07-20-2023 03:44 PM
We are implementing 802.1X this summer and I am reading this great Cisco white paper: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213919-configure-802-1x-authentication-on-catal.html
It goes into depth on how to configure the WLC and ISE for implementing the 802.1X network, which is what we will be using. But it does not go into any detail on certificate configuration and placement. If anyone has any good documentation or advice on how to get the certs created and installed, it would be greatly appreciated. Thank you in advance.
07-20-2023 05:08 PM
As mentioned, there are configuration guides for ISE that go over the configuration steps in ISE with some overview.
Here's the guide for 3.x: Configure EAP-TLS Authentication with ISE
For other parts I fear the question is too open or general.
The certificate creation depends on your environment.
For example, if you have an on-premises AD environment, and maybe an existing PKI infrastructure, it would make sense to use your existing PKI infrastructure to generate the EAP certificate to use on the ISE nodes.
At the end of the day, the clients that authenticate need to trust the EAP certificate on the ISE, and if you're using certificate authentication like EAP-TLS, the ISE needs to trust the CA that issues the certificates to the clients.
As an example, if you have a Windows-only environment using on-premises Active Directory, a simple solution is to use (or set up) a Microsoft CA, which can be on a standalone server or co-exist on another Windows server.
** There are additional security aspects you need to look into once you've reached this stage, such as whether the certificate can be exported off the computer and what someone can do with a stolen laptop.
If your workstations are domain-joined using Azure AD, or if you have macOS or Linux computers, there may be additional steps to look into.
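The two trust directions described in this answer, as an added example that is not part of the thread: a throwaway lab PKI built with openssl, where a client must accept the ISE EAP certificate as a TLS server and ISE must accept the client certificate as a TLS client, while a client certificate from a CA that ISE does not trust is rejected. The CA and host names (Corp Root CA, ise.lab.example, laptop01.lab.example) are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway PKI showing the two trust
# checks behind EAP-TLS. All names below are made up.
#   1. supplicant side: the ISE EAP certificate must chain to a CA the client
#      trusts and must be usable as a TLS server certificate
#   2. ISE side: the client certificate must chain to a CA ISE trusts and must
#      be usable as a TLS client certificate
set -e
WORK=$(mktemp -d)
cd "$WORK"

# make_ca <name> <subject>: self-signed root, standing in for the enterprise CA
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.crt" -subj "$2" 2>/dev/null
}

# issue <ca> <name> <subject> <eku>: leaf certificate signed by <ca> with the
# given extendedKeyUsage (serverAuth for ISE, clientAuth for supplicants)
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "$3" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$4" > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 30 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

# check_trust <cert> <trusted-ca> <purpose>: exit 0 only if <cert> chains to
# <trusted-ca> AND its EKU fits <purpose> (sslserver or sslclient)
check_trust() {
  openssl verify -CAfile "$2" -purpose "$3" "$1" >/dev/null 2>&1
}

make_ca corp  "/CN=Corp Root CA"    # CA trusted by both ISE and the clients
make_ca other "/CN=Some Other CA"   # CA that is NOT in ISE's trust store
issue corp  ise    "/CN=ise.lab.example"      serverAuth
issue corp  laptop "/CN=laptop01.lab.example" clientAuth
issue other rogue  "/CN=laptop99.lab.example" clientAuth

# Supplicant's view of ISE, then ISE's view of each client certificate
check_trust ise.crt    corp.crt sslserver && echo "ISE EAP cert trusted by client"
check_trust laptop.crt corp.crt sslclient && echo "laptop01 accepted by ISE"
check_trust rogue.crt  corp.crt sslclient || echo "laptop99 rejected: issuer not trusted"
check_trust laptop.crt corp.crt sslserver || echo "client cert not valid as a server cert"
```

The same `openssl verify -CAfile ... -purpose` check can be run against a real client or ISE certificate exported from the trust store to confirm the chain and EKU before rolling out.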
07-20-2023 04:11 PM - edited 07-20-2023 04:11 PM
What is the mode? EAP-TLS? If yes, then:
Understand and Configure EAP-TLS with a WLC and ISE - Cisco
07-21-2023 07:50 AM
Thank you for this. I will be reading it today.
07-21-2023 12:35 PM
You are so, so welcome.
Any time, friend.
MHM
07-21-2023 07:51 AM
Great write-up. This is definitely putting me in the direction I want to go. I will be reading and reviewing this.