SSL certificate

Raj G
Level 1

Dear professional,

I have a Cisco 9800 WLC, Cisco ISE, and an AD server. Now my requirement is to set up wireless clients to authenticate using Active Directory accounts via Cisco ISE. Now I have the questions below:

1. I believe I need to set up 802.1X authentication on the Cisco WLC?

2. Can we set up TACACS between the Cisco WLC and Cisco ISE? Or is only RADIUS possible?

3. I believe we need to install an SSL certificate in Cisco ISE and on the wireless clients (Windows, Mac, mobile devices like iPhone and Android)? No SSL certificate is required in Active Directory.

4. I have a wildcard PFX SSL certificate (which was built for another purpose). Can I install it on ISE and the wireless clients? Or do I need to convert it to another format? Can you share which format and how to import the certificate into Cisco ISE?

If someone could help, I would be grateful.

Thank you

3 Replies

UdupiKrishna
Cisco Employee

Question 1 - That is correct, you need to configure ISE as a RADIUS server on the WLC. Configure the SSID and set its authentication to the configured RADIUS servers.

Question 2 - TACACS is not meant for dot1x, you need to use RADIUS.

Question 3 - A certificate on endpoints is not mandatory unless the goal is to use certificate-based authentication.

Question 4 - Use openssl to extract the certificate, private key and certificate chain (root and intermediate certs). Import the root and intermediate certs into the System trusted certificate store on ISE first.

Then upload the wildcard cert along with the private key to ISE, and select the services for which you want the certificate to be used. Ensure the wildcard covers the FQDN of ISE. Beware of a service restart if you choose the certificate for "admin" usage.

Here's an excellent guide to certificates on ISE - https://community.cisco.com/t5/security-documents/how-to-implement-digital-certificates-in-ise/ta-p/3630897
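The openssl steps from the answer above, as an added example that is not part of the reply: `split_pfx` pulls the server certificate, private key and CA chain out of a .pfx into separate PEM files (the pieces ISE takes for its Trusted Certificates store and System Certificates upload) and refuses to continue if the key does not match the certificate, while `show_names` prints the subject CN and SAN entries so you can confirm the name covers the ISE FQDN and see where the wildcard actually sits. `make_test_pfx` builds a constructed throwaway bundle (made-up names and password) so the script runs offline; point `split_pfx` at your real .pfx instead.

```shell
# Added example: split a PKCS#12 (.pfx) into server cert, private key and CA chain for ISE.
set -eu

# Extract the pieces of "$1" (password "$2") into directory "$3".
split_pfx() {
  pfx=$1; pass=$2; out=$3
  mkdir -p "$out"
  # -clcerts -nokeys: only the end-entity certificate; piping through openssl x509
  # strips the "Bag Attributes" header so the file is plain PEM for the ISE upload form
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
    | openssl x509 -out "$out/server.pem"
  # -nocerts -nodes: the private key, written unencrypted (restrict access to this file)
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
    | openssl pkey -out "$out/server.key"
  # -cacerts: root and intermediate certs, for ISE's Trusted Certificates store
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/chain.pem"
  # Refuse to hand over a key that does not belong to the certificate
  [ "$(openssl x509 -in "$out/server.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$out/server.key" -pubout)" ]
}

# Print the subject CN and the SAN entries: does the name cover the ISE FQDN,
# and is the wildcard in the CN or only in the SAN?
show_names() {
  openssl x509 -in "$1" -noout -subject -text | grep -E 'subject=|DNS:'
}

# Constructed test data (names and password are made up): a throwaway root CA and a
# wildcard server cert it signed, packed into a .pfx like a CA portal or Windows export.
make_test_pfx() {
  dir=$1; pass=$2
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Lab Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.lab.example" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.lab.example,DNS:ise.lab.example\n' > "$dir/ext.cnf"
  openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/ext.cnf" -out "$dir/leaf.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/leaf.key" -in "$dir/leaf.pem" \
    -certfile "$dir/ca.pem" -passout "pass:$pass" -out "$dir/bundle.pfx"
}

# Usage: "sh split_pfx.sh demo" runs the whole flow on the constructed bundle
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_test_pfx "$work/src" 'constructed-pw'
  split_pfx "$work/src/bundle.pfx" 'constructed-pw' "$work/out"
  show_names "$work/out/server.pem"
fi
```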

Marvin Rhoads
Hall of Fame

Note that the native Windows supplicant for 802.1X does not work well with wildcard certificates (when the wildcard is in the CN, or Common Name, field).

For that reason it is recommended to use an actual assigned certificate for ISE. You can use multi-SAN (Subject Alternative Name) to cover the multiple PSNs in the case of a larger ISE deployment.

Thanks