ISE integration with Certificate Authority (CA)

JDores
Cisco Employee

Hi,

I have a customer that is deploying Cisco 1100 routers for an IPSec deployment. The C1100 has 8P LAN switching with 802.1X and RADIUS support.

Therefore, the customer will require both a RADIUS server to authenticate the end devices that connect to the LAN switch of the router and a CA for the IPSec tunnel certificates.

I understand that ISE does not support CA for use cases other than BYOD. My question is if we integrate with 3rd party CAs. If not, do we have a favorite 3rd party CA? 

Thanks in advance,

Jose

2 Replies

Jason Kunst
Cisco Employee

Please explain your use case.

The onboarding of devices through SCEP or EST is only supported for our BYOD process with Windows, OS X, Apple iOS, Android and Google Chromebooks.

We recommend using our internal Certificate Authority, as it’s free, easy and on by default.

You can also use this CA manually through the certificate provisioning portal and through the use of APIs, say for Linux machine or IoT-type device authentication with ISE.

You can integrate with an external CA, but it’s not recommended or easy.

For your use case, it looks like you’re trying to onboard routers for certificate authentication?

I have heard of people doing this, but it’s not something we have documented.

hslai
Cisco Employee

It seems you might be thinking of "Cisco ISE Internal CA Issues Certificates to ASA VPN Users".

However, IOS routers, as a VPN head-end, do not appear to have this ASA capability in ASA 8.X: AnyConnect SCEP Enrollment Configuration Example - Cisco

Thus, most likely you would need to obtain the identity certificates for the endpoints by another means (e.g. ISE BYOD) and then manually designate them for IPSec RA VPN.