Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2573
Views
0
Helpful
8
Replies

ISE Integration with PEAP (Server side Cert)

Go to solution
dharmendra2shah
Level 1
Level 1

‎10-21-2012 04:43 PM - edited ‎03-10-2019 07:42 PM

All,

We are currently evaluating ISE and I am stuck with the PEAP authentication (with Server side Cert).

Our current setup consists of two 5508 controllers, 30+ access point. For authentication we are using PEAP with (server side Cert). We have an IAS server which is also acting as a CA server.

We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations.

I would like to use ISE for authentication. I would like to use PEAP with Server side Cert (similar setup like IAS). I want ISE to perform the same function in addition to profiling etc.....

I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side Cert).

Has anyone done this before? If yes then can you share step by step instructions?

I would also like to know if they used Microsoft’s CA server or Open SSL CA server or a third party CA server (Go Daddy, VeriSign etc.)

Can you we ISE as a CA server just the way we used Microsoft’s IAS Server as a CA Server?

Thanks in Advance

Ds

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
edondurguti
Level 4
Level 4
In response to dharmendra2shah

‎10-22-2012 12:32 PM

well not exactly but i used parts from here:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

I think you're good with what you done so far.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎10-21-2012 07:34 PM

Answers inline:

Our  current setup consists of two 5508 controllers, 30+ access point. For  authentication we are using PEAP with (server side Cert). We have an IAS  server which is also acting as a CA server. IAS and CA are two seperate roles that a windows server can run, just wanted to clear that up, that the IAS services still need a cert imported/signed for it to present a cert for PEAP server side certificate.

We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations. Good choice much better to control across different platforms

I  would like to use ISE for authentication. I would like to use PEAP with  Server side Cert (similar setup like IAS). I want ISE to perform the  same function in addition to profiling etc.....

I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side Cert). You will need to generate a CSR from the ISE server (Go to Administration > Certificates > Local Server Cert.. > Add > Generate CSR > then go to the CSR container and export your CSR

Has anyone done this before? If yes then can you share step by step instructions? This response should answer your question

I  would also like to know if they used Microsoft’s CA server or Open SSL  CA server or a third party CA server (Go Daddy, VeriSign etc.) Who is "they" if you are authenticating users within an enterprise where laptops are issues by the corporation then you should save the cost and use your internal CA (windows), if this is a campus environment (BYOD) then you should get a public CA.

Can you we ISE as a CA server just the way we used Microsoft’s IAS Server as a CA Server? No.

Thanks in Advance

Ds

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
dharmendra2shah
Level 1
Level 1
In response to Tarik Admani

‎10-21-2012 09:43 PM

I was able to generate the CSR from ISE.  After generating CSR I exported the cert in a temp folder.

I have also installed a Microsoft CA server (windows 2008 R2) so the CA server can issue Cert to ISE. The problem I am having is CSR is in .PEM format and Microsoft does not understand that format. Therefore I used online tools to convert the cert in .DER or PKCS#12. But Microsoft doesn’t like it.

Do you have any suggestions?

Ds

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to dharmendra2shah

‎10-21-2012 10:07 PM

The CSR should be in PEM format, my assumption is that you used the default SHA-256 to generate the request, try using SHA-1 and that should work.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
edondurguti
Level 4
Level 4

‎10-22-2012 07:51 AM

Cisco recommends using 3rd party software to generate CRS, like openssl I did it and it worked fine.

I used godaddy cert (Go daddy glass 2), which on apple devices comes up as UNVERIFIED, so I don't know what's the point of buying it for PEAP (it does work for http ssl though).

For windows machines that are joined to a workgroup there is still a problem when users try to connect to a SSID,

eventhough you have a root cert as trusted on the machine, it comes up as unverified.

Seems like a windows7 bug, here is an article from windows.

http://support.microsoft.com/kb/2518158

and here

http://support.microsoft.com/kb/295663

Hope it helps.

0 Helpful

Go to solution
dharmendra2shah
Level 1
Level 1
In response to edondurguti

‎10-22-2012 12:25 PM

Thanks Tarik !!!  Selecting SHA-1 instead of SHA-256 did the trick. One step closer.

Do you have step by step instructions to complete the CSR on Windows 2008 R2. Should we use the GUI method or use the IIS interface?

edondurguti: I am ok to use Open SSL as a CA server and then submit the CSR to open SSL. Do you have written instructions to perform that task?

0 Helpful

Go to solution
edondurguti
Level 4
Level 4
In response to dharmendra2shah

‎10-22-2012 12:32 PM

well not exactly but i used parts from here:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

I think you're good with what you done so far.

0 Helpful

Go to solution
dharmendra2shah
Level 1
Level 1
In response to edondurguti

‎10-23-2012 12:59 PM

Thanks edondurguti. I ended up submitting my CSR to DegiCert and it worked like a champ.

Ds

0 Helpful

Go to solution
dharmendra2shah
Level 1
Level 1
In response to dharmendra2shah

‎10-31-2012 10:42 AM

I am unable to do machine and user authentication using PEAP. I am not sure what is wrong with my Authorization policies.

On ISE side it says authenticated (user and machine separately) but on the client side. It says limited or no connectivity.

I am using AnyConnect 3.1 on the client side as a supplicant

ISE version is 1.1.1 with patch 3.

WLC version is 7.2.103.0

Is there a compatibility issue?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents