09-19-2012 06:00 AM - edited 03-10-2019 07:33 PM
I have a unique situation where I am trying to authenticate via certificates in an environment without a CA. I have a wildcard cert from a third party that I can place on the devices. I added the third party root CA in the local store on ISE but I am still using the self-signed cert from ISE in my local certs for EAP authentication. Is there a way to use a wildcard cert for device authentication, or is there a way to export a cert from ISE that can be loaded on the end device for authentication? Any help would be greatly appreciated.
09-19-2012 06:02 AM
On a side note, when I use a wildcard cert I get an error that no private key is found when trying to authenticate to the ISE appliance.
05-29-2013 04:05 PM
Please review the links below, which might be helpful for your concerns:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html
05-30-2013 05:27 AM
Thanks Vikas.
I have since found the answer I was looking for. I talked with some of the guys in the BU and basically wildcard certs aren't supported on the end devices, which makes sense since it kind of eliminates the security aspect of certificate authentication.
The guides you sent still require the use of an actual CA or SCEP server in order to get the certificates to the clients.
In short I came up with a different solution that didn't use certificates.
05-30-2013 05:51 PM
Coming in a little late on this, but my question was going to be: "What exactly is the end goal?" For instance, were you looking to use EAP-TLS? If so, then without a CA you would probably need to look to something else, for instance, PEAP. However, I see that you have resolved your own issue, which is great! Do you care to share with the rest of us what your solution was?