
ISE certificate requirements for EAP-TLS

Attila Horvath
Level 1

Hi, 

We would like to connect our corporate tablets and mobile devices to a restricted network - without implementing classic BYOD features like self-provisioning, but with certificate-based-only authentication (EAP-TLS).

(Our Helpdesk will handle the certificate install, wireless network setup, etc.)

The WLC side is configured to handle TLS, and now we are trying to generate certificates for iPad, Android (Galaxy Tab 3 KitKat), and iPhone.

Are there any special certificate requirements to implement this?

What should the certificate EKU field contain?

2 Replies

kurmai
Cisco Employee

I think this doc may be useful:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116068-configure-product-00.html

It has some details on the EKU field and certificate template.

Another consideration: if you are planning to issue wildcard certificates to the clients, make sure the subject doesn't contain the wildcard, or Windows clients will have problems.

Jatin Katyal
Cisco Employee

Hi Attila,

It seems your question is specifically about the client / user certificate. See: Certificate Requirement with PEAP & EAP

If you're planning to use a wildcard certificate, please ensure you follow this document to get the right certificates: Wild Card with ISE


The Enhanced Key Usage field identifies the intended purpose of the certificate and needs to contain Client Authentication. This field is mandatory when you use the Microsoft supplicant for PEAP and EAP-TLS.

If you request a certificate with the use of a CSR with Microsoft Certificate Services, you do not have the option to specify the Intended Purpose with the Standalone CA. Therefore, the EKU field is absent. With the Enterprise CA, you have the Intended Purpose drop-down. Some CAs do not create certificates with an EKU field. They are useless when you use the Microsoft EAP supplicant.

Regards,

Jatin
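The two points made in the replies above (Jatin's: the EKU must contain Client Authentication or the Microsoft supplicant will not use the certificate; kurmai's: keep the wildcard out of the subject) can be checked mechanically on every certificate the Helpdesk installs. The script below is an added example, not from the original thread and not from Cisco's documentation. It assumes `openssl` is on PATH; the CA name, the device CNs, the directory layout and the `issue_client_cert` / `check_eap_tls_client_cert` function names are all constructed for this example. The throwaway CA stands in for the enterprise CA only so the script runs offline; in a real deployment the check function is what you would run against the certificate your CA actually issued.

```shell
#!/bin/sh
# Added example, not from the original thread or Cisco's documentation.
# Issues an EAP-TLS client certificate with OpenSSL and checks the two
# requirements raised in the replies: the Extended Key Usage must contain
# Client Authentication (OID 1.3.6.1.5.5.7.3.2, printed by OpenSSL as
# "TLS Web Client Authentication"), and the subject must not contain a
# wildcard. CA name, device CNs and directory layout are constructed.
set -eu

# issue_client_cert DIR CN [EKU]
# Creates a throwaway CA in DIR and signs a client certificate for CN with
# the given extendedKeyUsage value (default clientAuth). Pass "none" to
# omit the EKU entirely, which reproduces what a CA that does not set an
# Intended Purpose hands out.
issue_client_cert() {
    dir=$1; cn=$2; eku=${3:-clientAuth}
    mkdir -p "$dir"
    # Throwaway issuing CA (constructed; stands in for the enterprise CA).
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
    openssl req -x509 -new -key "$dir/ca.key" -days 365 \
        -subj "/CN=Example Lab Issuing CA" -out "$dir/ca.crt" 2>/dev/null
    # Device key and CSR. The subject CN is what the supplicant presents.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/client.key"
    openssl req -new -key "$dir/client.key" -subj "/CN=$cn" \
        -out "$dir/client.csr" 2>/dev/null
    # Extension profile the CA applies at signing time; the OpenSSL
    # equivalent of a template whose Intended Purpose is Client Authentication.
    {
        echo "basicConstraints = CA:FALSE"
        echo "keyUsage = digitalSignature"
        if [ "$eku" != none ]; then
            echo "extendedKeyUsage = $eku"
        fi
        echo "subjectKeyIdentifier = hash"
    } > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/client.ext" \
        -out "$dir/client.crt" 2>/dev/null
}

# check_eap_tls_client_cert CERT
# Returns 0 when CERT carries the Client Authentication EKU and has no
# wildcard in its subject; 1 when that EKU is absent (a Microsoft
# supplicant will not use the certificate); 2 when the subject contains "*".
check_eap_tls_client_cert() {
    cert=$1
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication'; then
        echo "FAIL: $cert has no Client Authentication EKU" >&2
        return 1
    fi
    subject=$(openssl x509 -in "$cert" -noout -subject)
    case $subject in
        *\**)
            echo "FAIL: wildcard in subject: $subject" >&2
            return 2 ;;
    esac
    echo "OK: $subject (Client Authentication EKU present)"
    return 0
}

# Demo on constructed names: one compliant device certificate, one with a
# wildcard subject, one issued without any EKU.
work=$(mktemp -d)
issue_client_cert "$work/good" "tablet-0042.corp.example"
check_eap_tls_client_cert "$work/good/client.crt"
issue_client_cert "$work/wild" "*.corp.example"
check_eap_tls_client_cert "$work/wild/client.crt" || echo "(rejected, as expected)"
issue_client_cert "$work/noeku" "tablet-0043.corp.example" none
check_eap_tls_client_cert "$work/noeku/client.crt" || echo "(rejected, as expected)"
```

The check deliberately greps the human-readable `-text` output rather than the EKU extension alone so it works on OpenSSL versions that predate `-ext`; a certificate with only `serverAuth` in its EKU fails the same way as one with no EKU at all, which is the case the thread warns about.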