10-23-2017 03:03 AM
I have an ISE deployment that is currently using AD for auth of users. I would like to use certificates to verify the machine identity; one thing that is holding me back is that the deployment has no PKI.
As ISE can function as a CA, is it possible to create CSRs on the endpoints and then use the ISE CA to sign them? These are static endpoints and not BYOD, so once the certs are pushed out there is little ongoing admin.
10-23-2017 09:48 AM
Does this help?
https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/certificate_provisioning/b_certificateprovisioningportalFAQs.html#reference_BCF69D6F74A547AB93079B75B94231A2__Q1
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200534-ISE-2-0-Certificate-Provisioning-Portal.html
10-27-2017 01:27 AM
Hi, thank you so much for your helpful answer; that's cleared it up for me. Certificate signing requests were indeed what I was looking at instead of cloud services routers.
10-23-2017 10:10 AM
If CSRs means certificate signing requests, and if they conform to the certificate templates in ISE, then ISE may sign them, as George already pointed out.
If CSR means Cisco Cloud Services Router, then the ISE internal CA does not currently support issuing certificates for Cisco IOS devices, last I checked. That is because Cisco IOS requires the certificate to have Key-encipherment, digital-signature, or both, and the CA certificates in the ISE internal CA chains do not meet that.