Can someone kindly help me with the following question?
First off, I am a Windows Server/PKI/AD etc. guy rather than Cisco, although I do hold a CCNA :)
I look after the PKI at my company and will be working with the Cisco team who are introducing Cisco ISE. We will be using X.509 certs on the supplicants (Windows desktops/laptops primarily).
What I want to know is something quite basic, but I have not seen it written down anywhere.
First off, I assume it is the AAA server (ISE) that checks the supplicant's X.509 certificate, rather than the AP (access point, e.g. wireless router)? Is that correct?
As the supplicant's X.509 certificate is public (e.g. it is not secured and anyone can request it, as is normal), I assume the AAA server must encrypt a value (a random number, for example) with the supplicant's public key (from the X.509 cert) and then send this value to the supplicant, whereby the supplicant decrypts it with its private key (which no one else has, as normal). Then the supplicant encrypts the same value with the AAA server's public key (held in the advertised AAA server's X.509 cert) and sends this back to the AAA server, and once the AAA server decrypts it (with its private key), if the value matches the value originally sent to the supplicant, then the AAA server can continue with authentication etc.
Is the above assumption correct?
If the above is correct, does ISE always act like this, or can you lower the security and just get the ISE server to check whether it trusts the cert issuer (and the CRL is OK) of the supplicant's X.509 cert and not bother to send the encrypted packet as above (but this of course would not guarantee supplicant-1 is actually supplicant-1)?
Thanks very much in advance.
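The challenge-response exchange sketched in the question, written out as an added example in Go (not Cisco or ISE code, and not a claim about what ISE does on the wire); the function names, the 32-byte nonce and RSA-OAEP are assumptions, and a plain RSA key pair stands in for each party's certificate. It also shows the point raised at the end of the question: a party that presents the certificate without holding the matching private key cannot complete the exchange.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Server, step 1: fresh nonce encrypted to the public key from the supplicant's cert.
func ServerIssueChallenge(supplicantPub *rsa.PublicKey) (nonce, enc []byte, err error) {
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	enc, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, supplicantPub, nonce, nil)
	return nonce, enc, err
}

// Supplicant, step 2: decrypt with its private key, re-encrypt the nonce to the AAA
// server's public key. With the wrong private key OAEP decryption simply fails.
func SupplicantAnswer(priv *rsa.PrivateKey, serverPub *rsa.PublicKey, enc []byte) ([]byte, error) {
	nonce, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, enc, nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, nonce, nil)
}

// Server, step 3: decrypt the reply and accept only if it equals the nonce sent.
func ServerVerify(serverPriv *rsa.PrivateKey, expected, reply []byte) bool {
	got, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, reply, nil)
	return err == nil && bytes.Equal(got, expected)
}

// RunExchange: supplicantPub is the key in the presented certificate; supplicantPriv
// is whatever key the responder holds, so a mismatch models "has the cert, not the key".
func RunExchange(serverPriv, supplicantPriv *rsa.PrivateKey, supplicantPub *rsa.PublicKey) bool {
	nonce, enc, err := ServerIssueChallenge(supplicantPub)
	if err != nil {
		return false
	}
	reply, err := SupplicantAnswer(supplicantPriv, &serverPriv.PublicKey, enc)
	if err != nil {
		return false
	}
	return ServerVerify(serverPriv, nonce, reply)
}
```

Calling RunExchange with the genuine supplicant key returns true; calling it with any other private key against the same certificate public key returns false, which is exactly the guarantee the final part of the question says issuer-and-CRL checking alone would not give.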