
mobail certificate

vereduk
Level 1

Hi,

I want to use EAP-TLS for a Wi-Fi connection with ISE.

What is the cert template that I need to use?

 

2 Replies

Arne Bier
VIP

Are you asking for the cert that ISE presents to the supplicant, or do you mean the client (supplicant) cert?

 

Here are some highlights for the ISE cert (purpose = EAP):

Subject Common Name: can be anything but don't put a wildcard in here (e.g. *.mycompany.com) - it breaks Windows supplicants

EKU (Extended Key Usage): Server Authentication

Encryption: RSA 2048 bits (don't need more than this) - avoid ECC for now - not many clients support it

Signature: SHA256

 

Of course the client has to trust the cert that ISE presents during the EAP negotiation. How you achieve this is another discussion. Either purchase a public CA issued cert for ISE, or issue the ISE cert via internal PKI. But then you need to push that PKI cert chain to all the clients.

 

This is pretty well documented in the ISE Admin Guide.

Adding to the above, here is the document which you can follow: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html

Also, your question is titled Mobail certificate and if you are looking for EAP-TLS with mobile devices, then you could potentially be looking at BYOD for which the documentation is here https://community.cisco.com/t5/security-documents/ise-byod/ta-p/3641689
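
The ISE EAP certificate highlights from Arne Bier's reply (non-wildcard subject, Server Authentication EKU, RSA 2048, SHA256) can be checked on a CSR before it goes to the CA. This is an added example, not part of the thread or of Cisco's documentation; it assumes the CSR is built with OpenSSL, and the hostname `ise01.example.internal` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Hostname below is a constructed placeholder.

# make_eap_csr <fqdn> <outdir>: RSA 2048 key plus SHA-256-signed CSR that
# requests the Server Authentication EKU, per the highlights in the reply.
make_eap_csr() {
  fqdn=$1; dir=$2
  cat > "$dir/eap.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
[ext]
extendedKeyUsage = serverAuth
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/eap.cnf" \
    -keyout "$dir/eap.key" -out "$dir/eap.csr" 2>/dev/null
}

# check_eap_csr <csr>: prints one line per failed check; returns 0 only if all pass.
check_eap_csr() {
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) || { echo "unreadable CSR"; return 2; }
  subject=$(openssl req -in "$1" -noout -subject 2>/dev/null)
  rc=0
  case $subject in
    *'*'*) echo "wildcard in subject"; rc=1 ;;
  esac
  echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || { echo "key is not RSA"; rc=1; }
  echo "$text" | grep -q 'Public-Key: (2048 bit)' || { echo "key is not 2048 bits"; rc=1; }
  echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "signature is not SHA256 with RSA"; rc=1; }
  echo "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "EKU lacks Server Authentication"; rc=1; }
  return $rc
}

# Demo: generate a CSR for the constructed hostname and check it.
demo_dir=$(mktemp -d)
make_eap_csr ise01.example.internal "$demo_dir" && check_eap_csr "$demo_dir/eap.csr" \
  && echo "CSR in $demo_dir matches the listed attributes"
```

`check_eap_csr` also works on a CSR exported from elsewhere, so the same checks can gate what is submitted to a public CA or the internal PKI.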