ISE 1.3 supported Client Certs

gtilburg
Cisco Employee

Hi,

Our customer is planning to renew their ISE and client certificates to SHA256 instead of SHA1.

ISE 1.3 documentation implies that SHA256 is supported for server certificates, however I am not able to find any requirements/limitations for the clients that would do certificate authentication.

What are the limitations for client certificates to be supported for EAP-TLS on ISE 1.3 (and 2.0)?

- keysize?

- Hash?

Regards

Gert

1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee

For EAP auth you require Client Authentication in key usage. You can also check cert parameters in our BYOD certs for example. We support up to 4k key sizes signed using RSA. ECC certs not supported until 2.1. We support SHA-2/256 but not 512. SHA512 not officially tested, but testing said it should work.

There are compatibility concerns on the client side, as well, for key sizes and SHA-2.

See RSA Key Sizes: 2048 or 4096 bits? | DanielPocock.com and SHA-256 Compatibility

Simply put: How does certificate-based authentication work? | Network World

Opened defect CSCuy60213 to address this being missing from the guide.

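An added check, not from this thread or from Cisco, that inspects a client certificate PEM with openssl against the constraints listed in the accepted answer: RSA key of at most 4096 bits, SHA-256 signature (SHA-1 fails, SHA-512 only warns), and Client Authentication in the extended key usage. It assumes openssl 1.1.1 or newer on PATH; the 2048-bit lower bound is my assumption from the linked key-size guidance, not an ISE limit stated here.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl 1.1.1+ on PATH.
# Checks one PEM client certificate against the constraints in the accepted
# answer: RSA key, at most 4096 bits, SHA-256 signature (SHA-1 fails,
# SHA-512 only warns), and Client Authentication in the extended key usage.
# Returns 0 when the certificate passes, 1 otherwise; findings go to stdout.
check_eap_tls_client_cert() {
  txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo "FAIL: cannot parse $1"; return 1; }
  rc=0
  sigalg=$(printf '%s\n' "$txt" | awk '/Signature Algorithm:/ { print $3; exit }')
  case "$sigalg" in
    sha256WithRSAEncryption) ;;
    sha512WithRSAEncryption) echo "WARN: SHA-512 signature, not officially tested" ;;
    sha1WithRSAEncryption)   echo "FAIL: SHA-1 signature"; rc=1 ;;
    *)                       echo "FAIL: signature algorithm '$sigalg' is not RSA with SHA-2"; rc=1 ;;
  esac
  printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption' \
    || { echo "FAIL: public key is not RSA (ECC needs ISE 2.1)"; rc=1; }
  # Matches both "RSA Public-Key: (2048 bit)" (1.1.1) and "Public-Key: (2048 bit)" (3.x).
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if [ -z "$bits" ] || [ "$bits" -gt 4096 ]; then
    echo "FAIL: key size ${bits:-unknown} (limit is 4096 bits)"; rc=1
  elif [ "$bits" -lt 2048 ]; then
    echo "WARN: key size $bits bits is below 2048 (assumed minimum, not an ISE limit)"
  fi
  printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication' \
    || { echo "FAIL: extendedKeyUsage lacks clientAuth"; rc=1; }
  return $rc
}

# Constructed sample: a throwaway self-signed cert generated locally so the
# check runs offline. $1 = output PEM, $2 = digest (e.g. sha256), $3 = EKU value.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "${1%.pem}.key" -out "$1" \
    -days 1 -subj "/CN=example-supplicant" "-$2" -addext "extendedKeyUsage=$3" 2>/dev/null
}

# Usage: make_sample_cert /tmp/c.pem sha256 clientAuth && check_eap_tls_client_cert /tmp/c.pem
```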

2 Replies

gtilburg
Cisco Employee

Hi Jason,

The certificate guide talks about the server side certificate, not the client certificate.

I am looking for requirements on the client certs.

Regards

Gert
