ISE - What happens when the on-boarded certificate expires?

chris_day (Level 1)

I'm trying to design a good BYOD deployment model but have a few questions that need direct answers. I have down how to go about on-boarding and getting a certificate on a device; ISE provides a great flow for this to happen in many ways. My questions come from a design perspective before and after the BYOD deployment is completed.

1. Figuring out a method to validate the device is a Corporate asset or a BYOD asset.

     (I don't want to install a certificate on just any device, or perhaps I do, but I need to give permissions to all resources if it's a Corporate Device, and more restrictions if it's BYOD, so how do I figure this out during the provisioning phase?)

     a. Use MDM (May not have one, or if you do we are still waiting on ISE 1.2 for that integration)

     b. Build a Group for provisioning admins; if the user PEAP-MSCHAPv2 account is from this group, install a certificate. (The issue here is that the end user loses administration of the device in the My Devices portal, as the device is now registered to the provisioning admin.)

     c. Pre-populate the MAC into ISE, as all Corporate devices should be provisioned by I.T. before they go to the end user (I think this is good but can see push back from customers as they don't want to add more time to the process)

     d. Certs on any iOS or Android device; provide access based on user group and do not worry if the device is a Company asset or not (I believe that this is the easiest solution and seems to be what I find in the guides)

     e. Other options I have not thought about, would love input from the crowd

2. What happens to the device once the Certificate expires?

     (I don't know the answer to this; my thought would be the user or device will fail during the authentication policy and this creates a mess)

     a. Tell the user to delete the profile so they can start all over again (creates help desk calls and frustrated users)

     b. Use MDM for Cert management (may not have one)

     c. Perhaps the client uses SCEP to renew based on the cert template renew policy and there are no issues (this is me wishing)

Would appreciate some feedback and would like to know if anyone has run into these issues.

8 Replies

chris_day (Level 1)

I went to Cisco Live in Melbourne this last week and had a chance to ask the experts about this issue. They said it's a non-issue and there isn't a way to renew an onboarded cert without an MDM currently. They agreed with me for the time being that using PEAP-MSCHAPv2 for non-Windows endpoints is best for now. With ISE 1.2 and beyond they are going to put more features around certificates and also provide a method for checking how far out a cert is going to expire and onboard a renewed cert to your devices.

If you want to attempt to only put certs on devices that are corporate owned and keep BYOD devices as PEAP-MSCHAPv2, an MDM or a process will be required to know that I.T. provisioned the device prior to giving it to the end user.

Great information Chris, thank you for sharing (+5 from me)! That is interesting that Cisco said that nothing happened once the certificate expired. I thought that once the cert expires it will no longer be valid and therefore ISE won't trust it for authentication. I guess I will need to test this in the lab and see what happens.

On a side note, have you and/or anybody else here had an issue with the provisioning/on-boarding after you install a public certificate on the PSN nodes? I just did a deployment where everything was working fine with the internal PKI and NDES/SCEP. However, as soon as we installed a publicly signed certificate to take over the HTTPS connections to the web portal, the on-boarding process stopped working. It appears that it is failing because ISE was presenting the iPad/iPhone the trusted root certificate from the newly installed public cert instead of the NDES/SCEP cert.

This looks like a bug to me but I haven't been able to find anything about it. I could be wrong but I don't see why this would break things. The way I see it ISE should:

1. Use the new/publicly signed certificate for all HTTPS connections (guest, device registration, management, etc)

2. Use the internally signed certificate for EAP-TLS authentications

3. Use the internally provided SCEP/NDES certificate that was obtained from the internal root CA

chris_day (Level 1)

I didn't explain that correctly. When I said nothing happens I meant we don't onboard a renewed cert. ISE does deny the client with an expired cert.

The other issue you discuss: I thought I saw a document that said you must use an internal CA cert if onboarding with SCEP. I believe this will be resolved in 1.2, as you will be able to select interfaces for web-based services and can assign certs to an IP/interface. RADIUS and onboarding, including EAP, can use a dedicated interface that is bound to a cert, or certs for management and EAP.

Hope that helps. I'm hearing 1.2 will be coming in June now. I know it was due a few months ago but it sounds like Cisco is being very anal about quality control and resolving existing bugs on 1.2; it should be a big difference.

Sent from Cisco Technical Support iPhone App
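The two points above (ISE denies a client whose onboarded cert has expired, and there was no built-in way at the time to see how far out a cert is from expiring) suggest a small inventory check an administrator can run themselves. The following is an added example, not code from the original thread or from Cisco: it takes a constructed list of onboarded endpoints with their certificate `notAfter` values (in the `Mon DD HH:MM:SS YYYY GMT` form that Python's `ssl.getpeercert()` returns, and that `openssl x509 -noout -enddate` prints) and sorts them into expired, renew-soon and fine, so help-desk calls can be pre-empted before the authentication policy starts rejecting devices. The inventory, the check time and the 30-day warning window are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory of onboarded endpoints (assumption): MAC plus the
# notAfter field of the certificate ISE issued to each device.
ONBOARDED = [
    {"mac": "00:11:22:33:44:55", "not_after": "Apr 30 00:00:00 2013 GMT"},
    {"mac": "00:11:22:33:44:66", "not_after": "May 15 00:00:00 2013 GMT"},
    {"mac": "00:11:22:33:44:77", "not_after": "May  1 00:00:00 2014 GMT"},
]

# Fixed "now" so the example is reproducible; replace with datetime.now(timezone.utc).
CHECK_TIME = datetime(2013, 5, 1, 0, 0, 0, tzinfo=timezone.utc)


def days_until_expiry(not_after, now):
    """Whole days between `now` and the certificate's notAfter (negative = expired).

    ssl.cert_time_to_seconds parses the OpenSSL-style GMT timestamp into a
    POSIX time; timedelta.days floors, so a cert that expired an hour ago
    already reads as -1, which is the conservative answer for this check.
    """
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def triage(endpoints, now, warn_days=30):
    """Bucket endpoints by certificate state: 'expired', 'renew_soon', 'ok'."""
    result = {"expired": [], "renew_soon": [], "ok": []}
    for ep in endpoints:
        remaining = days_until_expiry(ep["not_after"], now)
        if remaining < 0:
            result["expired"].append(ep["mac"])      # ISE will already reject these
        elif remaining <= warn_days:
            result["renew_soon"].append(ep["mac"])   # re-onboard before the cutoff
        else:
            result["ok"].append(ep["mac"])
    return result


if __name__ == "__main__":
    for bucket, macs in triage(ONBOARDED, CHECK_TIME).items():
        print(f"{bucket}: {macs}")
```

Feed it whatever your CA or MDM can export for notAfter; the point is to find the renew-soon set while the devices still authenticate, since once the cert is past notAfter the only recovery on the page is deleting the profile and re-onboarding.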

Thank you for the clarification Chris!

Also, do you happen to have more info/papers that you can share for the issue that I described? I just skimmed through the TrustSec and ISE guides but could not find anything related to that.

Also, on a side note, since you were at Cisco Live, do you happen to have some good info on EAP-TEAP?

Thanks,

Neno,

Sorry but I don't have any other info on using a public CA; Cisco says to use internal CAs for PKI. I think the best practice once 1.2 comes out will be to use one interface for Web Management and a different interface for RADIUS, profiling, posture, and onboarding. This way you can use your private CA for EAP and a public CA for web traffic. Have you tried a public CA bound to management and a private CA for EAP yet?

I did do a session on EAP-TEAP; they explained how it will work and also discussed EAP-FASTv2. EAP-FASTv2 is available now but you must use AnyConnect as your supplicant. Microsoft and all other vendors will have EAP-TEAP native once it is fully released and commissioned, as it will be the new gold standard for EAP. It will support TLS, MD5, and CHAPv2. If you are interested I have the PDF of the presentation I attended that shows the flow of how EAP-TEAP will work. This is much better than wasMachineAuthenticated and machine auth caching, which has many downfalls.

I currently do machine and user auth; I just don't require them. If Machine auth, then allow the machine on vlan-x with access to AD, DNS, and blah blah. Then a separate rule to say user auth gets more access, although I require EAP-TLS for both, and if you think about it you are accomplishing the same thing if your PKI is set up correctly. Make it so users and machines can only auto-enroll; that way you know the only way they got their cert was from GPO policy. I won't go into any more detail, but there is lots you can do.

> Have you tried a public CA bound to management and a private CA for EAP yet?

Yes, that is exactly how I have it. The public cert is only used for "management interface/web" while the private cert is trusted for EAP. I am going to upgrade to 1.1.3 and see if the issue is still there because it almost sounds like a bug to me, but I might be missing something. I do recall hearing/reading about ISE 1.2 giving you different options about different certs and their purposes.

> If you are interested I have the PDF of the presentation I attended that shows the flow of how EAP-TEAP will work

Yes, please! I have sent you a PM with my e-mail address.

> I won't go into any more detail, but there is lots you can do.

I agree, ISE is really a "Swiss army knife" when it comes to security. There is so much you can do and it is all very flexible. I really enjoyed when ACS 5 came out, but ISE just took things to another level, and for version 1.x we are already seeing so much and it will only get better.

bberry (Level 1)

Hello Chris,

I came across this post while researching info for our new ISE deployment. I noticed that in 1(c) you wanted to pre-populate ISE with the device MAC address and was wondering how you accomplished this. I am hoping there is a bulk way to import MAC addresses into ISE.

Also, should we use certs to validate a device has already been accepted into ISE, or should the process be based upon MAC address every time a user connects?

We are starting to go through the implementation process with some new management folks and they do not like an on-boarding process with new users for day 1. I have over 800 devices on the network that have to get into the system somehow. Thoughts on this part of the configuration for ISE?

Brent 

Brent,

There are a few options; one is to get the list of all your MAC addresses and import them via CSV. Everything really depends on your policies and the business requirements pushing those policies. Your BYOD and corp iDevices policy may be the same, or you may elevate access for corp iDevices. Also, do you have an MDM supported by ISE? If you do, then the MDM can handle the first-day provisioning. I have done over 20 enterprise ISE deployments now and almost never end up with the same policies at two different customers; that's the great thing about ISE, you have the freedom to become creative. Using policy sets allows you to take the creativity to another level as well.

If you can tell me your use cases I may be able to come up with some policies to help keep you from entering 800 MAC addresses into ISE. I just need to know how the business wants to separate Corp SOE machines, Corp iDevices, Guest, and BYOD. Also determine if you want elevated BYOD for I.T. Administrators or executives.

-Chris
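The CSV route Chris mentions for Brent's 800 devices (and for option 1(c) in the original post, pre-populating corporate MACs so the onboarding policy can tell a corporate asset from a BYOD one) is mostly a data-hygiene job: asset exports arrive with MACs in colon, dash and Cisco dotted forms, with duplicates, and occasionally with addresses that are not endpoint addresses at all. The following is an added example, not code from the original thread or from Cisco; it normalizes a constructed asset export to one canonical form, drops duplicates, rejects malformed or multicast addresses, and writes the rows into a CSV. The column layout `MACAddress,EndPointPolicy,IdentityGroup,Description` is an assumption about the endpoint import template; confirm it against the template your own ISE node offers on its endpoint import page before loading anything, and the identity group name `Corp-iDevices` is made up for the example.

```python
import csv
import io
import re

# Assumed ISE endpoint import columns (verify against the template from your node).
ISE_HEADER = ["MACAddress", "EndPointPolicy", "IdentityGroup", "Description"]

# Constructed asset export (assumption): mixed MAC notations, a duplicate,
# a multicast address and a truncated one, as real exports tend to contain.
ASSET_EXPORT = [
    ("00-11-22-AA-BB-CC", "iPad, asset 1001"),
    ("0011.22aa.bbcc", "asset 1001 again, Cisco dotted form"),
    ("00:11:22:aa:bb:cd", "iPhone, asset 1002"),
    ("01:00:5E:00:00:01", "not an endpoint: multicast"),
    ("00:11:22:AA:BB", "truncated"),
]

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if it cannot be an endpoint address.

    Only the separators ':', '-', '.' and whitespace are stripped, so stray
    characters still fail the 12-hex-digit check instead of being silently dropped.
    """
    digits = re.sub(r"[\s:.\-]", "", raw).upper()
    if not _HEX12.match(digits):
        return None
    first_octet = int(digits[:2], 16)
    # I/G bit set means group (multicast/broadcast) address; all-zero is a placeholder.
    if first_octet & 0x01 or digits == "0" * 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_import(rows, identity_group, endpoint_policy=""):
    """Turn (raw_mac, description) rows into ISE import CSV text.

    Returns (csv_text, rejected_raw_values). Duplicates after normalization are
    collapsed to the first occurrence so the import does not error on re-adds.
    """
    seen = set()
    rejected = []
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(ISE_HEADER)
    for raw, description in rows:
        mac = normalize_mac(raw)
        if mac is None:
            rejected.append(raw)
            continue
        if mac in seen:
            continue
        seen.add(mac)
        writer.writerow([mac, endpoint_policy, identity_group, description])
    return buf.getvalue(), rejected


if __name__ == "__main__":
    text, bad = build_import(ASSET_EXPORT, "Corp-iDevices")
    print(text)
    print("rejected:", bad)
```

Review the rejected list by hand before importing; an address that fails normalization is usually an export error rather than a device, and loading it would create an endpoint entry that never matches anything. Putting the corporate MACs in their own identity group is what later lets the authorization policy grant the wider access Chris describes for corporate devices while BYOD stays more restricted.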
