2602 Views, 1 Helpful, 4 Replies

ISE as an Intermediate CA for BYOD

STEPHEN POLZIN
Level 1

Anyone out there experienced with using ISE as an Intermediate CA for BYOD?

When using ISE as an intermediate CA we seem to get odd results in the Windows client certificate issued by the BYOD process. We have observed the same in ISE 1.3 and 2.0 patch 3. Although the cert works, the certificate information seems to be missing info we normally see, as you can see in the screen captures below.

I would have thought the certification path (in the second picture) would show the root CA, intermediate CA and finally the user cert. Is it because the client doesn’t have the Intermediate CA certificate? If so how can you get this from ISE and why doesn’t it push it automatically along with the root certificate?

image001.png

image002.png

Root CA is installed:


image003.png

ISE Auth is successful:

image004.png

Accepted Solution

hslai
Cisco Employee

This is expected. ISE itself has the certificate chain in its trusted store so ISE can authenticate the endpoints with their TLS certificates. Normally, the clients only need to trust ISE server certificate(s) so no need to install the full certificate chain for the client on the endpoints.

4 Replies

Hi, I think this might be true for a Windows client. EAP-TLS runs like a charm on our Windows clients; Apple devices are always complaining about the untrusted certificate chain. Any suggestions on how to solve this on Apple devices?

Apple devices always ask you to trust valid certificates when first connecting. Make sure to use a wildcard in the SAN for your PSNs so that clients only need to accept the RADIUS nodes once.

See the following posts:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2

https://communities.cisco.com/docs/DOC-71398

https://discussions.apple.com/thread/7381797?start=0&tstart=0

STEPHEN POLZIN
Level 1

Thanks hslai. That makes sense and is what I thought was happening, but it doesn't confirm to me why Windows Certificate Manager shows what it does. Is it because Windows doesn't have the ISE intermediate certificate that Certificate Manager is unable to display the full certificate hierarchy?
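The following is an added example, not code from this thread or from Cisco ISE, illustrating both hslai's answer and the follow-up question above. It builds a constructed three-tier chain (enterprise Root CA, an intermediate CA standing in for ISE, and a BYOD user certificate; all names are hypothetical) with Go's standard crypto/x509 package and then runs the same path-building step a certificate viewer performs, once with only the root trusted, as on the Windows client in the screenshots, and once with the intermediate certificate also available. The first case cannot build a path past the user certificate; the second produces the full three-certificate path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed three-tier PKI mirroring the thread: enterprise Root CA ->
// ISE acting as Intermediate CA -> BYOD user certificate. Names are hypothetical.
type byodChain struct{ root, intermediate, leaf *x509.Certificate }

// issue generates a P-256 key for tmpl, has parent (parentKey) sign it, and
// returns the parsed certificate and its key. parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildChain creates the root, the intermediate and a client-auth leaf.
func buildChain() (*byodChain, error) {
	notBefore := time.Now().Add(-time.Hour)
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Enterprise Root CA"},
		NotBefore: notBefore, NotAfter: notBefore.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	intermediate, interKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example ISE Intermediate CA"},
		NotBefore: notBefore, NotAfter: notBefore.Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
		MaxPathLen: 0, MaxPathLenZero: true, // may only issue end-entity certificates
	}, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "byod-user@example.com"},
		NotBefore: notBefore, NotAfter: notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, intermediate, interKey)
	if err != nil {
		return nil, err
	}
	return &byodChain{root, intermediate, leaf}, nil
}

// verifyPath does what a certificate viewer's "Certification Path" tab does:
// build a path from the leaf to a trusted root. withIntermediate controls
// whether the ISE intermediate certificate is available to the path builder.
func verifyPath(c *byodChain, withIntermediate bool) ([]string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(c.root) // only the root is trusted, as on the client in the thread
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if withIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(c.intermediate)
	}
	chains, err := c.leaf.Verify(opts)
	if err != nil {
		return nil, err // x509.UnknownAuthorityError when the issuer cannot be found
	}
	var path []string // subject CNs, leaf first
	for _, cert := range chains[0] {
		path = append(path, cert.Subject.CommonName)
	}
	return path, nil
}

func main() {
	c, err := buildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println(verifyPath(c, false)) // no path: the intermediate is unknown to the validator
	fmt.Println(verifyPath(c, true))  // leaf, intermediate, root
}
```

On a Windows client the equivalent of the second case is to place the ISE intermediate certificate in the Intermediate Certification Authorities store (for example `certutil -addstore CA ise-intermediate.cer` from an elevated prompt, where the file name is hypothetical), after which Certificate Manager can display the full hierarchy. As hslai points out, this only affects what the client displays: for EAP-TLS it is ISE that builds and validates the client certificate's path from its own trusted store.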
