
ISE internal CA for VPN Clients

joeharb
Level 5

We have around 1500 VPN clients and would like to utilize the internal CA on ISE to issue/revoke certificates. Is this a supported deployment? We have different authentication methods for specific VPN users (AD/RSA) and utilize a certificate map to trigger the tunnel group and ISE authentication policies to match. We would like to be able to utilize SCEP from the ASA to ISE to issue specific client certs. We have this working but don't want to deploy if using the internal ISE CA in this fashion is not advised/supported.

Thanks,

Joe

1 Reply

Hi there,

I tested this exact scenario a couple of years ago. From memory, I did get this working, but did not go ahead with it in production. The ISE CA is featureless and the ISE Certificates are just intended for BYOD scenarios, so I personally wouldn't use it for what you want to use it for.

If possible, I'd go for a Microsoft CA, use the NDES role as the SCEP server, and this will give you everything you want.

HTH