ISE server cert signed by well known CA for BYOD

Madura Malwatte
Level 4

I am trying to determine the steps for the ISE server cert to be signed by a well-known CA for issuing to BYOD devices. At the moment, I am using the ISE self-signed server cert for BYOD (the cert issued to BYOD devices by the PSN is signed by the PAN). What is the process to get the PSN cert that is issued to the BYOD device signed by a well-known CA?


Do I need to generate a CSR for usage type: "ISE Intermediate CA" option, as shown below?

Screen Shot 2018-11-28 at 2.13.29 pm.jpg

and then where do I import this and how would I tell ISE to issue it to BYOD devices? Is there a guide on the exact steps?



Surendra
Cisco Employee
I believe there are two parts to this question.

1. How to get a certificate issued by a well known CA for PSNs to be used for the BYOD portal?
2. How can you use a well-known CA to issue certificates to BYOD devices?

Answer to the first question is pretty straight forward. Generate a CSR for multi-purpose usage, get it signed by a CA, bind that certificate issued to the CSR generated and during the same, choose for it to be used by the portals and assign it a tag. In the BYOD portal, make sure to use the tag given to this certificate.

Answer to the second question, you cannot simply get certificates signed by a well known CA for the BYOD devices. There is only one way you can get certificates issued by a CA on ISE which is using SCEP protocol. You can configure an external CA which supports SCEP and is authorized to issue certificates or you can use the built-in CA using SCEP internal calls to issue certificates. Simply having the certificates of an external CA does not help the cause here. Well known CAs obviously will not issue certificates without any cost.

Hi Surendra,


Actually neither of the two points is the question I am asking about. I already have a well known CA signed cert for all the portals (byod, mydevices, guest, etc) and I am not trying to do SCEP either.


Instead I am referring to the PSN issuing a cert to BYOD devices where the cert is signed by a well-known CA. At the moment it's self-signed (the root CA is the PAN). I don't want to run into problems with Apple devices not being able to trust the cert.


I still can't understand your question in that case. What exactly are you using this self-signed cert for? Can you please explain with an example, maybe?

Okay, so below is an example of a cert that was issued to a user's BYOD device. You can see it was issued by the PSN and signed by the root CA, which is the PAN. I read that Apple iOS devices won't trust the cert unless it's signed by a well-known CA. So my question is: how can the PSN have the cert it issues to BYOD devices signed by an external root CA, instead of the PAN?

Screen Shot 2018-11-29 at 12.30.59 am.jpg

There are several articles, videos, etc. out there.

Recommendation would be to use a wildcard in the SAN for all your PSNs as listed below.

Would recommend looking at the BYOD guide/how-to put there as well.

Keep in mind that Apple devices always have to trust the PSN cert manually, regardless of whether it is from a well-known root, when connecting to an SSID. This is an Apple requirement. Also, if you don't have a well-known root you will not be able to go through the BYOD flow without errors, manual trust and breakage of the flow (this is a separate issue from connecting to the SSID for the first time).


https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0110.html

Hi Jason,


Thanks for the reply. I went through the BYOD deployment guide doc and config guide; though it mentions this can be done, I can't seem to find the exact steps. I have submitted a wildcard CSR to a public CA, but this I plan to use for the portals only. Would this automatically get used for issuing to BYOD devices?

Here is another great article
https://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html

The certificate that resides on the PSN isn't issued to the BYOD devices. It is used when setting up the trusted communication between the PSN and the device. Not only will you need to apply it to the portals but you will also need it for EAP.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0110.html#reference_3CE11FC8D0F14A3285E37D197B5646A3
Certificate Usage
When you add or import a certificate in to Cisco ISE, you should specify the purpose for which the certificate is to be used:
· Admin: For internode communication and authenticating the Admin portal
· EAP: For TLS-based EAP authentication
· RADIUS DTLS: For RADIUS DTLS server authentication
· Portal: For communicating with all Cisco ISE end-user portals
· pxGrid: For communicating with the pxGrid controller
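As an added example (not from this thread or from Cisco), the following POSIX shell script builds a throwaway root CA standing in for the public CA, signs a PSN certificate whose SAN is a wildcard as recommended above, and then runs the checks a supplicant or browser applies before trusting the PSN for EAP or a portal: chain to a trusted root, SAN covering the PSN FQDN, and a serverAuth EKU. The domain example.com and the host names are placeholders.

```shell
#!/bin/sh
# Added example, not ISE code. Throwaway CA + wildcard-SAN PSN cert, then the three
# checks a client makes before trusting the PSN. All names are placeholders.
WORK=$(mktemp -d)
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Placeholder Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # CSR extensions: one wildcard SAN for every PSN, plus the EKUs a TLS server needs
  printf 'subjectAltName=DNS:*.example.com,DNS:ise.example.com\nextendedKeyUsage=serverAuth,clientAuth\n' > "$WORK/ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
    -keyout "$WORK/psn.key" -out "$WORK/psn.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/psn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/ext.cnf" -out "$WORK/psn.crt" 2>/dev/null
}
# Check 1: the cert chains to a root the client already trusts ($2 = root bundle)
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# Print the DNS names in the SAN, one per line
san_dns() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}
# Check 2: the name the client connects to ($2) is covered by the SAN; a wildcard
# matches one label only, so *.example.com covers psn1.example.com, not a.b.example.com
san_matches() {
  parent=${2#*.}
  while read -r name; do
    if [ "$name" = "$2" ]; then return 0; fi
    case "$name" in
      \*.*) if [ "${name#\*.}" = "$parent" ]; then return 0; fi ;;
    esac
  done <<EOF
$(san_dns "$1")
EOF
  return 1
}
# Check 3: serverAuth EKU present (supplicants reject EAP server certs without it)
has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' \
    | grep -q 'TLS Web Server Authentication'
}
make_test_pki
for fqdn in psn1.example.com ise.example.com a.b.example.com; do
  if chain_ok "$WORK/psn.crt" "$WORK/ca.crt" && san_matches "$WORK/psn.crt" "$fqdn" \
     && has_server_auth "$WORK/psn.crt"; then
    echo "$fqdn: client would trust this PSN cert"
  else
    echo "$fqdn: client would NOT trust this PSN cert"
  fi
done
```

Run the same three functions against the real PSN cert and the public root bundle to confirm the signed cert covers every PSN FQDN before assigning it the EAP and Portal usages.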