Hi
I had an idea about using ISE as an endpoint certificate tracking tool, to check for the following:
- What TLS version are my endpoints using? (e.g. can I disable TLS 1.0, etc.?)
- When are my endpoint certificates expiring? (e.g. I have deployed certs on devices that have poor or no management systems to keep track of client cert expiration)
It turns out that SYSLOG might be the answer to these questions. By filtering the SYSLOGs sent by ISE, we can see all this and then create reports and an action plan to remediate.
Below is a redacted view of an example ISE SYSLOG event after a successful EAP-TLS authentication. ISE decodes the client cert and puts all the necessary data in the comma-delimited SYSLOG:
EapAuthentication=EAP-TLS,
EndPointMACAddress=00-00-00-00-0B-FF,
TLSCipher=ECDHE-RSA-AES256-GCM-SHA384,
TLSVersion=TLSv1.2,
TLSSupportedGroups=secp521r1,
TLSSignatureAlgorithms=rsa_pss_rsae_sha512,
Days to Expiry=189
The ISE Logging config only requires the SYSLOG target(s) to be added to the "Passed Authentications" Category:

Furthermore, for wired 802.1X, session re-authentication should be enabled to regularly re-authenticate endpoints that might be permanently connected (e.g. cameras, printers, etc.); every 18 hours (65535 seconds) seems reasonable to me.
And finally, the hard work still has to be done: write a filter/rule in your SIEM (e.g. Splunk) to trigger a report to an admin when there are endpoints with "Days to Expiry" <= 30, or whatever the requirement may be.
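As an added example (not part of the original post, and not Cisco or Splunk code), here is a small Python script that does the SIEM side of this offline: it parses the comma-delimited key=value attributes out of ISE passed-authentication syslog lines like the one shown above, keeps only the most recent record per MAC address (with session re-authentication the same endpoint shows up again every cycle), counts distinct endpoints per negotiated TLS version, and reports endpoints that either negotiated a TLS version below a chosen floor or whose "Days to Expiry" is at or under the threshold. The syslog header text in front of the attribute list, the sample MAC addresses and values, the `Subject` attribute and the backslash-escaping of commas inside attribute values are all constructed or assumed for this example; only the attribute names shown in the post are taken from it.

```python
"""Report endpoint TLS version and client-cert expiry from ISE syslog (added example)."""
import re
from collections import defaultdict

# Constructed sample syslog lines. The header before the attribute list is an
# approximation of an ISE "Passed-Authentication" message, not a verbatim copy;
# the parser only relies on the comma-delimited Key=Value attributes after it.
_HDR = ("Jan 10 09:12:01 ise01 CISE_Passed_Authentications 0000000123 1 0 "
        "Passed-Authentication: Authentication succeeded, ")
SAMPLE_EVENTS = [
    # the endpoint from the post: modern TLS, cert fine
    _HDR + "EapAuthentication=EAP-TLS, EndPointMACAddress=00-00-00-00-0B-FF, "
           "TLSCipher=ECDHE-RSA-AES256-GCM-SHA384, TLSVersion=TLSv1.2, "
           "TLSSupportedGroups=secp521r1, TLSSignatureAlgorithms=rsa_pss_rsae_sha512, "
           "Days to Expiry=189,",
    # old printer stuck on TLS 1.0 (constructed)
    _HDR + "EapAuthentication=EAP-TLS, EndPointMACAddress=00-00-00-00-0C-01, "
           "TLSCipher=AES256-SHA, TLSVersion=TLSv1.0, Days to Expiry=400,",
    # cert expiring soon (constructed)
    _HDR + "EapAuthentication=EAP-TLS, EndPointMACAddress=00-00-00-00-0C-02, "
           "TLSCipher=ECDHE-RSA-AES128-GCM-SHA256, TLSVersion=TLSv1.2, Days to Expiry=12,",
    # same printer re-authenticating ~18h later; must not be double-counted
    _HDR + "EapAuthentication=EAP-TLS, EndPointMACAddress=00-00-00-00-0C-01, "
           "TLSCipher=AES256-SHA, TLSVersion=TLSv1.0, Days to Expiry=399,",
    # camera with a comma inside a value, escaped as "\," (escaping is an assumption)
    _HDR + "EapAuthentication=EAP-TLS, EndPointMACAddress=00-00-00-00-0C-03, "
           "Subject=CN=cam-03\\,OU=Facilities, TLSVersion=TLSv1.3, Days to Expiry=3,",
    # PEAP user: TLS tunnel but no client certificate, so no Days to Expiry
    _HDR + "EapAuthentication=EAP-PEAP, EndPointMACAddress=00-00-00-00-0C-04, "
           "TLSVersion=TLSv1.2,",
]

# Split on commas that are not escaped with a backslash.
_ATTR_SPLIT = re.compile(r"(?<!\\),\s*")


def parse_event(line):
    """Return the Key=Value attributes of one ISE syslog line as a dict.

    Chunks without '=' (the syslog header, the trailing empty field) are skipped,
    so the multi-word key 'Days to Expiry' survives intact.
    """
    attrs = {}
    for chunk in _ATTR_SPLIT.split(line):
        if "=" not in chunk:
            continue
        key, _, value = chunk.partition("=")
        attrs[key.strip()] = value.replace("\\,", ",").strip()
    return attrs


def tls_rank(version):
    """Map 'TLSv1', 'TLSv1.0', 'TLSv1.2', 'TLSv1.3' to a comparable tuple, or None."""
    m = re.fullmatch(r"TLSv(\d+)(?:\.(\d+))?", version or "")
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None


def latest_per_endpoint(lines):
    """Keep the most recent event per MAC; lines are assumed to be in time order."""
    latest = {}
    for line in lines:
        ev = parse_event(line)
        mac = ev.get("EndPointMACAddress")
        if mac:
            latest[mac] = ev
    return latest


def tls_version_summary(lines):
    """Distinct endpoints per negotiated TLS version (the post's first question)."""
    seen = defaultdict(set)
    for ev in latest_per_endpoint(lines).values():
        if "TLSVersion" in ev:
            seen[ev["TLSVersion"]].add(ev["EndPointMACAddress"])
    return {v: sorted(macs) for v, macs in seen.items()}


def assess(lines, expiry_threshold=30, min_tls="TLSv1.2"):
    """Findings as (mac, reason, detail), sorted; reasons: legacy-tls, cert-expiring."""
    floor = tls_rank(min_tls)
    findings = []
    for mac, ev in latest_per_endpoint(lines).items():
        rank = tls_rank(ev.get("TLSVersion"))
        if rank is not None and rank < floor:
            findings.append((mac, "legacy-tls", ev["TLSVersion"]))
        days = ev.get("Days to Expiry", "")
        if days.lstrip("-").isdigit() and int(days) <= expiry_threshold:
            findings.append((mac, "cert-expiring", int(days)))
    return sorted(findings)


if __name__ == "__main__":
    for version, macs in sorted(tls_version_summary(SAMPLE_EVENTS).items()):
        print(f"{version}: {len(macs)} endpoint(s)")
    for mac, reason, detail in assess(SAMPLE_EVENTS):
        print(f"{mac}  {reason}  {detail}")
```

Two caveats when moving this logic into a real SIEM rule: an endpoint whose certificate has already expired fails EAP-TLS and therefore never produces a "Passed Authentications" record, so a second query over failed authentications is needed to catch the ones you missed; and if your ISE logging target splits long messages into several syslog segments, reassemble them before parsing or the "Days to Expiry" field may land in a different message than the MAC address.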