09-10-2024 01:56 PM
This is an option in ISE which, if checked, allows expired certificates to be authenticated. So here's the deal. We have a number of iPhone devices used internally on the network. Some get left in a desk drawer or powered off. By the time those phones get powered back on, their certificate has expired and therefore cannot connect to our SSID that utilizes certificates in order to connect. After finding this option above, I checked the box. I created a policy rule to allow devices connecting to this SSID with an expired certificate to connect to the certificate server (via a dACL associated with the rule) in order to renew the certificate. This rule is placed in front of the original rule that authenticates these devices by certificate. This works. However, that checkbox is a global setting for all the policies that we are using for both wired and wireless clients. We have many other rules for clients to connect using certificates with other SSIDs and for wired connections as well. How can I create a separate "Allowed Protocols" with this checked and then only have it apply to one wireless SSID so that I don't impact any other certificate authentication?
Here is the link in the configuration guide: https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_segmentation.html#ID37
Search for "Table 11."
Attached is the tool tip right out of ISE 3.2.
09-10-2024 03:50 PM
You could create a separate Policy Set for the SSID by using the 'RADIUS:Called-Station-ID ENDS_WITH' attribute and match on the new Allowed Protocols list. This is common practice for separating Policy Sets per SSID.
Example:
You would just need to ensure the WLC is passing the SSID name in the RADIUS Authentication/Accounting messages.
For the IOS-XE based 9800 WLC, this is configured in the Configuration > Security > AAA > AAA Advanced > Global Config section.
Example:
For the older AireOS based WLCs, the configuration is done on the Security > RADIUS > Authentication/Accounting pages.
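The scoping this answer describes, as an added worked model (not ISE's code and not from the original post): one Policy Set is selected per SSID from the RADIUS Called-Station-Id, and only that Policy Set's Allowed Protocols tolerates an expired certificate, with the remediation ACL attached. The "AP MAC:SSID" Called-Station-Id format, the SSID name and the ACL name are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed model of the thread's design: a Policy Set per SSID chosen by
# 'RADIUS:Called-Station-ID ENDS_WITH <ssid>', each with its own Allowed
# Protocols setting for "allow expired certificates".

@dataclass
class PolicySet:
    name: str
    ssid: Optional[str]        # None = catch-all for wired and other SSIDs
    allow_expired_cert: bool   # the global checkbox, now scoped to this set
    remediation_acl: str       # ACL pushed only when the cert is expired

# Assumed names; the phone SSID set must be ordered before the catch-all.
POLICY_SETS = [
    PolicySet("Corp-iPhone-SSID", "CorpPhones", True, "ALLOW_CERT_SERVER_ONLY"),
    PolicySet("Default", None, False, ""),
]

def utc_date(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

def select_policy_set(called_station_id: str) -> PolicySet:
    """Top-down evaluation; a wired port MAC has no ':SSID' suffix."""
    for ps in POLICY_SETS:
        if ps.ssid is None or called_station_id.endswith(":" + ps.ssid):
            return ps
    raise LookupError("no policy set matched")

def authorize(called_station_id: str, cert_not_after: datetime, now: datetime) -> dict:
    """Decide the RADIUS outcome for a client certificate on a given SSID/port."""
    ps = select_policy_set(called_station_id)
    expired = now > cert_not_after
    if not expired:
        return {"policy_set": ps.name, "result": "ACCESS-ACCEPT", "acl": None}
    if ps.allow_expired_cert:
        # Expired cert is tolerated only in this set, and only with the ACL
        # that restricts the phone to the certificate renewal server.
        return {"policy_set": ps.name, "result": "ACCESS-ACCEPT",
                "acl": ps.remediation_acl}
    return {"policy_set": ps.name, "result": "ACCESS-REJECT", "acl": None}

if __name__ == "__main__":
    now, old = utc_date(2024, 9, 10), utc_date(2024, 6, 1)
    for csid in ("aa-bb-cc-dd-ee-ff:CorpPhones", "aa-bb-cc-dd-ee-ff:Guest",
                 "aa-bb-cc-dd-ee-ff"):
        print(csid, authorize(csid, old, now))
```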
09-11-2024 11:40 AM
Greg,
Thank you. This is helpful and looks to be exactly what I was looking for. I'll run this by others on the team, schedule a maintenance window, and report back to this thread.
Thanks again,
Andrew
10-08-2024 09:28 AM
Greg,
Thanks for the help. Your post was the solution. The issue we had with regard to the ACL not applying was due to settings for the WLAN not being turned on as we had for the other WLANs. After making those changes, the entire solution is working well. Thanks again.
10-01-2024 01:23 PM
Wanted to put an update out here. I made the change on Monday and the devices landed on the correct policy, but now I have a major problem where the expired certificate rule wireless ACL is not being applied for the device connection... This wasn't happening before. Separate issue that I'll need to work through. Here's what I configured. It's cut off, but the Authorization Profile for the rule where the certificate is expired should apply a wireless ACL that permits only access to our Mobile Iron server. That part is not working now.