ISE Certs - Shifting from External SCEP to Internal CA

scottyd (Level 1)

We have just upgraded to 2.6 and onboarding is not working.

Deployment is two nodes only.

Original setup is an external MS PKI SCEP setup and would like to move away from this.

The server certs used for all roles are issued from our MS PKI infrastructure. We would like to keep this part and get the organisations root cert installed (no MDM).

However, the current certs do not have any SAN entries, which is probably why it no longer onboards.

GOALS:

Renew the server certs with SANs

Move to using the Internal CA of ISE

Hopefully not have to re-onboard existing devices

 

Once we have the certs with SANs, is all we have to do to change the Native Supplicant Profile/Wireless Profile to use the Certificate Template which uses the SCEP RA Profile of "ISE Internal CA"?

 

In our test ISE we tried and used a Comodo certificate on the BYOD portal, to prevent one more untrusted server error for the end users, but found that this certificate was used to create the device certificates and its root cert was installed on the device. Is this normal behavior? I thought that the cert assigned to EAP would have been used.

 

Attached is the Auth Policy

4 Replies

It depends on what you configured in your BYOD enrollment policy. If you have a profile to install the Comodo certificate then you will have it installed.

EAP certs are used for EAP communication only between BYOD and NAD (which in this case will failover to MAB unless you have dot1x on your BYOD devices). The BYOD installed certificate is usually used to be matched by policy for successful device authentication/authorization.

**** please remember to rate useful posts

Thanks for the reply, but I am not sure what exactly you mean by "BYOD enrollment profile". So I have attached what I think is relevant. We are still getting the Sectigo root installed when onboarding like this, even though it is only referenced with the BYOD Portal cert group.

Where am I going wrong?

Regards

Scott

 

Hello scottyd,
When you want to move away from the MS PKI SCEP setup to the ISE internal CA, you will have to re-onboard existing devices unfortunately.

The “BYOD-Portal” tagged certificate (which is issued from Sectigo) is meant for the portal, not for provisioning a certificate. In “TDHB NSP Profile”, you were using “EAP_Authentication_certificate_Template”, and “EAP_Authentication_certificate_Template” is used for provisioning certificates to onboarding devices using the Internal CA.
Once onboarded, you should see the below:
1. Wireless profile installed on the device pointing to the SSID called “TDHB-BYOD-2”, and
2. User certificate installed, signed by the ISE internal CA, with the OU, O, L, ST and Country pointed in “EAP_Authentication_certificate_Template”

Hope that clarifies your confusion.

Thanks for the reply. I think I have figured out that part. As I understand, ISE installs the root cert from the portal, to enable it to have a trust to push out the profile. So the only way I can get our PKI root installed is by having a cert signed from our PKI associated to the portal.

 

Next challenge is that the current server cert, which is signed from our PKI, does not have any entries in the SAN. This is probably the reason that newer iOS and Android are not able to onboard. Should I be able to renew the server certs to add the FQDN of both ISE nodes to the SAN and expect currently onboarded devices to still authenticate? At least until we switch over to using the internal CA.
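The thread's last question turns on whether the renewed server cert actually lists both ISE node FQDNs in its subjectAltName. The script below is an added example, not part of the thread or of Cisco's tooling; it assumes only the openssl CLI is installed. It builds two constructed self-signed certs (one with only a CN, like the failing certs described above, and one with a SAN naming both nodes) and checks each against the hostnames clients connect to. All hostnames (ise-node1.example.test, ise-node2.example.test) are constructed; point `san_covers` at the real cert exported from each node.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a server certificate's
# subjectAltName covers every FQDN clients use to reach the ISE nodes.
# Assumes the openssl CLI is on PATH. All hostnames are constructed.

set -u
WORK=$(mktemp -d)

# make_sample_cert OUTFILE [SANLIST]
# Writes a self-signed cert standing in for a PKI-issued ISE server cert.
# With no SANLIST the cert has only a CN, like the thread's failing certs.
make_sample_cert() {
  out=$1; san=${2:-}
  {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n'
    if [ -n "$san" ]; then printf 'x509_extensions = ext\n'; fi
    printf '[dn]\nCN = ise-node1.example.test\n'
    if [ -n "$san" ]; then printf '[ext]\nsubjectAltName = %s\n' "$san"; fi
  } > "$out.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
    -days 1 -config "$out.cnf" >/dev/null 2>&1
}

# san_names CERT : print each DNS SAN on its own line (nothing if no SAN ext)
san_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# san_covers CERT FQDN... : returns 0 if every FQDN is a DNS SAN, 1 otherwise
san_covers() {
  cert=$1; shift
  names=$(san_names "$cert")
  rc=0
  for fqdn in "$@"; do
    if printf '%s\n' "$names" | grep -qxF -- "$fqdn"; then
      echo "OK       $fqdn"
    else
      echo "MISSING  $fqdn"
      rc=1
    fi
  done
  return $rc
}

# Demo: cert with only a CN (no SAN) vs. a renewed cert listing both nodes.
OLD_CERT="$WORK/old.pem"
NEW_CERT="$WORK/new.pem"
make_sample_cert "$OLD_CERT"
make_sample_cert "$NEW_CERT" "DNS:ise-node1.example.test, DNS:ise-node2.example.test"

echo "== old cert (CN only) =="
san_covers "$OLD_CERT" ise-node1.example.test ise-node2.example.test || echo "-> re-issue with SANs"
echo "== renewed cert =="
san_covers "$NEW_CERT" ise-node1.example.test ise-node2.example.test && echo "-> covers both nodes"
```

Run it against the cert actually served by each node's portal and EAP role; a MISSING line for either node FQDN (or no DNS SANs at all) is the condition newer iOS and Android clients reject, regardless of what the CN says.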