Managing certificates in ISE?

Marc_Abaya (Level 1)

We're currently evaluating ISE as a replacement for our current cloud Radius platform (SecureW2). Watching those ISE training videos and reading the notes, it appears we have to deal with a bunch of certs. How do you manage these certs in ISE? It looks like ISE has a web interface just for managing PKI credentials and they can show expiration dates. But is there a way to automate them like renewals, revocation, etc.?

We have about 700 endpoints and about half are running MDM (Intune and Jamf). For those not running an MDM, will it be a pain to roll ISE? Apologies for the many questions.


Accepted Solution

@Marc_Abaya normally Jamf (or any other MDM) would manage the certificate renewals; ISE just cares that the certificate is valid and grants/denies access accordingly.

If you were referring to the BYOD CA, I believe that when the client certificate is near expiry they will need to go to the certificate provisioning portal to re-enrol again. https://community.cisco.com/t5/network-access-control/ise-byod-handling-of-expired-or-expiring-certs/td-p/3564168
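As an added illustration (not code from this thread, from Cisco, or from ISE itself), the two points above modelled in Python: the authenticator only checks that a client certificate chains to a trusted CA and is inside its validity window, while "renew soon" is the early warning the MDM (or the BYOD user via the provisioning portal) has to act on. The 30-day renewal window, the CA and device names, and the `cryptography` library being installed are all assumptions; every certificate is constructed in memory as test data.

```python
# Model of what an EAP-TLS authenticator such as ISE checks on a client certificate
# (trusted issuer + validity window), plus an early-warning flag for renewal. Uses the
# 'cryptography' library (assumed installed); all certificates are constructed test data.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
RENEWAL_WINDOW_DAYS = 30  # assumed lead time for the MDM to re-issue; tune to policy
def make_cert(cn, not_before, not_after, issuer=None):
    """Issue an EC cert for cn; issuer=(cert, key) signs it, None makes a self-signed CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, issuer_key = (issuer[0].subject, issuer[1]) if issuer else (name, key)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer_name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=issuer is None, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))
    return cert, key
def _utc(cert, attr):  # tz-aware accessors exist in cryptography >= 42; else add tzinfo
    value = getattr(cert, attr + "_utc", None)
    return value if value is not None else getattr(cert, attr).replace(tzinfo=timezone.utc)
def evaluate(cert, trusted_ca, now):
    """(decision, reason, days_left): decision models grant/deny; 'renew soon' is for the MDM."""
    try:  # issuer name must match and the CA key must verify the signature
        if cert.issuer != trusted_ca.subject:
            raise ValueError("issuer mismatch")
        trusted_ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return ("deny", "untrusted issuer", None)
    days_left = (_utc(cert, "not_valid_after") - now).days
    if not _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after"):
        return ("deny", "outside validity period", days_left)
    if days_left <= RENEWAL_WINDOW_DAYS:
        return ("accept", "renew soon", days_left)
    return ("accept", "ok", days_left)
def demo(now=None):
    """Corporate CA, rogue CA and four constructed client certs -> {label: evaluation}."""
    now = now or datetime.now(timezone.utc).replace(microsecond=0)
    d = timedelta(days=1)
    ca = make_cert("Corp Device CA", now - 365 * d, now + 3650 * d)
    rogue = make_cert("Rogue CA", now - d, now + 3650 * d)
    cases = {"managed-ok": make_cert("laptop-01", now - d, now + 365 * d, ca)[0],
             "renew-soon": make_cert("laptop-02", now - 355 * d, now + 10 * d, ca)[0],
             "expired": make_cert("laptop-03", now - 400 * d, now - d, ca)[0],
             "rogue-ca": make_cert("laptop-04", now - d, now + 365 * d, rogue)[0]}
    return {label: evaluate(cert, ca[0], now) for label, cert in cases.items()}
```

In a real deployment the same `evaluate` logic would run over certificates exported from the MDM or from the ISE certificate store, with "renew soon" feeding a ticket or the MDM's re-issue workflow rather than a test dictionary.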


3 Replies

@Marc_Abaya typically the ISE CA is used in BYOD environments; it is generally recommended to use a Windows CA to distribute management endpoint certificates using GPO or MDM.

Here is the guide to onboarding certificates using the client provisioning portal: https://community.cisco.com/t5/security-knowledge-base/cisco-ise-byod-prescriptive-deployment-guide/ta-p/3641867

In regard to the certificates on the ISE nodes themselves, each role can have individual certificates or share the same certificate. The endpoints should trust the EAP certificate for authentications.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html

https://community.cisco.com/t5/security-blogs/ise-adding-certificates-to-ise-and-creating-certificate-profiles/ba-p/3662630


Rob, thanks for the quick reply. We're going to use Google as our IdP and a public CA for the certs. Is there any sort of automation in regard to renewal and revocation? It looks like ISE has an API for connectivity with Jamf, etc.

I'll also look at those links you've provided.
