ISE Posture Certificate Requirements

llomjaria (Level 1)

Hello,

I have a question regarding certificate requirement:

Our client is aiming to implement BYOD, and once the devices are onboarded, they are redirected to the posture portal for compliance checks. Since the devices undergoing compliance checks are not managed by the client's organization, we need to upload well-known certificates on ISE nodes – specifically for the BYOD and Posture portal, as well as for the ISE Admin role.

I am particularly interested in understanding the certificate requirements for the portal and Admin roles. As far as I am aware, in the Subject Alternative Name (SAN), all PSN (Policy Service Node) Fully Qualified Domain Names (FQDNs) should be included. However, I would like to delve deeper into the necessary Extended Key Usages (EKUs), Key Usages (KUs), and any other parameters crucial for the proper functioning of these certificates, especially for the portal and posture compliance check.

7 Replies

What is the use-case for allowing unmanaged devices onto the protected network at all? Why not use an MDM for posture instead?

At this moment they do not have an MDM solution. So the only way to do it is ISE.

What is the use-case for allowing unmanaged devices onto the protected network at all?

Are you planning on using agentless posture? Secure Client? Temporal Agent? Will the untrusted/unknown devices have enough administrative rights to install software and perform the necessary posture checks? What are the client types? Windows? Mac? iOS? Android? Chromebooks? All have slightly different requirements for various portions of certificate trust. All of these questions are why it's always better to use an MDM than NAC-based posture.

Thanks for reply!

We are going to use Secure Client. Yes, devices will have enough rights to install software and check posture. Only Windows and macOS clients.
Yes, I understand that an MDM is the better solution in this case, but the client does not want it now.

You will need Secure Client Premier licensing and ISE Premier licensing for each of these clients as well. Will you be using the Client Provisioning Portal for the clients to download Secure Client? Or are you going to have the clients somehow pre-install the client and ISE Posture Module? Essentially yes, you are correct: a public certificate containing all of the names you mention will be needed. I can't speak to any specific EKU/KU requirements though.

Thanks. We will use CPP.

I am aware of the licensing and SAN fields of the certificate. The question is about EKUs and KUs.

The Extended Key Usage for ISE portals (including the admin portal, unless you use a multi-use certificate) should only include the server authentication attribute; there is no need to include anything else, such as client authentication or certificate signing, for example.

Certificate types require different extended key usages. This list outlines which extended key usages are required for each certificate type:

ISE Identity Certificates

  • Multi-Use (Admin, EAP, Portal, pxGrid) - Client and Server Authentication
  • Admin - Server Authentication
  • EAP Authentication - Server Authentication
  • Datagram Transport Layer Security (DTLS) Authentication - Server Authentication
  • Portal - Server Authentication
  • pxGrid - Client and Server Authentication
  • Security Assertion Markup Language (SAML) - SAML Signing Certificate
  • ISE Messaging Service - Generate a Signing Certificate or generate a brand new Messaging Certificate
Source: Configure EAP-TLS Authentication with ISE - Cisco
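The two requirements the replies converge on for a portal certificate (Server Authentication as the EKU, and every PSN FQDN present as a DNS entry in the SAN) can be verified before the certificate is uploaded to ISE. The script below is an added example, not code from this thread or from Cisco; it assumes a POSIX shell with the openssl CLI (1.1.1 or later, for `-addext`) and awk, and the PSN hostnames under example.com are constructed sample values. It builds a throwaway self-signed certificate with the recommended shape and then runs the same check a practitioner would run against a real CA-issued certificate file.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): pre-flight check of a
# certificate intended for the ISE BYOD/Posture portal.
# Assumes: POSIX sh, awk, and the openssl CLI (1.1.1+ for -addext).
# The PSN FQDNs below are constructed sample values, not real hosts.
set -eu

# Constructed sample PSN FQDNs; every PSN must appear in the SAN.
PSN_FQDNS="psn1.example.com psn2.example.com portal.example.com"

# make_sample_cert OUTFILE: builds a throwaway self-signed certificate with
# the shape the thread recommends for a portal certificate: serverAuth as the
# only EKU, a TLS-appropriate Key Usage, and one DNS SAN entry per PSN.
make_sample_cert() {
    out="$1"
    san="$(printf 'DNS:%s,' $PSN_FQDNS)"   # word-split on purpose
    san="${san%,}"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days 1 -subj "/CN=psn1.example.com" \
        -addext "subjectAltName=$san" \
        -addext "extendedKeyUsage=serverAuth" \
        -addext "keyUsage=digitalSignature,keyEncipherment" >/dev/null 2>&1
}

# ext_value CERTTEXT NAME: prints the line that follows the named X509v3
# extension header in `openssl x509 -text` output (empty if absent).
ext_value() {
    printf '%s\n' "$1" | awk -v hdr="X509v3 $2" 'index($0, hdr){getline; print; exit}'
}

# check_portal_cert CERTFILE FQDN...: returns 0 when the EKU contains
# Server Authentication and every FQDN given is present as a DNS SAN entry;
# returns 1 otherwise and prints what is missing. clientAuth is only warned
# about: it is unnecessary for a portal-only certificate, but not fatal.
check_portal_cert() {
    cert="$1"; shift
    text="$(openssl x509 -in "$cert" -noout -text)"
    rc=0

    eku="$(ext_value "$text" "Extended Key Usage")"
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "FAIL: EKU lacks serverAuth (got: ${eku:-none})"; rc=1 ;;
    esac
    case "$eku" in
        *"TLS Web Client Authentication"*)
            echo "WARN: EKU also carries clientAuth; a portal-only certificate does not need it" ;;
    esac

    # Key Usage is reported for review rather than judged: the thread only
    # settles the EKU question.
    echo "INFO: Key Usage: $(ext_value "$text" "Key Usage" | sed 's/^ *//')"

    # Append a separator so each entry is matched exactly ("DNS:host,"),
    # not as a prefix of a longer name.
    san="$(ext_value "$text" "Subject Alternative Name"), "
    for fqdn in "$@"; do
        case "$san" in
            *"DNS:$fqdn,"*) ;;
            *) echo "FAIL: SAN is missing DNS:$fqdn"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo: generate the sample certificate and check it against the PSN list.
tmp="${TMPDIR:-/tmp}/ise-portal-sample.$$"
trap 'rm -f "$tmp.crt" "$tmp.crt.key"' EXIT
make_sample_cert "$tmp.crt"
check_portal_cert "$tmp.crt" $PSN_FQDNS && echo "OK: certificate meets the portal requirements"
```

To check a certificate issued by a public CA, skip `make_sample_cert` and call `check_portal_cert /path/to/portal.crt psn1.example.com psn2.example.com ...` with the real PSN FQDNs; a non-zero exit means at least one FAIL line was printed.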