ISE: How to deal with expired certificate when running 802.1x EAP-TLS?

REJR77
Level 1

Hello,

 

Is there a "Best Practice" when dealing with expired client certificates with EAP-TLS machine certificates?

 

Even if GPO should renew machine certificates before they expire, we can imagine scenarios where people may not be able to connect because their certificate has expired.

 

I've read in this post https://community.cisco.com/t5/network-access-control/ise-clients-expired-certificate/td-p/3399082 that we can "allow" expired certificates and then assign the user to some sort of remediation zone where they will be able to renew their certificate (Microsoft CA).

 

So the user will have limited access to the network and won't understand why he cannot access the usual resources. Is there a way to inform the user that the authentication failed because his certificate has expired and that he will have limited access (until the IT team renews his cert)?

 

Just a matter of good user experience.

Thanks for your feedback or good ideas.

3 Replies

Mike.Cifelli
VIP Alumni

Is there a "Best Practice" when dealing with expired client certificates with EAP-TLS machine certificates?

-IMO this depends on your requirements. From previous experience, most typically set up a parking lot with restricted access. This may require setting up an additional network for this intended purpose, and/or a fallback auth mechanism such as MAB.

 

So the user will have limited access to the network and won't understand why he cannot access the usual resources. Is there a way to inform the user that the authentication failed because his certificate has expired and that he will have limited access (until the IT team renews his cert)?

-IMO this depends on what supplicant you are using. If using AnyConnect NAM, when 802.1x terminates and falls over to MAB there should be a popup indicating a certificate missing error. However, I am not 100% sure if you are using NAM and/or have MAB enabled for fallback purposes. If using the native supplicant you may need to introduce some user education. You could, as mentioned, set up a parking lot that these clients/users will be authorized to, which will allow them to renew certs with restricted access. User education could be how to check IPs and what the subnet indicates, how to verify cert renewal via MMC, and ways to reauth/verify successful authc/authz upon having proper certs.

See if this helps:

How To Implement Digital Certificates in ISE - Cisco Community

HTH!
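The "user education" items in the reply above (check the IP/subnet, verify the machine cert in MMC) can be scripted so the laptop itself tells the user why it has limited access. The following PowerShell is an added example, not part of any reply here and not Cisco code; the parking-lot subnet and warning window are assumptions to replace with your own values.

```powershell
# Added example, not from this thread or from Cisco: automates the two checks Mike's
# reply suggests teaching users, so the PC itself can tell the user why EAP-TLS left
# it with limited access: (1) machine-cert validity (the store MMC shows under
# Certificates (Local Computer) > Personal) and (2) is the PC on the parking-lot subnet.
$ParkingLotSubnet = '10.250.0.0/16'      # assumption: your remediation VLAN
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'  # id-kp-clientAuth EKU
$WarnDays         = 30                   # assumption: warn this far ahead
function Test-InSubnet {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    # Reverse big-endian address bytes so BitConverter yields a host-order uint32
    $ipInt  = [BitConverter]::ToUInt32(([IPAddress]$Ip).GetAddressBytes()[3..0], 0)
    $netInt = [BitConverter]::ToUInt32(([IPAddress]$net).GetAddressBytes()[3..0], 0)
    $hostMask = ([uint64]1 -shl (32 - [int]$bits)) - 1
    $mask = [uint32]([uint32]::MaxValue -bxor [uint32]$hostMask)
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}
function Get-MachineAuthCert {
    # Machine certs that have a private key and the Client Authentication EKU
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        (($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
          ForEach-Object { $_.EnhancedKeyUsages.Value }) -contains $ClientAuthOid)
    } | Sort-Object NotAfter -Descending
}
$now   = Get-Date
$certs = @(Get-MachineAuthCert)
if ($certs.Count -eq 0) {
    Write-Warning 'No machine certificate with the Client Authentication EKU: EAP-TLS cannot succeed. Contact the help desk.'
}
foreach ($c in $certs) {
    $days = [int]($c.NotAfter - $now).TotalDays
    if ($c.NotAfter -lt $now) {
        Write-Warning ("Machine certificate '{0}' EXPIRED on {1}: access is restricted, contact the help desk." -f $c.Subject, $c.NotAfter)
    } elseif ($days -le $WarnDays) {
        Write-Warning ("Machine certificate '{0}' expires in {1} days: run 'certutil -pulse' to trigger auto-enrolment." -f $c.Subject, $days)
    } else {
        Write-Host ("Machine certificate '{0}' is valid until {1}." -f $c.Subject, $c.NotAfter)
    }
}
# An address inside the remediation subnet means ISE authorised the session with
# restricted access (or the switch fell back to MAB), not that the network is down.
Get-NetIPAddress -AddressFamily IPv4 |
  Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
  ForEach-Object {
    if (Test-InSubnet -Ip $_.IPAddress -Cidr $ParkingLotSubnet) {
        Write-Warning ("{0} on '{1}' is in the restricted network {2}: 802.1X did not grant full access." -f $_.IPAddress, $_.InterfaceAlias, $ParkingLotSubnet)
    }
  }
```

Run it in an elevated PowerShell session on the client (for example from a logon script or a scheduled task), after replacing the placeholder subnet with the remediation VLAN that ISE assigns.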

Arne Bier
VIP

There isn’t enough education and emphasis on good certificate hygiene. We’re all taught that cert based auth is the best and safest method. But handling cert renewal is often overlooked. In a corporate environment you’re probably using Microsoft Group Policy and Auto enrol to keep client certs valid. Beyond that, you might be lucky if your devices are MDM managed and can auto renew. But for the rest, perhaps someone has written a database to track all the deployed certs and will remind someone to renew them 6 months in advance. 
This might not help your cause but I think it’s irresponsible to implement a cert based solution where valid devices are not operating with a valid certificate. If certs have expired then they are doing what they’re designed to do. Block access. 

Hello Arne,

I agree with you. The design around certificate enrollment / certificate renewal etc. has to be done by the system team, but in the end the end user does not know anything about all this stuff, and I would like to know if with ISE we can inform the end user when something goes wrong with his laptop so that he can ask the help desk.

I would assume that 95% of the use cases with 802.1x will work, but it is always the last 5% (exceptions) for which we have to find a nice way to handle things.