02-16-2024 12:50 AM
Hello,
I have a question regarding certificate requirement:
Our client is aiming to implement BYOD, and once the devices are onboarded, they are redirected to the posture portal for compliance checks. Since the devices undergoing compliance checks are not managed by the client's organization, we need to upload well-known certificates on ISE nodes – specifically for the BYOD and Posture portal, as well as for the ISE Admin role.
I am particularly interested in understanding the certificate requirements for the portal and Admin roles. As far as I am aware, in the Subject Alternative Name (SAN), all PSN (Policy Service Node) Fully Qualified Domain Names (FQDNs) should be included. However, I would like to delve deeper into the necessary Extended Key Usages (EKUs), Key Usages (KUs), and any other parameters crucial for the proper functioning of these certificates, especially for the portal and posture compliance check.
02-16-2024 08:43 AM
What is the use-case for allowing unmanaged devices onto the protected network at all? Why not use an MDM for Posture instead?
02-19-2024 12:00 AM
At this moment they do not have an MDM solution. So the only way to do it is ISE.
02-19-2024 05:31 AM - edited 02-19-2024 05:32 AM
What is the use-case for allowing unmanaged devices onto the protected network at all?
Are you planning on using agentless posture? Secure Client? Temporal Agent? Will the untrusted/unknown devices have enough administrative rights to install software and perform the necessary posture checks? What are the client types? Windows? Mac? iOS? Android? Chromebooks? All have slightly different requirements for various portions of certificate trust. All of these questions are why it's always better to use an MDM than NAC-based posture.
02-19-2024 06:39 AM
Thanks for the reply!
We are going to use Secure Client. Yes, devices will have enough rights to install software and check posture. Only Windows and MacOS clients.
Yes, I understand that MDM is a better solution in this case, but the client does not want it now.
02-19-2024 06:59 AM
You will need Secure Client Premier licensing and ISE Premier licensing for each of these clients as well. Will you be using the Client Provisioning Portal for the clients to download Secure Client? Or are you going to have the clients somehow pre-install the client and ISE Posture Module? Essentially yes, you are correct, a public certificate containing all of the names you mention will be needed. I can't speak to any specific EKU/KU requirements though.
02-19-2024 07:08 AM
Thanks. We will use CPP.
I am aware of the licensing and SAN fields of the certificate. The question is about EKUs and KU.
02-19-2024 09:52 AM - edited 02-19-2024 09:52 AM
The Extended Key Usages for ISE portals (including the admin portal, unless you use a multi-use certificate) should only include the server authentication attribute; there is no need to include anything else, such as client authentication or certificate signing, for example.
Certificate types require different extended key usages. This list outlines which extended key usages are required for each certificate type:
ISE Identity Certificates
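The two certificate properties this thread settles, the SAN listing every PSN FQDN (raised in the question) and an EKU of server authentication only (the answer above), can be checked before the certificate is uploaded to ISE. The Go program below is an added example, not code from the thread or from Cisco: it builds throwaway self-signed certificates in place of a CA-issued portal certificate, then reports any PSN name missing from the SAN and any EKU beyond serverAuth. The PSN hostnames are hypothetical. The thread does not settle the Key Usage question, so the report only exposes the KU bits for inspection and does not judge them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical PSN hostnames; a real deployment lists its own PSN FQDNs here.
var psnFQDNs = []string{"ise-psn1.example.com", "ise-psn2.example.com"}

// PortalCertReport is the result of checking one certificate against the
// portal-certificate properties discussed in the thread.
type PortalCertReport struct {
	MissingSANs   []string           // expected PSN FQDNs absent from the SAN extension
	HasServerAuth bool               // EKU contains TLS Web Server Authentication
	ExtraEKUs     []x509.ExtKeyUsage // any EKU other than serverAuth (e.g. clientAuth)
	KeyUsage      x509.KeyUsage      // reported for inspection only, not judged
}

// OK is true when every PSN FQDN is in the SAN and the EKU is exactly serverAuth.
func (r PortalCertReport) OK() bool {
	return len(r.MissingSANs) == 0 && r.HasServerAuth && len(r.ExtraEKUs) == 0
}

// CheckPortalCert inspects a parsed certificate. Hostname comparison is
// case-insensitive because DNS names are; a CN-only certificate fails
// because modern clients ignore the CN and match on the SAN.
func CheckPortalCert(cert *x509.Certificate, fqdns []string) PortalCertReport {
	r := PortalCertReport{KeyUsage: cert.KeyUsage}
	present := make(map[string]bool, len(cert.DNSNames))
	for _, n := range cert.DNSNames {
		present[strings.ToLower(n)] = true
	}
	for _, f := range fqdns {
		if !present[strings.ToLower(f)] {
			r.MissingSANs = append(r.MissingSANs, f)
		}
	}
	for _, e := range cert.ExtKeyUsage {
		if e == x509.ExtKeyUsageServerAuth {
			r.HasServerAuth = true
		} else {
			r.ExtraEKUs = append(r.ExtraEKUs, e)
		}
	}
	return r
}

// CheckPortalCertPEM parses a PEM-encoded certificate (e.g. the file the CA
// returned) and checks it.
func CheckPortalCertPEM(pemBytes []byte, fqdns []string) (PortalCertReport, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return PortalCertReport{}, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return PortalCertReport{}, err
	}
	return CheckPortalCert(cert, fqdns), nil
}

// MakeTestCert builds a throwaway self-signed certificate with the given SAN
// names and EKUs; it stands in for a CA-issued portal certificate.
func MakeTestCert(dnsNames []string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Good: both PSN names in the SAN, serverAuth only.
	good, _ := MakeTestCert(psnFQDNs, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	// Bad: one PSN name missing, clientAuth added alongside serverAuth.
	bad, _ := MakeTestCert(psnFQDNs[:1], []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	for label, c := range map[string]*x509.Certificate{"good": good, "bad": bad} {
		r := CheckPortalCert(c, psnFQDNs)
		fmt.Printf("%s: ok=%v missingSAN=%v extraEKU=%v keyUsage=%d\n", label, r.OK(), r.MissingSANs, r.ExtraEKUs, r.KeyUsage)
	}
}
```

In practice the exported PEM of the certificate the CA issued is fed to CheckPortalCertPEM with the deployment's PSN FQDN list; a certificate that is missing a PSN name or that carries clientAuth or other EKUs shows up in MissingSANs or ExtraEKUs before it is ever bound to the BYOD, Posture or Admin role.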