ISE Certificates

CiscoIPMAN
Level 1

We are planning to deploy ISE for BYOD and I have a question about certificates. We have a very large campus network (at a Higher Ed university), so would it be required for every user to install a certificate when they try to connect wirelessly? There could be so many different devices, and I do not want to have to troubleshoot students' devices if they cannot install a cert. But my concern would be that if they don't have the public cert, they will get an invalid cert page when they get redirected to ISE.

Has anybody deployed ISE BYOD on a large scale? We will be using PEAP (MSCHAP v2) with the student userID and password for authentication.

Thanks

4 Replies

ammahend
VIP

In your case, clients do not necessarily need to have certificates; they just need to trust the public CA that you will use to sign the CSR for the portal certificate, so that they do not get a certificate error when redirected to ISE for the BYOD portal.

Most browsers already support most well-known public CAs. You can see the trusted root certs under the advanced settings of the browser.

**rate helpful posts**

-hope this helps-

Ammahend,

Thanks for the reply. So I could use a wildcard cert or another public cert like the one used for a web server and import that cert as the cert for ISE? And use PEAP as the inner authentication method that users will use to authenticate?

Yes, also ensure that you import the root cert into the trusted cert store and check it for client authentication.

This link will help you; there are also tons of videos available for ISE certificate management on YouTube, so look into one of those as well: http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0111.html

**rate helpful posts**

-hope this helps-

Using wildcard certs will let you do the trick, but I have seen that importing certs from other platforms sometimes does not work properly, even when I used OpenSSL to change the format to the one required by ISE. Give it a try and let us know.

An important use of the wildcard cert is explained in the attached file. Please take a look at slides 23 to 30 of the attached document.

Another suggestion in addition to the wildcard cert is an F5 LB with the ISE PSNs (or similar). We are in the process of implementing that, and the Cisco guide has some lost parts.

Our environment is similar to yours, 100K students and staff, and we are using PEAP.
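As an added example (not code from this thread, from Cisco, or from ISE itself) tying together ammahend's point that clients only need to trust the CA that signed the portal certificate and the later note that OpenSSL-converted certs sometimes fail to import: the script below builds a throwaway lab CA with OpenSSL, issues a wildcard certificate for made-up ISE hostnames under example.edu, and then runs the three checks a practitioner would want to do before importing into ISE: does the cert chain to the trusted root and cover a given FQDN (which is what a student's browser decides when redirected to the portal), does the private key actually belong to the cert, and does the cert carry the serverAuth extended key usage. The lab CA stands in for the public CA; the domain, hostnames, file names and config are assumptions, and the checks are generic OpenSSL, not ISE's own import logic.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from Cisco.
# Builds a lab CA with OpenSSL, issues a wildcard cert for hypothetical ISE
# names, then runs the checks worth doing before importing cert + key into ISE.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

DOMAIN="example.edu"          # assumed campus domain (constructed for the example)
CNF="$WORK/openssl.cnf"

# Self-contained OpenSSL config so the example does not depend on the system
# openssl.cnf. v3_server carries the SANs a browser will check: the wildcard
# plus the bare apex name, which a wildcard never covers on its own.
cat > "$CNF" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.${DOMAIN},DNS:${DOMAIN}
EOF

build_lab_pki() {
  # 1. Lab root CA (stands in for the public CA the thread recommends).
  openssl req -x509 -config "$CNF" -extensions v3_ca -days 365 \
    -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Lab Root CA" >/dev/null 2>&1
  # 2. CSR for the wildcard server cert; -nodes leaves the key unencrypted.
  openssl req -config "$CNF" -newkey rsa:2048 -nodes \
    -keyout "$WORK/ise.key" -out "$WORK/ise.csr" \
    -subj "/CN=*.${DOMAIN}" >/dev/null 2>&1
  # 3. The CA signs the CSR and adds the v3_server extensions (SANs, EKU).
  openssl x509 -req -in "$WORK/ise.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$CNF" -extensions v3_server \
    -out "$WORK/ise.pem" >/dev/null 2>&1
}

# Check 1: does the cert chain to the trusted root AND cover this FQDN?
# Returns 0 on success, non-zero on an untrusted chain or hostname mismatch.
cert_valid_for_host() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
    "$WORK/ise.pem" >/dev/null 2>&1
}

# Check 2: does the private key belong to the certificate? Comparing the
# SubjectPublicKeyInfo from both sides catches a key/cert mix-up, a common
# reason an import of a converted cert is rejected.
key_matches_cert() {
  cert_pub="$(openssl x509 -in "$WORK/ise.pem" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$WORK/ise.key" -pubout)"
  [ "$cert_pub" = "$key_pub" ]
}

# Check 3: the cert asserts the serverAuth EKU expected of a portal/EAP server cert.
cert_has_server_auth() {
  openssl x509 -in "$WORK/ise.pem" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Server Authentication'
}

build_lab_pki
# Constructed hostnames: portal, a PSN, the apex, and a PSN with an extra label.
for host in "ise.${DOMAIN}" "ise-psn1.${DOMAIN}" "${DOMAIN}" "guest.psn1.${DOMAIN}"; do
  if cert_valid_for_host "$host"; then echo "OK       $host"; else echo "MISMATCH $host"; fi
done
key_matches_cert && echo "private key matches certificate"
cert_has_server_auth && echo "certificate has serverAuth EKU"
```

The run shows the wildcard caveat that matters for a large PSN deployment: `*.example.edu` covers ise.example.edu and ise-psn1.example.edu, the bare example.edu only matches because it was added as an explicit SAN, and guest.psn1.example.edu does not match at all, since a wildcard covers exactly one DNS label. Every FQDN that students can be redirected to (portal name and each PSN) has to be covered by a SAN, or they will see exactly the invalid-cert page the original question worries about, even with a publicly trusted CA.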