05-24-2019 03:45 AM - edited 05-24-2019 03:46 AM
Hi,
I have a customer who doesn't have an on-prem user directory and CA. They are very much interested in ISE. However, the challenge is to have dot1x authentication.
Can we use certificate-based authentication for dot1x and configure ISE to act as a CA server and issue certificates to endpoints? I know that ISE issues the certs for BYOD only. But I think we can use the certificate provisioning portal to manually download and install the certs on endpoints. So in this case, when the certificates are issued by ISE and dot1x is triggered, how can ISE validate the endpoint's certificate?
P.S. Customer doesn't want to create a local user database in ISE.
Thanks,
Rakesh Kumar
Labels: Identity Services Engine (ISE)
Accepted Solutions

05-24-2019 10:06 AM
This will require Plus licensing, minimum 100, to cover the use of the certificate portal. Unless of course you're profiling devices as well.
Very basic steps here:
Step 1: set up the CA
Step 2: set up authorization rules
  - If EAP-TLS, then Permit Access
  - If MAB, then redirect to a portal saying you need to be onboarded by an admin?
Step 3: use the certificate provisioning portal (see admin guide) to generate certificates
Step 4: install on the client and configure the supplicant

05-24-2019 04:51 AM
How would you validate who's authenticating? One user would be initiating every download, since you aren't able to authenticate the user using the portal?
What are they using for an identity source? Perhaps a proxy could be set up?
Seems like a lot of manual labor.
05-24-2019 05:01 AM
Hi Jason,
I have been posting a lot of questions these days and all are about the same customer. They have Jumpcloud, which is a directory-as-a-service in the cloud. I checked with some folks and found that Jumpcloud is not supported/validated. Apart from that, they have G-Suite and JAMF for Mac users.
So if we have an admin downloading all the certificates for all the endpoints, the distribution can be done using any other medium. Let's assume that is not a problem. Consider that the endpoints have certificates; then how would ISE validate them without having an AD/LDAP/local database?
05-24-2019 05:19 AM
As long as the internal ISE chain is in your trusted store in ISE and you confirm they can be used for authentication, then there should not be any problems there. ISE will actually maintain a record of issued certificates and you can tweak the internal CA settings. The PSNs act as an OCSP responder for the internal ISE CA that will be used to verify. Also, if interested, I am pretty sure you can use SCEP with the internal ISE CA.
HTH!

05-24-2019 06:04 AM

05-24-2019 05:22 AM
What about some sort of authentication proxy?
I would recommend trying out the certificate provisioning portal to see what's going on so you understand. But I'm pretty sure that it would work by generating generic certs per endpoint.
You really should think about
05-24-2019 09:47 AM
Jason, Mike,
What you guys are saying makes sense. So how do we configure this? What's the recommended configuration in ISE to validate endpoint certificates issued by ISE?
05-24-2019 10:31 AM - edited 05-24-2019 10:54 AM
So if I understood correctly, then step 2 is doing certificate validation and authorizing users?
If they don't have certs, then cert provisioning will be done by steps 3 and 4? But how can we have different authorization policies for different sets of users?
05-24-2019 10:45 AM
Authentication policy conditions:
RadiusFlowType EQUALS wired8021x
NetworkAccess:EAPAuthentication EQUALS EAP-TLS
Authorization policy conditions:
CERTIFICATE:Subject Alt Name CONTAINS <your identifier>
NetworkAccess:AuthenticationMethod EQUALS x509_PKI
DEVICE Type EQUALS <your device type group/s>
I suggest playing in ISE with the conditions and/or reviewing guides. HTH!
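Taken together, the trust-store/OCSP reply above and these policy conditions describe the two decisions ISE makes for an ISE-issued endpoint certificate: first "does this certificate chain to our internal CA, is it usable for client authentication, and is it still good" (authentication), then "what does the holder get" based on certificate attributes such as the Subject Alt Name (authorization). The shell lab below is an added example, not from this thread and not Cisco's code: it uses openssl to stand up a throwaway "internal CA", issue a few endpoint certificates carrying a SAN identifier, and then run those two decisions the way the conditions above express them. Every CA name, endpoint name, SAN identifier (corp-laptop, contractor) and authorization profile name is constructed, and the revoked-serial file is a stand-in for ISE's issued-certificate record and OCSP responder.

```shell
#!/bin/sh
# Added lab (not from the thread): a throwaway "internal CA" issues endpoint
# certificates; a validator then chains them to the CA in its trust store,
# checks client-auth purpose, checks the issued-certificate record for
# revocation, and maps a SAN identifier to an authorization result.
# All names, identifiers and profile names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
: > "$WORK/revoked.txt"   # constructed stand-in for the CA's revocation record / OCSP responder

# Step 1: set up a CA (self-signed, CA:TRUE, keyCertSign). Called once for the
# trusted "internal" CA and once for an unrelated CA that is NOT in the trust store.
make_ca() {  # $1 = CA name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Step 3 equivalent: issue an endpoint certificate with a SAN identifier and
# the clientAuth EKU, the attributes the authorization policy later reads.
issue_cert() {  # $1 = issuing CA name, $2 = endpoint name, $3 = subjectAltName value
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  printf 'subjectAltName=%s\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 90 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Mark an issued certificate as revoked in the (constructed) record.
revoke_cert() {  # $1 = endpoint name
  openssl x509 -in "$WORK/$1.crt" -noout -serial | cut -d= -f2 >> "$WORK/revoked.txt"
}

# Authentication decision: chain to the trusted CA, client-auth purpose,
# validity period (openssl verify checks it), and not revoked. Returns 0 on success.
authenticate() {  # $1 = endpoint name
  openssl verify -CAfile "$WORK/lab-ca.crt" -purpose sslclient "$WORK/$1.crt" >/dev/null 2>&1 || return 1
  serial=$(openssl x509 -in "$WORK/$1.crt" -noout -serial | cut -d= -f2)
  if grep -qx "$serial" "$WORK/revoked.txt"; then return 1; fi
  return 0
}

# Authorization decision: mirrors "CERTIFICATE:Subject Alt Name CONTAINS <identifier>".
# Only a certificate that passed authentication (x509_PKI) reaches the SAN match.
authorize() {  # $1 = endpoint name; prints the (constructed) authorization profile name
  if ! authenticate "$1"; then echo "DenyAccess"; return 0; fi
  san=$(openssl x509 -in "$WORK/$1.crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
  case "$san" in
    *corp-laptop*) echo "PermitAccess-Employee" ;;
    *contractor*)  echo "PermitAccess-Contractor" ;;
    *)             echo "DenyAccess" ;;
  esac
}

# Constructed scenario: one trusted CA, one unrelated CA, four endpoint certificates.
make_ca lab-ca
make_ca other-ca
issue_cert lab-ca   laptop01 'email:corp-laptop-01@example.test'   # good employee cert
issue_cert lab-ca   vendor01 'email:contractor-01@example.test'    # good contractor cert
issue_cert lab-ca   laptop02 'email:corp-laptop-02@example.test'   # issued, then revoked
revoke_cert laptop02
issue_cert other-ca laptop03 'email:corp-laptop-03@example.test'   # right identifier, issuer not in trust store

for ep in laptop01 vendor01 laptop02 laptop03; do
  printf '%s -> %s\n' "$ep" "$(authorize "$ep")"
done
```

The laptop03 case is the answer to "how would ISE validate them": a certificate carrying the right identifier but issued by a CA that is not in the trust store fails the chain check and never reaches the SAN match, while laptop02 fails on the issued-certificate record even though its chain is fine.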
05-24-2019 11:25 AM
Thanks Jason and Mike, that was helpful. Will try with different sets of conditions.

05-24-2019 11:31 AM
Per those steps, you will need to look at the certificate provisioning portal in the admin guide to generate certs.

05-24-2019 11:32 AM
Our compatible integration points are listed in the ISE compatibility matrix.
05-24-2019 11:43 AM
Yes Jason, you are right. We won't be able to authenticate users if we do not have a user directory (AD/local). Using certificates, ISE will also just be able to validate the certs, not users. However, if the customer agrees to this, then we can have some sort of control on whether someone has valid credentials. And with some certificate attributes in the authorization conditions, ISE can apply different authorization policies to different sets of users.

05-24-2019 12:01 PM
