ISE Certificate Authority Network access requirement

tlouderm
Cisco Employee

When performing wireless EAP-TLS using machine certs on ISE, if you are not requiring a CRL check, does the ISE server, WLAN Controller, or wireless client need network communication to the Certificate Authority? The CA is an internal CA and is not accessible from the ISE server or the wireless client environment.

-Tim

Accepted Solution

Hi,

The connectivity to the CA is required only to enroll the certificates. Once enrollment is completed, access to the CA won't be needed (except if CRL or OCSP points to the CA server), because the client will download the entire certificate chain on enrollment and will perform local validation of the certificate and chain.

If CRL or OCSP is pointing to the CA and you disabled revocation validation, then access to the CA won't be required until the next certificate renewal.

A better option is to use SCEP proxy. In this case you don't need to have access between clients and the CA, as your proxy server (which can be ISE or ASA) can perform certificate enrollment on behalf of the client and you maintain isolation.


***** Remember to rate useful posts.

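The "local validation" the accepted answer describes can be reproduced with the openssl CLI. The script below is an added example, not code from the thread or from Cisco: a constructed root CA (standing in for the internal CA whose certificate ISE keeps in its trusted certificates store) issues a machine certificate whose CRL distribution point names a deliberately unresolvable host (`ca.internal.invalid`, a constructed placeholder). Chain validation against the local trust store succeeds with no path to the CA; only turning revocation checking on makes the missing CRL matter.

```shell
#!/bin/sh
# Added example, not from the thread: show with openssl why an EAP-TLS
# validator that holds the CA certificate locally needs no network path to
# the CA unless revocation checking is enabled.
# Assumptions: openssl 1.1.1+ on PATH; all names and hosts are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Constructed root CA: self-signed certificate plus private key.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout ca.key -out ca.pem \
  -subj "/CN=Internal Lab Root CA (constructed)" >/dev/null 2>&1

# 2. Machine key + CSR, as a client would submit at enrollment
#    (directly to the CA, or through ISE/ASA acting as SCEP proxy).
openssl req -newkey rsa:2048 -nodes -keyout machine.key -out machine.csr \
  -subj "/CN=laptop01.lab.example (constructed)" >/dev/null 2>&1

# 3. The CA issues the certificate.  The CDP URI points at a host that does
#    not resolve, mirroring an internal CA isolated from the client network.
cat > machine.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
crlDistributionPoints=URI:http://ca.internal.invalid/crl/root.crl
EOF
openssl x509 -req -in machine.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -sha256 -extfile machine.ext -out machine.pem >/dev/null 2>&1

# What a validator does with revocation checking disabled: verify the
# signature and chain against the trusted store only.  openssl verify never
# fetches CRLs over the network, so the unreachable CDP is simply ignored.
chain_check() {
  if openssl verify -CAfile ca.pem machine.pem >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# What changes once revocation checking is on: with no CRL available (none
# supplied locally, CDP unreachable) validation fails closed.
revocation_check() {
  if openssl verify -crl_check -CAfile ca.pem machine.pem >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# The certificate really does carry the CDP; chain_check just never uses it.
cdp_host() {
  openssl x509 -in machine.pem -noout -text |
    sed -n 's/.*URI:http:\/\/\([^/]*\)\/.*/\1/p'
}

echo "chain only:       $(chain_check)"       # valid
echo "with CRL check:   $(revocation_check)"  # invalid
echo "CDP host in cert: $(cdp_host)"          # ca.internal.invalid
```

The practical reading for the question above: as long as the CA certificate (and any intermediates) is in the ISE trusted store and the client holds its full chain from enrollment, authentication keeps working with the CA unreachable; the first thing that breaks when revocation checking is later enabled is the CRL/OCSP fetch, not the chain validation.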

2 Replies

hslai
Cisco Employee

The CA certificates are imported into the trusted certificates store in ISE for this purpose, so ISE does not check anything externally for EAP-TLS auth unless CRL or OCSP is configured.
