03-26-2014 05:46 AM - edited 07-05-2021 12:33 AM
Hi all,
I have a query on onboarding iOS, Android and Windows devices through Cisco ISE.
I understood that we are going to provision and onboard the above devices by issuing certificates.
Does ISE have a certificate authority with which it can generate its own root CA, an intermediate CA signed by the root CA, and device certificates signed by the intermediate CA (I mean the profile-signing CA)?
Or else do we need to create a CSR and send it to a CA to get it signed, and then import the root and intermediate CAs into ISE? With CAs like GoDaddy and VeriSign, when we send a CSR, do they send the root certificate, the intermediate certificate and the signed certificate?
Thanks
Srikanth
03-26-2014 09:59 AM
Hi,
After installation, ISE generates, by default, a self-signed local certificate and private key, and stores them on the server. ISE authenticates itself to clients using the default self-signed certificate that is created at the time of installation. This self-signed certificate is used for both HTTPS and EAP protocols to authenticate clients. This self-signed certificate is valid for one year and its key length is set to 1024 bits. At the time of generation, this certificate is used for both EAP and HTTPS protocols.
Cisco strongly recommends installing a CA-signed certificate. (Don't use the self-generated certificate from ISE.)
Process for certificate deployment: see the link:
https://www.youtube.com/watch?v=d-ro6P2Azl8
Regards
04-01-2014 12:35 AM
Hi Sandeep,
Yes, I understood that. Yes, I do agree that the self-signed certificate is used for L3 authentication and EAP methods.
During provisioning of BYODs, I understood that a client certificate is pushed to perform EAP-TLS (iOS) and credentials for Android (PEAP-MSCHAPv2). As there is no CA capability for ISE, how will it issue certificates to client devices?
03-31-2014 04:10 PM
Yes, Sandeep is correct. You may also check the below link,
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_e_man_cert.html