Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2675
Views
0
Helpful
3
Replies

Using ISE Internal CA as a Corporate PKI

Go to solution
datomkin
Cisco Employee
Cisco Employee

‎03-23-2018 06:34 AM

Hello,

I have a customer that is currently looking at redesigning their current PKI. They wish to use the Internal CA feature as an intermediary of a external root for the provisioning point for all of their corporate assets including MS devices. This would not be for a BYOD function but the corporate authentication.

This is not something I have seen in the past or advised outside of a BYOD/Pxgrid use- Typically and MS CA or 3rd Party function. So I have some questions if I may:

  1. Is this a supported design for the Internal CA?
  2. Are there any scale issues or limits?
  3. If this is supported, what are the major consideration or limitations.
    1. I assume a lack of auto enrollment and user interaction is required in general?.

Endpoint count is in the realm of 100K

Thanks in advance!

Dave

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hariholla
Cisco Employee
Cisco Employee

‎03-25-2018 04:14 PM

Is this a supported design for the Internal CA?

  • [A] ISE is supported to function as a Sub-CA, however it is not intended for purposes beyond BYOD and pxGrid

Are there any scale issues or limits?

If this is supported, what are the major consideration or limitations.

- I assume a lack of auto enrollment and user interaction is required in general?.

  • [A] Yes, auto-enrollment won’t work. The certificate template is not customizable. No option for machine certs if necessary. Not sure if GPO for supplicant configuration will work, may have to do the supplicant configuration manually, which needs local admin rights on the endpoint. The other option to consider is to use the native supplicant provisioning flow to automate the certificate installation and supplicant configuration.

~Hari

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎03-23-2018 06:51 AM

I don’t quite understand what they want to do?

Are you trying to do certificate provisioning thru ISE acting as the SCEP server? But outside of the BYOD flow?

If that’s the case it’s not something tested therefore supported and would be completely up to customer to investigate

0 Helpful

Go to solution
paul
Level 10
Level 10

‎03-23-2018 10:09 AM

I don't see why they would want to go through the pain of doing this.  ISE would not support autoenrollment for MS devices.  They would all have to through the client provisioning portal to get a cert. The ISE internal CA should be used for one off provisioning in my opinions not as an enterprise issuing server.

0 Helpful

Go to solution
hariholla
Cisco Employee
Cisco Employee

‎03-25-2018 04:14 PM

Is this a supported design for the Internal CA?

  • [A] ISE is supported to function as a Sub-CA, however it is not intended for purposes beyond BYOD and pxGrid

Are there any scale issues or limits?

If this is supported, what are the major consideration or limitations.

- I assume a lack of auto enrollment and user interaction is required in general?.

  • [A] Yes, auto-enrollment won’t work. The certificate template is not customizable. No option for machine certs if necessary. Not sure if GPO for supplicant configuration will work, may have to do the supplicant configuration manually, which needs local admin rights on the endpoint. The other option to consider is to use the native supplicant provisioning flow to automate the certificate installation and supplicant configuration.

~Hari

0 Helpful
Customers Also Viewed These Support Documents