Showing results for 
Search instead for 
Did you mean: 

Question about certificate planning for ISE

Jason Salmans

I've been learning and tinkering with an ISE trial before recommending changes to our production nodes.  Specifically, I'm figuring out EAP-TLS to see if we want to offer that option to our staff and students instead of just PEAP (which, unfortunately, given our password policy, requires modifying device settings after every password change).

We have an AD CA server and we generated a long certificate there and then used that to sign a CSR for an Intermediate cert from ISE and it is now using that certificate for device cert signing and EAP authentication.

I've gotten the BYOD flow working and can see how devices going through that flow get their certificate.

The next thing I'm trying to figure out is, if we were to do wired 802.1x everywhere, what is the process for generating a cert or certs for devices like APs, VoIP phones, and domain-joined computers?  I'm assuming you don't have to onboard each device manually?  If not, then you'd presumably generate a certificate on ISE that then gets installed on the WLC, CUCM, or in Group Policy for the domain-joined machines and they'd simply all share the same certificate?  I know AD CA can generate machine specific certs for the domain-joined devices but I'd think ISE wouldn't trust them because they'd be signed by the AD CA root and not by the ISE intermediate cert.

4 Replies 4

Depends entirely on the device.  Whether or not they support EAP-TLS and certificate enrollment using SCEP, GPO, etc.  

Why are you considering the ISE CA at all?  Is ISE an intermediate CA for your AD CA?  Or a completely separate CA is used for BYOD?  Why not trust your AD CA for client authentication and have that push certificates to your devices.  The ISE CA is not designed to be an enterprise level CA.

Hi ahollifield,

Because the ISE server would also be signing certs for EAP-TLS for BYOD devices and those devices are not going to be joined to the domain or an MDM.

In our future deployment, ISE would also presumably be doing 802.1x wired port authentication for non-BYOD devices (domain-joined PCs, VoIP phones, access points, and any other device we own that can support that security level).  This is what I'm trying to figure out.. what is the design to be able to do both.

Our current test is indeed running an ISE certificate generated with an Intermediate Cert CSR from ISE and was signed by our AD CA root cert.  The BYOD Prescriptive Deployment Guide describes this as a Subordinate CA I believe.  When I imported that cert to fulfill the CSR on ISE, it set that cert up to sign EAP-TLS device certificates for devices going through the BYOD flow.

I certainly could use my AD CA for everything as I understand that one of the ISE protocols for this is to not sign things itself but, instead, to pass on all signing requests to the AD CA server (described in the guide as SCEP Proxy).  However, my understanding was that this is legacy and perhaps not recommended now?

The point that I'm confused on is, if using the Subordinate CA method, ISE needs to sign those certs for all devices being authenticated with 802.1x certificates on the network, whether they're BYOD or institution owned.  The BYOD devices have an onboarding procedure that can be accomplished by the individual device owners but I'm trying to figure out what you do for the institution-owned devices in a more scalable and easy-to-deploy way.  I can't imagine each has to be individually onboarded... I assume you have to generate a non-device-specific common cert on ISE and deploy it on these other platforms or like a Cisco WLC and let it handle handing out certs to the individual APs for example.

Or perhaps the recommended solution is the use the SCEP Proxy and let everything be done on the AD CA but I haven't found any documentation stating that this is the way it needs to be done.

It varies widely based on device.  Domain joined PCs you use group policy to auto enroll in the PKI and receive their certificate and supplicant config.  Last I checked a Cisco AP does not support EAP-TLS, Meraki APs have no concept of a wired 802.1x supplicant at all.  I'm not sure the process for CUCM phones but I know they do support EAP-TLS.

ISE is not designed to be used as an enterprise CA.  It should not the SCEP relay point for certificate deployment, this should exist on your PKI deployment itself, not on ISE.  ISE already trusts everything signed by that CA (since you have imported the trust chain into ISE).

Thanks for the response.

I guess this is the point of confusion for me and probably something I'm missing in my understanding of the certificate chains and how they work in this scenario.

Which certificate should be configured on ISE to do be the EAP cert used for the server side in the EAP-TLS exchange?  On my lab setup, I have it set up to the be same intermediate/sub-CA cert that ISE is using to sign BYOD device certs.

If other devices in our infrastructure (non-BYOD) are not getting certificates signed by ISE and, instead, are getting certificates signed directly from the AD CA root, they would have a slightly different certificate chain.. same root but minus the ISE intermediate cert.

Keeping that in mind, if I plug in a domain-joined PC to a ISE-protected wired port configured for 802.1x, it's going to have to negotiate with the EAP auth cert on ISE.  Will it trust the ISE intermediate/sub-CA as the server-side cert in the 802.1x auth process?  Or does it have to be one in the chain of the device certificate it has installed (such as using a copy of the AD CA root certificate as the server-side EAP auth certificate in ISE)?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: