ISE Certificate Authentication Without a CA

Nicholas Copeland · ‎09-19-2012

I have a unique situation where I am trying to authenticate via certificates in an enviroment without a CA. I have a wildcard cert from a third party that I can place on the devices. I added the thrid party root CA in the local store on ISE but I am still using the self-signed cert from ISE in my local certs for EAP authentication. Is there a way to use a wildcard cert for device authentication or is there a way to export a cert from ISE that can be loaded on the end device fro authentication. Any help would be greatly appreciated.

Nicholas Copeland · ‎09-19-2012

On a side note when I use a wildcard cert I get an error that no private key is found when trying to authentictae to the ISE appliance.

vikasyad · ‎05-29-2013

Please review the below link which might be helpful on your concerns:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html

Nicholas Copeland · ‎05-30-2013

Thanks Vikas.

I have since found the answer I was looking for. I talked with some of the guys in the BU and basically wildcard certs aren't supported on the end devices which make sense since it kind of eliminates the security aspect of certificate authentication.

The guides you sent still require the use of an actual CA or SCEP server in order to get the certificates to the clients.

In short I came up with a different solution that didn't use certificates.

nspasov · ‎05-30-2013

Coming in a little late on this but my question was going to be: "What exactly is the end goal" For instance, were you looking to use EAP-TLS and if so then without a CA then you would probably need to look to something else. For instance, PEAP. However, I see that you have resolved your own issue which is great! Do you care to share with the rest of us what your solution was?