cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5296
Views
20
Helpful
16
Replies

ISE Cert for IOT devices

cxo-179682
Level 1
Level 1

Hi Experts,

 

Trying to deploy certificate from ISE to IOT devices for security purposes, but can anyone share which docs can i refer to ?

- create iot device cert from ISE (export to device)

- import ISE cert to the device

- authenticate based on the cert provided (authentication and authorization profiles)

 

I've been searching the docs, but been going in circles and couldnt find a complete doc.

 

TIA

1 Accepted Solution

Accepted Solutions

Hello @cxo-179682 

 

You can use ISE pxGrid as your CA to generate client certificates for your IOT devices. I believe you might need the Plus License installed to see the menu option.

 

The name 'pxGrid' is a bit misleading since in your case it has nothing to do with pxGrid- don't worry - you can generate certs for client devices and in the end it spits out a .zip file that contains all the bits you need. You can even create a cert using a .csr (from your IOT device or OpenSSL) or generate the cert from scratch.

The cert template is defined in ISE and it will populate the cert attributes in a certain way - but it should be good enough for most purposes. 

 

pxgrid.PNG

 

As a client cert you need the EKU (Enhanced Key Usage) to be "Client Certificate' - pxGrid will set the cert to Server and Client - nice!

arne.PNG

View solution in original post

16 Replies 16

Marvin Rhoads
Hall of Fame
Hall of Fame

For a device to present a certificate to ISE for network authentication it must have and be using an 802.1x supplicant. Do your IoT devices have that? (Most don't)

We are only enabling those that support 802.1x and there are a handful, where we can import the cert & enable dot1x. 

I'm exploring on how to create/generate the cert from ISE and export it to be imported to the said device to be authenticated. 

 

 

 

Hello @cxo-179682 

 

You can use ISE pxGrid as your CA to generate client certificates for your IOT devices. I believe you might need the Plus License installed to see the menu option.

 

The name 'pxGrid' is a bit misleading since in your case it has nothing to do with pxGrid- don't worry - you can generate certs for client devices and in the end it spits out a .zip file that contains all the bits you need. You can even create a cert using a .csr (from your IOT device or OpenSSL) or generate the cert from scratch.

The cert template is defined in ISE and it will populate the cert attributes in a certain way - but it should be good enough for most purposes. 

 

pxgrid.PNG

 

As a client cert you need the EKU (Enhanced Key Usage) to be "Client Certificate' - pxGrid will set the cert to Server and Client - nice!

arne.PNG

Thanks for your suggestion for PxGrid, but we do not have the Plus license, hence couldnt use it

Any other suggestion on how i can generate the cert from ISE (to be trusted from the iot device) ? 

You could get a 90 day eval of the Plus license (100 endpoints). I am quite certain that once you have created those certificates, they won’t disappear from the system after the 90 days.  You might just get a license expiration warning. 
100 Plus licenses should not be too expensive in the long run. 

Thanks again for your prompt assistance.

 

Ive managed to get the zip file with all the certs required and imported to the IOT (enabled dot1x).

Created Authentication profile based on the Certificate profile (with relevant Authorization profile to permit the device with specific VLAN)

But, its not hitting/matching the Authentication profile that i wanted for it to check/read the certificate details. 

 

Apology if this sounds 'stupid', but i couldnt find a proper document for this anywhere..as im getting in circles or im looking it at the wrong place. 

I would send some screen shots but I am not near a computer at the moment. The authentication Policy Set needs an allowed Protocols that allows eap-tls and the authentication itself references a certificate profile that specifies if there are parts of the cert that you want to look up (eg the Subject or SAN) etc. 

have a look at the lab minute series video. This is video 1

https://www.labminutes.com/sec0274_ise_22_wireless_dot1x_eap_tls_peap_1

Thanks again for your reply, and i did have a look at the video before.

 

Yes, I've done below on the ISE :

- Allowed PEAP & EAP-TLS protocol

- Authentication Profile matching the Certificate profile ive created matching SAN (created via pxGrid) 

 

As for the client/supplicant :

- enabled 802.1x using certificate (eap-tls)

- imported only machine cert created from pxGrid  (there are a lot of other file which i dont think is needed, i maybe wrong again)

 

But still not 'hitting' the authentication policy ive created

post some screen shots of the Policy Set - details of the Authentication, and Authorization please.

