
certificate issue while integrating FTD with ISE

ciscoworlds
Level 4

Hi. 

I want to integrate FTD 6.2.2 with ISE 2.2 using PxGrid. To do the certification part, I have configured a Win 2008 R2 as my internal CA with just these roles installed.

 

ca1.png

 

This Windows machine is a member of my internal lab domain. When I enter "http://ipaddress/certsrv" on a client machine (which isn't a member of that domain), follow "Request a Certificate" and then click on "Advanced Certificate Request", the following page appears, but as you can see there is no option to select a Certificate Template.

 

ca2.png

 

Documents say that I need to request a certificate which uses "Web Server" certificate template. What did I miss? 

1 Accepted Solution

Accepted Solutions

Hi. I completely removed all of the roles installed on the CA server and disconnected it from the domain. Then I reinstalled the roles from scratch and rejoined the domain. Now the option is shown there. I don't know what the problem with Windows was, but I'm tired of these stupid unknown Windows issues. Thanks for your replies.

5 Replies

Hi, it's strange that you don't have the dropdown box for the certificates. Are you logged in as an administrator with full rights to request a cert? Also, the "Web Server" certificate you mentioned is not good enough; you'd have to create a new template and ensure the EKU of Server and Client authentication.

 

Alternatively you could use the internal ISE CA to sign the pxGrid certificates https://communities.cisco.com/docs/DOC-71928
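
The reply above asks for a certificate whose EKU covers both Server and Client authentication. The following is an added example, not part of the original thread: a shell check, assuming OpenSSL 1.1.1 or later is available, that confirms an issued PEM certificate carries both EKUs before it is imported. The function names, file names and the self-signed test certificates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: verify that a certificate has both the Server and Client
# authentication EKUs. All names and test certificates here are constructed.

# has_both_ekus CERT.pem
# Returns 0 if both EKUs are present, 1 if one is missing (or there is no
# EKU extension at all), 2 if the file cannot be parsed as a certificate.
has_both_ekus() {
    local text eku
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    # The EKU values are printed on the line after the extension header.
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
    return 0
}

# make_test_cert OUT.pem EKU_LIST
# Builds a throwaway self-signed certificate with the given EKU list so the
# check can be exercised offline. It stands in for a CA-issued certificate.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pxgrid-test.example" \
        -addext "extendedKeyUsage=$2" \
        -keyout /dev/null -out "$1" 2>/dev/null
}

# Demonstration on two constructed certificates: one with both EKUs, and
# one with Server authentication only (the case the reply calls insufficient).
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/both.pem" "serverAuth,clientAuth"
make_test_cert "$demo_dir/server_only.pem" "serverAuth"
for cert in "$demo_dir/both.pem" "$demo_dir/server_only.pem"; do
    if has_both_ekus "$cert"; then
        echo "OK:   $(basename "$cert") has Server and Client authentication EKUs"
    else
        echo "FAIL: $(basename "$cert") is missing a required EKU"
    fi
done
rm -rf "$demo_dir"
```

To check a real certificate, export it from the CA in Base64 (PEM) form and call `has_both_ekus` on that file.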

The PC that I use to request the certificate is not a member of the domain, but the CA server is. I don't understand in which part I need to provide admin privilege. I even entered http://localhost/Certsrv on the CA server too, but again there was no option for Template.

Any suggestions, guys? Isn't there anybody who has successfully integrated ISE with FTD?

I have it set up in my lab with a Windows Server 2016 AD DC providing certificate services. I have ISE, FMC, FTD, ESA, WSA, vWLC etc. all running with certificates issued by my DC.

 

It's odd to not see the option to select the certificate template on your certsrv page. You should have the option to select a Web server certificate.

 

Below are some screenshots from my setup.

 

[Screenshot: Template management on the CA (Windows Server 2016)]

[Screenshot: Template dropdown from the CA's web UI]

[Screenshot: Appliances with CA-issued certificates]

