Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
3100
Views
10
Helpful
2
Comments

ISE and PEAP Certificate.

Anim Saxena
Level 1
Level 1

‎04-28-2013 06:28 AM - edited ‎02-21-2020 09:59 PM

 

 

Introduction:

 

This document descibes the method to add,delete,edit certificate in ISE which is providing functionality of radius server.

 

Adding a Certificate:

 

  • Step 1 Choose Administration > System > Certificates.
  • Step 2 From the Certificate Operations navigation pane on the left, click Certificate Authority Certificates.

 

The Certificate Authority Certificates page appears.

 

  • Step 3 Click Add.
  • Step 4 Click Browse to choose the certificate authority certificate from the file system that is running the client browser.
  • Step 5 Check the Trust for client with EAP-TLS check box if you want to use this certificate in the trust list for EAP-TLS protocols.
  • Step 6 Add an optional description.
  • Step 7 Click Submit to save the certificate authority certificate.

 

When you add a certificate to your primary ISE node, you need to restart the secondary nodes connected to your primary ISE node. To restart the secondary nodes, use the following commands (CLI):

 

application stop ise

application start ise

 

image 1 adding cert.png

 

Editing a Certificate:

 

  • Step 1 Choose Administration > System > Certificates.
  • Step 2 From the Certificate Operations navigation pane on the left, click Certificate Authority Certificates.

 

The Certificate Authority Certificates page appears.

 

  • Step 3 Check the check box next to the certificate that you want to edit and click Edit.

 

You can edit the following:

  1. Friendly Name
  2. Description
  3. Usage
  4. Certificate Revocation List Configuration

 

  • Step 4 Enter a friendly name to easily identify this certificate.
  • Step 5 Enter an optional description.
  • Step 6 Check the Trust for client with EAP-TLS check box if you want to use this certificate in the trust list for EAP-TLS protocols.
  • Step 7 In the Certificate Revocation List Configuration area, do the following:

 

    1. Check the Download CRL check box for the ISE to download a CRL.
    2. Enter the URL to download the CRL from a CA in the URL Distribution text box. This field will be automatically populated if it is specified in the certificate authority certificate. The URL must begin with "http" or "https."The CRL can be downloaded automatically or periodically.
    3. You can configure the time interval between downloads in minutes, hours, days, or weeks if you want the CRL to be downloaded automatically before the previous CRL update expires.
    4. Configure the time interval in minutes, hours, days, or weeks to wait before the ISE tries to download the CRL again.
    5. If you uncheck the Bypass CRL Verification if CRL is not Received check box, all client requests that use certificates signed by the selected CA will be rejected until ISE receives the CRL file. If you check this check box, the client requests will be accepted before the CRL is received.
    6. If you uncheck the Ignore CRL that is not yet valid or expired check box, ISE checks the CRL file for the start date in the Effective Date field and the expiration date in the Next Update field. If the CRL is not yet active or has expired, all authentications that use certificates signed by this CA are rejected. If you check this check box, ISE ignores the start date and expiration date and continues to use the not yet active or expired CRL and permits or rejects the EAP-TLS authentications based on the contents of the CRL.

 

  • Step 8 Click Save to save the changes you have made to the certificate authority certificate.

 

 

 

If you edit a certificate authority certificate on your primary ISE node, you must restart the secondary nodes connected to your primary ISE node. To restart the secondary nodes, from the command-line interface (CLI), enter the following commands:

 

application stop ise

application start ise

 

image 2 editing CA cert.png

 

 

Exporting Certificate:

 

  • Step 1 Choose Administration System > Certificates.
  • Step 2 From the Certificate Operations navigation pane on the left, click Certificate Authority Certificates.

 

The Certificate Authority Certificates page appears.

 

  • Step 3 Check the check box next to the certificate that you want to export and click Export.
  • Step 4 Save the privacy-enhanced mail file to the file system that is running your client browser.

 

image 3 exporting CA cert.png

 

 

Deleting Certificate:

  • Step 1 Choose Administration > System > Certificates.
  • Step 2 From the Certificate Operations navigation pane on the left, click Certificate Authority Certificates.

 

The Certificate Authority Certificates page appears.

 

  • Step 3 Check the check box next to the certificate that you want to delete and click Delete.

 

The following message appears.

 

Are you sure you want to delete?

 

  • Step 4 Click OK to delete the certificate authority certificate.

Reference:

Certificates with ISE

Labels:
Comments
Octavian Szolga
Level 4
Level 4
‎05-02-2013 11:55 PM

This is a nice tutorial, but still the screenshots used are from the old ISE GUI.

Why not do it with ISE 1.1.x?

Anim Saxena
Level 1
Level 1
‎05-03-2013 12:13 AM

Hi Octavian,

Thanks for the appreciation. Will definitely update the doc with ISE 1.1 also.

Thanks,

Anim Saxena

Community Manager - Security.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents