05-03-2018 11:55 AM
Hi,
I have a deployment of Cisco 1100 routers for IPsec. The C1100 has an 8-port LAN switch with 802.1X and RADIUS support.
Therefore the customer will require both a RADIUS server to authenticate the end devices that connect to the LAN switch of the router and a CA for the IPsec tunnel certificates.
I understand that ISE does not support a CA for use cases other than BYOD. My question is whether we integrate with 3rd-party CAs. If not, do we have a favorite 3rd-party CA?
Thanks in advance,
Jose
05-03-2018 03:27 PM
Please explain your use case.
The onboarding of devices through SCEP or EST is only supported for our BYOD process with Windows, OS X, Apple iOS, Android and Google Chromebooks.
We recommend using our internal certificate authority, as it's free, easy and on by default.
You can also use this CA manually through the certificate provisioning portal and through the use of APIs, say for Linux machines or IoT-type devices authenticating with ISE.
You can integrate with an external CA, but it's not recommended or easy.
For your use case, it looks like you're trying to onboard routers for certificate authentication?
I have heard of people doing this, but it's not something we have documented.
05-05-2018 12:02 AM
It seems you might be thinking of "Cisco ISE Internal CA Issues Certificates to ASA VPN Users".
However, IOS routers, as a VPN head-end, do not appear to have this ASA capability (ASA 8.X: "AnyConnect SCEP Enrollment Configuration Example - Cisco").
Thus, most likely you would need to obtain the identity certificates for the endpoints by another means (e.g. ISE BYOD) and then manually designate them for IPsec RA VPN.
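For the router side of this, the C1100 can enrol its own identity certificate directly from the customer's CA over SCEP and then use it for IKEv2 peer authentication; that is the standard IOS PKI path, independent of whether ISE is the CA. The configuration below is an added example for this thread, not something posted by the participants above or taken from Cisco documentation. The trustpoint and key-pair names, the SCEP URL, the hostnames and the domain (example.net) are placeholders, and the exact SCEP enrolment path depends on the CA product in use.

```text
! --- Trustpoint for the customer's CA (names and URL are placeholders) ---
crypto pki trustpoint IPSEC-CA
 enrollment url http://ca.example.net:80
 subject-name CN=c1100-site1.example.net,O=Example
 revocation-check crl
 rsakeypair IPSEC-KEY 2048
 auto-enroll 70 regenerate
!
! Exec-mode steps: fetch the CA certificate (compare its fingerprint with the
! CA operator out of band before accepting it), then submit the router's CSR.
!   crypto pki authenticate IPSEC-CA
!   crypto pki enroll IPSEC-CA
!
! --- Certificate map: only accept peer certificates from our own domain ---
! Without this, any certificate the CA has ever issued would be accepted as a peer.
crypto pki certificate map SITE-PEERS 10
 subject-name co example.net
!
! --- IKEv2 with certificate (rsa-sig) authentication on both sides ---
crypto ikev2 proposal IPSEC-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IPSEC-POL
 proposal IPSEC-PROP
!
crypto ikev2 profile SITE-TO-SITE
 match certificate SITE-PEERS
 identity local fqdn c1100-site1.example.net
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint IPSEC-CA
!
! Verification after enrolment and tunnel bring-up:
!   show crypto pki certificates IPSEC-CA
!   show crypto ikev2 sa
```

Two points a practitioner should check: `revocation-check crl` means the router must be able to reach the CRL distribution point in the CA certificate, or IKE authentication will fail once the cached CRL expires; and the certificate map is what scopes trust to the tunnel peers, because `pki trustpoint` alone trusts every certificate the CA signs, including the 802.1X client certificates issued from the same CA.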