ISE Internal CA for IOT Devices

kkaminsk
Cisco Employee

Folks,

Are there any docs or best practice examples for using the Internal ISE CA for issuing and controlling certificates for IOT devices?

Accepted Solutions

Surendra
Cisco Employee
Can your IOT devices do 802.1x? Especially EAP-TLS? If not, then I am curious to know why you would want to generate certificates from ISE. If they do support it, why not get certificates from your Enterprise CA? (unless you do not have one)

If they support EAP-TLS and you would want to authenticate them with ISE:

You can use ISE to generate certificates for IOT devices. It will require manual intervention to generate certificates on ISE and install them on the IOT devices. There is no automatic way you can get this done.

Once you have the certificates installed, there shouldn’t be any problem authenticating those devices if both the device and ISE are configured properly.

There are no best practices or a guide to do this because most IoT devices are usually low-cost, limited-resource devices which have a defined function. They usually do not support advanced features like EAP-TLS or any standard authentication mechanism providing a supplicant that ISE can leverage for authentication. They may not have enough resources on them to provide such functionality.

2 Replies

@Surendra is correct. However, I don’t recommend using enterprise PKI unless there is some automation behind it. ISE for several releases has had an API to request certs. A customer could automate their own system to make this happen.