Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
782
Views
0
Helpful
1
Replies

ISE Basic Certificate Checking

cbradt
Level 1
Level 1

‎08-11-2017 11:30 AM - edited ‎03-11-2019 12:56 AM

In reference to setting up a Certificate Authentication Profile ...

I see that "basic certificate checking" does not require an identity source.  I'm wanting to ensure I know what "basic certificate checking" means.  My assumption is the all that is checked is:

1) Was the cert issued by a Trusted CA? 

2) Has the cert expired? Has a valid/current date

3) Has the cert been revoked?

My take on this is if I have machine certs issued by some Root CA (not my AD) then I could use the basic checking to verify that the cert was issued by the appropriate CA (I've installed the Trusted Root Cert on my ISE) and was therefore a trusted device for EAP-FAST/EAP-TLS machine authentication purposes.

Is this correct?   Thanks

Labels:
0 Helpful
1 Reply 1

Rahul Govindan
VIP Alumni
VIP Alumni

‎08-13-2017 04:45 AM

I believe this is correct, ISE just does checks the certificates for the steps you have mentioned. I think the only other  "basic check" it does is the client certificate KU and EKU settings, basically to check if the certificate presented is meant for that purpose or not. "Client authentication" is a required setting for EKU (if explicitly set) for the client certificate presented to ISE.

0 Helpful
Customers Also Viewed These Support Documents