841 Views, 5 Helpful, 3 Replies

Best Practice for Certificate Server

latenaite2011
Level 4

Hey everyone,

Just wondering what the best practice deployment is for a certificate server with Cisco ISE supporting wireless users using 802.1X and Intune. Also, the customer mentioned that they had issues with changing passwords on the wireless network using certificates and that the account would get locked out. Intune is using a Microsoft CA server on 2019 and PKCS. Not sure what is recommended for Cisco ISE and wireless users to be able to change the password without getting locked out.

3 Replies

latenaite2011
Level 4

Wanted to add that the issue with the password change is that when users change their password on a Mac or PC, they would like to not have to update their credentials on their mobile devices (this was causing issues). Mobile devices currently have certificates generated by the AD/Intune environment for authentication, to resolve lockouts caused by "old" or outdated passwords.

balaji.bandi
Hall of Fame

ISE can act as a PKI server, but as you mentioned, most businesses can also use the MS CA server as the PKI, since most businesses have AD for user authentication; devices use certificate authentication for your 802.1X implementation.

The password lockout needs to be looked at more closely to see what the cause of the lockout was.

Note: I have seen some users logged on to another device which was not logged out correctly, and if you try to change the password it locks out the account, since there is another login already present. So this requires some investigation on both the network and infrastructure side.

BB

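One way to run down the kind of lockout BB describes (a stale login on another device still presenting the old password), as an added example that is not from this thread: correlate the domain controller's account-lockout event (4740) with the wrong-password failures logged for the same account in the preceding minutes (Kerberos 4771 with failure code 0x18, NTLM 4776 with status 0xC000006A) and count them by source device. The event IDs, field names and status codes are the standard Windows Security-log ones; the log lines below are constructed sample data in a simplified "key=value" export format, which is an assumption for the sake of the example, not real Security-log output.

```python
"""Correlate account-lockout events with the failed logons that preceded them.

Added example, not from the thread. Input format is an assumed simplified
text export: "<ISO timestamp> EventID=<id> key=value ...". Event IDs, field
names and status codes are the standard Windows Security-log ones:
  4740  account locked out (CallerComputerName = computer that reported the
        failing attempts, often the DC itself for Kerberos clients)
  4771  Kerberos pre-authentication failed (FailureCode 0x18 = bad password)
  4776  NTLM credential validation (Status 0xC000006A = bad password)
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines: a phone at 10.10.5.23 still holds jdoe's old
# password after jdoe changed it on a PC; an old laptop does the same for asmith.
SAMPLE_LOG = """\
2024-05-02T08:01:12 EventID=4771 TargetUserName=jdoe ClientAddress=10.10.5.23 FailureCode=0x18
2024-05-02T08:01:13 EventID=4771 TargetUserName=jdoe ClientAddress=10.10.5.23 FailureCode=0x18
2024-05-02T08:01:15 EventID=4771 TargetUserName=jdoe ClientAddress=10.10.5.23 FailureCode=0x18
2024-05-02T08:01:20 EventID=4771 TargetUserName=jdoe ClientAddress=10.10.5.23 FailureCode=0x18
2024-05-02T08:01:24 EventID=4771 TargetUserName=jdoe ClientAddress=10.10.7.40 FailureCode=0x18
2024-05-02T08:01:25 EventID=4740 TargetUserName=jdoe CallerComputerName=DC01
2024-05-02T08:01:40 EventID=4771 TargetUserName=jdoe ClientAddress=10.10.5.23 FailureCode=0x12
2024-05-02T09:15:02 EventID=4776 TargetUserName=asmith Workstation=WKS-OLD-LAPTOP Status=0xC000006A
2024-05-02T09:15:09 EventID=4776 TargetUserName=asmith Workstation=WKS-OLD-LAPTOP Status=0xC000006A
2024-05-02T09:15:30 EventID=4740 TargetUserName=asmith CallerComputerName=WKS-OLD-LAPTOP
"""


def parse_line(line):
    """Turn one export line into a dict of fields, or None if it is blank/malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def bad_password_source(ev):
    """Return the device that presented a wrong password in this event, else None."""
    if ev.get("EventID") == "4771" and ev.get("FailureCode") == "0x18":
        return ev.get("ClientAddress")
    if ev.get("EventID") == "4776" and ev.get("Status") == "0xC000006A":
        return ev.get("Workstation")
    return None


def find_lockout_sources(log_text, window_minutes=30):
    """Map each (user, lockout time) to the devices that sent bad passwords before it."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and "EventID" in e]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    window = timedelta(minutes=window_minutes)
    findings = {}
    for ev in events:
        if ev["EventID"] != "4740":
            continue
        user, t_lock = ev["TargetUserName"], datetime.fromisoformat(ev["ts"])
        sources = Counter()
        for prior in events:
            if prior.get("TargetUserName") != user:
                continue
            t = datetime.fromisoformat(prior["ts"])
            if t > t_lock or t_lock - t > window:
                continue  # after the lockout, or outside the look-back window
            src = bad_password_source(prior)
            if src:
                sources[src] += 1
        findings[(user, ev["ts"])] = {"caller": ev.get("CallerComputerName"), "sources": sources}
    return findings


def likely_stale_device(finding):
    """The device with the most bad-password attempts before the lockout, or None."""
    top = finding["sources"].most_common(1)
    return top[0][0] if top else None


if __name__ == "__main__":
    for (user, ts), finding in find_lockout_sources(SAMPLE_LOG).items():
        print(f"{ts} {user}: locked out (reported by {finding['caller']}); "
              f"bad passwords from {dict(finding['sources'])}; "
              f"check device {likely_stale_device(finding)}")
```

The 4740 event alone is often misleading for Kerberos clients because CallerComputerName is then the DC, not the device holding the old password; counting the 4771/4776 failures by ClientAddress or Workstation is what points at the phone or laptop that needs its saved credentials updated (or, as the next reply suggests, moved to certificate-based authentication so the password no longer lives on it).
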
Arshad Safrulla
VIP Alumni

Looks like you're using EAP-PEAP; I would recommend that you check out EAP-TLS, where the authentication is done via certificates instead of username and password. EAP-TLS is more secure compared to other EAP mechanisms and hasn't been broken to date.

You need to have a very good PKI infra to support an EAP-TLS deployment; since you have Intune and MS infra to support PKI services, this should be a piece of cake. With EAP-TLS you completely eliminate the dependency on user credentials. Also, if you are looking for more info on ISE, I would recommend opening a discussion on the ISE community.
