11-02-2017 10:13 AM
I'm setting up my ISE (ver 2.3.0.298) to do EAP-TLS authentication with various wireless devices. The devices are not capable of using SCEP to obtain their certificates and keys, so I am going to have to set up a laptop to request access through the ISE and have the ISE communicate to my external SCEP proxy (Microsoft Server 2012 R2) to request client certificates...
My first question is this: do all the client certificates (we may have up to 100,000 of these devices) need to be loaded into the Trusted Certificate store on the ISE (I believe they would need to for EAP-TLS to function)?
If they do need to be in the Trusted Certificate store for client certificate validation, can I use a BYOD device to get certificates through the ISE BYOD portal communicating to my Microsoft MSCEP service, and will the retrieved client certificates be automatically placed into the ISE Trusted Certificate store?
11-02-2017 10:45 AM
No, the certificates of each client do not need to be in the trusted certificate store.
You will need to put the root certificate chain of your PKI server into the trusted certificate store in order to trust the endpoint clients for authentication.
Is there a reason you're not using the internal certificate authority on ISE itself?
We also have the certificate provisioning portal to help with onboarding of IoT devices, and this can be accessed via an API; please reference the admin guide.
For BYOD and understanding of integration, please look at http://cs.co/ise-community under BYOD for examples on how to integrate with an external server if needed.
11-02-2017 11:11 AM
Thanks Jason!
I answered my first question earlier today about client certs in the Trusted store...
In response to your question: I would use the internal ISE certificate authority if I could. Unfortunately our devices (using a TI chipset) do not support 4096-bit keys, and the internal ISE root cert used has a 4096-bit key.
I may not need to use a BYOD 'spoof' though, since the client certificates do not need to be in the Trusted Cert store... Our customer requirement currently is to use an external trusted root CA, which is why I am using a 2012 R2 server... I have options for authenticating 'smarter' devices and users that way as well.
I will look more at the provisioning portal as well as BYOD for other clients... thanks.
Karl Peters
858-201-8840
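To illustrate the two points above (only the issuing CA chain has to be trusted, and the external root can be issued with a 2048-bit key for devices that cannot handle 4096-bit), here is an added lab script that is not from this thread or from Cisco. It builds a throwaway root CA and two client certificates with openssl, then verifies each client cert against nothing but the root, the way an ISE Trusted Certificates store would; all names and the temp directory are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Requires the openssl CLI.
set -eu
WORK="$(mktemp -d)"

# Root CA with a 2048-bit key, matching the device constraint raised in
# the thread (constructed lab subject names).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
  -subj "/CN=Lab Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# A second, unrelated CA that the "trust store" will NOT contain.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
  -subj "/CN=Other Root CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# issue_client NAME: key + CSR for the device, signed by the lab root.
issue_client() {
  local name="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$WORK/$name.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/$name.pem" 2>/dev/null
}

# verify_against_ca CERT CAFILE: exit 0 if CERT chains to CAFILE, else 1.
# CAFILE stands in for the ISE trusted store: it holds the CA only.
verify_against_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_bits CERT: print the public key size of CERT (e.g. 2048).
key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

issue_client device-0001
issue_client device-0002

echo "root key size: $(key_bits "$WORK/root.pem") bits"
for dev in device-0001 device-0002; do
  if verify_against_ca "$WORK/$dev.pem" "$WORK/root.pem"; then
    echo "$dev: trusted via root chain (client cert itself not in store)"
  fi
  if ! verify_against_ca "$WORK/$dev.pem" "$WORK/other.pem"; then
    echo "$dev: rejected when only an unrelated CA is trusted"
  fi
done
```

The same check applies to the real deployment: load the 2012 R2 issuing chain into ISE, and every device certificate that chains to it validates without being imported individually.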
11-02-2017 11:24 AM
Thanks! It sounds like you're all set.