Do you use the NAS (NAD) for anything else in that ISE server? Have you added it to the ISE Devices List and is the Radius shared secret correct? Is the NAS/NAD configured correctly with the ISE IP address and shared secret? 

 

Is this wired or wireless?

This is an existing setup, hence all the relevant NAS-CIsco SW (shared secret) are already in place. Below are the snippets :

 

1- Certificate Template

2- Certificate Profile

3- Authentication Policy (apology, have to amend some of the information due to Prod setup)

 

During testing, the device does not hit/match the IOT-Cert authentication policy at all, hence it wont be matching the authorization i wanted it to match. 

Great screen shots - that helps a lot.

 

Since this is an IOT device, are you 100% sure that the supplicant is correctly configured? In other words, is it sending EAPOL frames towards the switch? You might want to run a tcpdump on the ISE PSN node to confirm that the RADIUS packets do indeed contain EAP payload.

Here is a handy command to test whether the attached client speaks EAPOL (perhaps hardcode the port to access vlan in order to bring the interface up before running this test)

 

Test device on access switch port to see whether it has a configured supplicant

 

9300# term monitor

9300# dot1x test eapol-capable interface te 1/0/46

Mar 27 23:40:29.175: %DOT1X-4-INFO_EAPOL_PING_RESPONSE: Switch 1 R0/0: sessmgrd: The interface Te1/0/46 has an 802.1x capable client with MAC 7872.5d3f.a55a

 

When you connect the IOT device, what is the end result? Do you see EAP processing on the switch? Do you see the Steps that ISE took to process the Auth request in the Details?

 

I am not 100% sure that having two identical Authentication Conditions (Wired 802.1X AND EAP-TLS) will allow you to process the second Rule (e.g. Laptop-Cert) in your case. If laptop or IOT comes along with wired 802.1X and EAP-TLS then Rule 1 is satisfied - and then the cert processing is done and AD lookup etc. - if that fails, then I don't think ISE will continue to Rule 2. I would make each Rule a bit more specific, by including another AND operand such as "CERTIFICATE Issuer = 'blah'" to tell ISE to use that Rule unambiguously.

 

Thanks again for some of the troubleshooting steps, i will proceed to to test the port to confirm the IOT dot1x capabilities (well, the vendor did mentioned he tested with others and it worked, and it's configured for dot1x with eap-tls, which ive checked)

 

Ive tried to find a way to 'consolidate' both certificate option for Laptop and IOT, but couldn't, hence i created a 2nd authentication profile. 

I'm sure this is being used in other organisation where different certificate will be use or need to check. (this is where i did mentioned that i couldn't find the appropriate documentation)

Let us know how you get on.

 

When dealing with multiple EAP-TLS client cert "types" from the same NAS, then you can distinguish them during Authentication using the method I proposed. I have done this in a number of projects. You have access to the CERTIFICATE attributes during authentication, and therefore you can point ISE in the right direction regarding WHICH certificate attribute you are interested in for authentication (certificate profile selection).

The Policy Set will not continue processing if you have matched a Rule, but then proceed to fail during Authentication (e.g. IOT client cert  comes along, and you perform auth using the Employee client profile ... Authentication should(will) fail - and then the Access-Reject is sent to the NAS - end of story). You don't get to "fail through" to the next rule.   There is an option in Authentication called "If Auth Fail 'Continue'" - but Continue in this case means, continue to Authorization (and bypass Authentication). 

I think i managed to get it worked after few tries, as im not sure is the IOT device or ISE configuration issue :

1- No separate certificate profile needed (if there's one in place already)

2- Create cert via pxgrid (as suggested by you)

3- Imported Root and Machine cert to the IOT device (enabled 802.1x)

4- Create an authorization profile matching the cert details and assign appropriate access

 

Tested few devices and it worked   but I've been advised to use ISE PKI certificate instead of pxGrid.