thanks for your information. It's helpful to me.
10-25-2024 01:49 AM
You're welcome.