Using ISE to authenticate supplicants using certificates

jsol
Level 1

First of all, I have to say that I'm totally new to the world of certificates.

My customer has a wireless network working properly, with supplicants using certificates and authenticating against a Juniper RADIUS server. Now we need to replace the Juniper devices with two Cisco ISE. He has provided me with the CA certificates, which I've installed in the CA Certificates store on every ISE server. What else do I need for the supplicants to continue working with the new ISE (with no changes at the supplicant level)?

I suppose I need a Local Certificate for each ISE server, signed by the same CA as the supplicants, don't I? So I have to generate a CSR from each ISE and send it to the CA to sign them, don't I?

I suppose I need to create a Certificate Authentication Profile, don't I?

Do I have to do something else?

Thanks,

3 Replies

Marcin Latosiewicz
Cisco Employee

One thing I would also make sure of is that EAP-TLS/EAP-FAST is ticked in the allowed protocols.

Policy -> Results -> Authentication -> Allowed Protocols -> Pick your policy

Jatin Katyal
Cisco Employee

Yes, your understanding of this issue is correct.

You need to generate a CSR from the ISE. A CSR and its private key are generated and stored in Cisco ISE. You can view this CSR in the Certificate Signing Requests page. You can export the CSR and send it to a CA to obtain a signature. http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_cert.html#wp1077292

After your CSR is signed by the same CA and returned to you, use this process to bind the CA-signed certificate with its private key. http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_cert.html#wp1103485

Let me know if you have any questions.

Jatin Katyal

- Do rate helpful posts -

~Jatin
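
A pre-bind check for the CSR workflow described in this thread, added as an example here (it is not from the posters or from Cisco): with the OpenSSL CLI on an admin workstation, it confirms that a returned certificate carries the public key of that node's CSR and chains to the CA the supplicants already trust. The file names, subject names and throwaway CAs are constructed for the demo, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run on a CA-signed certificate before binding it in ISE.
# Every file name and subject below is constructed for the demo.

pubkey_hash() {  # $1 = req|x509, $2 = PEM file; prints SHA-256 of the public key
    key=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$key" | openssl sha256 | awk '{print $NF}'
}

# 0 = ok, 1 = cert does not match this node's CSR, 2 = not issued by the
# CA the supplicants trust, 3 = unreadable input
check_signed_cert() {  # $1 = CSR, $2 = signed cert, $3 = CA cert
    csr_h=$(pubkey_hash req "$1") || return 3
    crt_h=$(pubkey_hash x509 "$2") || return 3
    if [ "$csr_h" != "$crt_h" ]; then
        echo "FAIL: public key differs from the one in this CSR"; return 1
    fi
    if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
        echo "FAIL: does not chain to the supplicants' CA"; return 2
    fi
    echo "OK: $(openssl x509 -in "$2" -noout -subject)"
}

make_demo() {  # $1 = work dir; builds throwaway CAs and two ISE-node CSRs
    d=$1; cnf="$d/demo.cnf"
    printf '[req]\ndistinguished_name=req\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$cnf"
    for ca in ca other; do
        openssl req -x509 -config "$cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
            -days 1 -subj "/CN=demo $ca CA" -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
    done
    for n in ise1 ise2; do
        openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=$n.example.test" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/ise1.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/ise1.pem" 2>/dev/null
    openssl x509 -req -in "$d/ise1.csr" -CA "$d/other.pem" -CAkey "$d/other.key" \
        -CAcreateserial -days 1 -out "$d/ise1_other.pem" 2>/dev/null
}

tmp=$(mktemp -d) && make_demo "$tmp"
check_signed_cert "$tmp/ise1.csr" "$tmp/ise1.pem" "$tmp/ca.pem"                # matches, right CA
check_signed_cert "$tmp/ise2.csr" "$tmp/ise1.pem" "$tmp/ca.pem" || true        # other node's CSR
check_signed_cert "$tmp/ise1.csr" "$tmp/ise1_other.pem" "$tmp/ca.pem" || true  # signed by another CA
rm -rf "$tmp"
```

With two ISE nodes, the second case is the one that catches certificates swapped between nodes before the bind step.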