We have around 1500 VPN clients and would like to utilize the internal CA on ISE to issue/revoke certificates. Is this a supported deployment? We have different authentication methods for specific VPN users (AD/RSA) and utilize a certificate map to trigger the tunnel group and ISE authentication policies to match. We would like to be able to utilize SCEP from the ASA to ISE to issue specific client certs. We have this working but don't want to deploy if using the internal ISE CA in this fashion is not advised/supported.
I tested this exact scenario a couple of years ago; from memory, I did get this working, but did not go ahead with it in production. The ISE CA is featureless and the ISE Certificates are just intended for BYOD scenarios, so I personally wouldn't use it for what you want to use it for.
If possible, I'd go for a Microsoft CA and use the NDES role as the SCEP server; this will give you everything you want.