
Cisco Employee

Using ISE Internal CA as a Corporate PKI

Hello,

I have a customer that is currently looking at redesigning their current PKI. They wish to use the Internal CA feature as an intermediary of a external root for the provisioning point for all of their corporate assets including MS devices. This would not be for a BYOD function but the corporate authentication.

This is not something I have seen in the past or advised outside of a BYOD/pxGrid use; typically an MS CA or a 3rd-party function. So I have some questions, if I may:

  1. Is this a supported design for the Internal CA?
  2. Are there any scale issues or limits?
  3. If this is supported, what are the major considerations or limitations?
    1. I assume a lack of auto-enrollment, and that user interaction is required in general?

Endpoint count is in the realm of 100K.

Thanks in advance!

Dave

ACCEPTED SOLUTION
Cisco Employee

Is this a supported design for the Internal CA?

  • [A] ISE is supported to function as a Sub-CA, however it is not intended for purposes beyond BYOD and pxGrid

Are there any scale issues or limits?

If this is supported, what are the major considerations or limitations?

- I assume a lack of auto-enrollment, and that user interaction is required in general?

  • [A] Yes, auto-enrollment won’t work. The certificate template is not customizable. No option for machine certs if necessary. Not sure if GPO for supplicant configuration will work, may have to do the supplicant configuration manually, which needs local admin rights on the endpoint. The other option to consider is to use the native supplicant provisioning flow to automate the certificate installation and supplicant configuration.

~Hari


3 REPLIES
Cisco Employee

I don't quite understand what they want to do.

Are you trying to do certificate provisioning through ISE acting as the SCEP server, but outside of the BYOD flow?

If that's the case, it's not something that is tested (and therefore supported), and it would be completely up to the customer to investigate.

Advocate

I don't see why they would want to go through the pain of doing this. ISE would not support auto-enrollment for MS devices. They would all have to go through the client provisioning portal to get a cert. The ISE internal CA should be used for one-off provisioning, in my opinion, not as an enterprise issuing server.

