Wired 802.1x and Certificates

Jonathan Rees
Level 1

Hi all,

I'm slowly moving forward with ISE and 802.1x, going from monitor-only mode to rolling out 802.1x across my wired implementation. As I understand it, in order for this to work, there needs to be some basic config on the switches and the PC, and the PC needs to trust the ISE certificate.

This seems different from wireless, which apparently uses a BYOD portal and installs certificates onto the end device. (Is that the case, or am I missing something?)

I've gotten some good links on how to configure ISE (still missing the piece that explains the BYOD portal and certificate deployment to my satisfaction). The outstanding questions I have today are:

1) How do I best deploy the 802.1x config to my desktops? The obvious answer seems to be GPO for the domain Windows PCs.

2) In the lab I can get my PC's 802.1x config to work if I manually trust the Intermediate Certificate of ISE in the Windows Intermediate Trust group. Obviously I can script/GPO this, but is there a better way? Is there a portal option for wired similar to BYOD that would save me some work on the admin side?

3) ISE has its own CA built in. Is there a reason not to use that vs an internal one?

Thanks for any steer you can provide!

Jon

4 Replies

Marvin Rhoads
Hall of Fame

The easiest way to deploy is if you have something like SCCM. You can then push the client and associated profile(s) via that method. If you're handy with GPOs you can certainly do it via that route.

Certificate approaches are largely based on what CA you are using and what relation, if any, it has with other certs in your environment.

ISE CA is primarily intended for organizations without any internal PKI or already trusted internal CA. You can allow ISE to be subordinate to such an internal CA or not use ISE's CA at all, depending on your requirements.

Thanks Marvin,

I'm guessing there's not really any sort of BYOD portal option for wired connections where desktops can register themselves vs my GPO (or SCCM) option?

Jon

You can use the BYOD portal for wired users. It's more commonly associated with wireless but works just as well for either case.

I recently did just such a deployment for a university's dormitories, where the students are required to register their devices prior to being allowed full connectivity on the wired network.

You can have them register and be added to an endpoint group for use in a MAB-based policy or alternatively redirect them to a supplicant provisioning flow where they download the AnyConnect supplicant (Network Access Module at least and optionally VPN, ISE Posture etc.) and associated profiles.

Which path you choose depends on your organization's existing processes and capabilities. ISE can handle it either way.

Hello Marvin,

Do you have any document for this setup? Please share it if you do not mind.

Thanks

Shabeeb