ISE Certs

GRANT3779
Spotlight

Hi CSC,

I am trying to get my head around the workings of Certificates within ISE as I wasn't the one who set the cert side of things up.

We have our own internal PKI with machine and user certificates pushed out globally.

I see the following within ISE, which have been set up already.

System Certs
Trusted Certs

Under System Certs I have e.g. "Cert 1", which has various SAN entries -

DNS Name: ise.company.com
DNS Name: authentication.company.com
DNS Name: wifi.company.com
DNS Name: ise-01.company.corp
DNS Name: ise-02.company.corp

Usage - Admin, EAP Authentication

Under Trusted Certs, there are various -

Our Root CA
Machine Cert
User Cert

These are both configured for the following usage -

Trust for authentication within ISE

Trust for client authentication and Syslog

Trust for authentication of Cisco Services

Now my query is - What are each of these certificates used for and when?

When using wired 802.1X, for example for corporate PCs/users, and I want to use EAP-TLS (machines and users already have certs) - does ISE check the client-presented certs against the "Trusted Certs"?

When would the system cert be used that has all the SAN fields? This one also says it has EAP Auth usage.

Any easy-to-understand info welcome :-) I really just want to know which certs would be used for machine/user auth when using EAP-TLS.

Thanks

1 Accepted Solution


Francesco Molino
VIP Alumni

Hi 

I'll try to answer your question in a simple way. 

Your cert1 is your ISE certificate used in the certification profile to authenticate (validate) certificates from your users and devices for EAP-TLS authentication. As per your input it has the admin feature, which means it's used when you're accessing your ISE through HTTPS so you don't get the standard "not trusted website" message.

The different SAN addresses are used when accessing ISE through HTTPS for the admin, guest, sponsor or other portals using the FQDN and not the IP. If the IP isn't part of the certificate values, you should get the "not trusted website" message when accessing ISE by IP instead of by name.

The trusted certificates are used to validate all presented certificates (root and subordinate certificates). You'll have all the public certification authorities, and you should have your internal root CA and subordinate CA.

Hope this is clear enough. 

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
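To make the two roles described in the answer concrete (the trust store deciding whether an endpoint's certificate is accepted, and the system certificate's SAN entries and key usage deciding whether it is a valid server identity), here is an added example using a throwaway PKI built with the openssl CLI. It is not code from the thread, from Cisco, or from ISE itself; it only emulates the checks a RADIUS server performs on a presented client certificate. Every name (example.test, pc-001, "Some Other CA", the DEMO_RUN variable) is made up, and it assumes OpenSSL 1.1.1 or newer is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a toy internal PKI and run the
# same two kinds of check that matter in EAP-TLS:
#   1. a presented endpoint cert must chain to a CA in the trust store and be
#      usable for client authentication;
#   2. the server (ISE system) cert must carry the DNS name the peer expects.
# Assumptions: openssl 1.1.1+ on PATH; all names are constructed for the demo.
set -e

# Create a toy PKI under $1: root CA, an "ISE system certificate" with SAN
# entries and serverAuth usage, a machine certificate with clientAuth usage,
# and an unrelated CA that is NOT in our trust store.
build_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Internal root CA: this is what you would import under Trusted Certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null

    # System certificate: server identity for the Admin / EAP Authentication roles.
    cat > "$dir/ise.ext" <<'EOF'
subjectAltName = DNS:ise.example.test,DNS:ise-01.example.test
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ise.example.test" \
        -keyout "$dir/ise.key" -out "$dir/ise.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ise.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -extfile "$dir/ise.ext" -out "$dir/ise.pem" 2>/dev/null

    # Machine certificate: what the supplicant presents during EAP-TLS.
    cat > "$dir/pc.ext" <<'EOF'
extendedKeyUsage = clientAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pc-001.example.test" \
        -keyout "$dir/pc.key" -out "$dir/pc.csr" 2>/dev/null
    openssl x509 -req -in "$dir/pc.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -extfile "$dir/pc.ext" -out "$dir/pc.pem" 2>/dev/null

    # A CA we never imported: certificates chaining to it must be rejected.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Some Other CA" -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}

# Emulate the trust-store check on a presented client certificate: it must
# chain to a CA in $1 and be valid for the SSL/TLS client purpose.
# Prints "trusted" or "rejected".
check_client_cert() {
    ca_file="$1"; cert_file="$2"
    if openssl verify -purpose sslclient -CAfile "$ca_file" "$cert_file" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# Print the DNS SANs of a certificate, one per line.
cert_dns_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# "match" if name $1 is one of the DNS SANs of certificate $2, else "mismatch".
# This is the comparison a browser or supplicant makes against the FQDN it used.
san_matches() {
    if cert_dns_sans "$2" | grep -qx "$1"; then echo match; else echo mismatch; fi
}

# Stand-alone demo: DEMO_RUN=1 sh this_script.sh
if [ "${DEMO_RUN:-0}" = "1" ]; then
    d=$(mktemp -d)
    build_demo_pki "$d"
    echo "PC cert vs internal root CA:     $(check_client_cert "$d/root.pem" "$d/pc.pem")"
    echo "PC cert vs unrelated CA:         $(check_client_cert "$d/other.pem" "$d/pc.pem")"
    echo "ISE system cert as client cert:  $(check_client_cert "$d/root.pem" "$d/ise.pem")"
    echo "ise.example.test in SAN:         $(san_matches ise.example.test "$d/ise.pem")"
    echo "10.0.0.1 in SAN:                 $(san_matches 10.0.0.1 "$d/ise.pem")"
    rm -rf "$d"
fi
```

The first two checks show why the question's Root CA entry under Trusted Certificates is what decides whether a machine or user certificate is accepted: the same endpoint certificate is trusted against the internal root and rejected against a CA that was never imported. The third shows that the system certificate is a server identity, not a client identity, and the last two show the role of the SAN list: a connection by FQDN matches, a connection by IP does not, which is the "not trusted website" warning the answer mentions.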


2 Replies


Thanks Francesco,

Managed to get EAP-TLS working successfully.