ISE Basic Certificate Checking

cbradt
Level 1

In reference to setting up a Certificate Authentication Profile ...

I see that "basic certificate checking" does not require an identity source. I'm wanting to ensure I know what "basic certificate checking" means. My assumption is that all that is checked is:

1) Was the cert issued by a Trusted CA? 

2) Has the cert expired? Has a valid/current date

3) Has the cert been revoked?

My take on this is if I have machine certs issued by some Root CA (not my AD) then I could use the basic checking to verify that the cert was issued by the appropriate CA (I've installed the Trusted Root Cert on my ISE) and was therefore a trusted device for EAP-FAST/EAP-TLS machine authentication purposes.

Is this correct? Thanks

1 Reply

Rahul Govindan
VIP Alumni

I believe this is correct, ISE just checks the certificates for the steps you have mentioned. I think the only other "basic check" it does is the client certificate KU and EKU settings, basically to check if the certificate presented is meant for that purpose or not. "Client authentication" is a required setting for EKU (if explicitly set) for the client certificate presented to ISE.