Lab Minutes Forum

Technical Discussion => Security => Topic started by: tyronkemp on June 08, 2016, 03:56:57 AM

Title: ISE Endpoint Certificate provisioning
Post by: tyronkemp on June 08, 2016, 03:56:57 AM
Hi

End Goal:

I need to implement a standalone ISE deployment without external PKI that will do machine authentication for mobile devices.  The authentication needs to be EAP-TLS only.  No need for AD integration etc.

Start Point:

I am new to ISE and still busy learning the supported technologies.
I have configured wired 802.1X PEAP authentication without any problems.
My next step is to configure wired 802.1X EAP-TLS and from there I will start looking at the BYOD portals etc...

I am unable to find documentation/videos that show me how to provision endpoint certificates using ISE 2.0 (ISE needs to do all the PKI for this project).

Please assist provisioning endpoint certificates using ISE 2.0

Thanks
Title: Re: ISE Endpoint Certificate provisioning
Post by: MC on June 13, 2016, 09:52:03 PM
There are 3 ways for an endpoint to get a client cert from the ISE internal CA:
1. Going through BYOD onboarding
http://www.labminutes.com/sec0189_ise_13_byod_wireless_onboarding_single_ssid_internal_ca_1
http://www.labminutes.com/sec0190_ise_13_byod_wireless_onboarding_dual_ssid_internal_ca_1
2. Over AnyConnect VPN and SCEP
http://www.labminutes.com/sec0213_ise_20_internal_ca_scep_anyconnect_vpn_1
3. Over certificate provisioning portal
http://www.labminutes.com/sec0212_ise_20_certificate_privisioning_portal_1

If you are dealing with a large number of endpoints, I would suggest looking into MDM. Some MDMs, like Meraki System Manager, have a built-in CA that you can use to generate client certs with a much simpler process than the three methods described above.
Title: Re: ISE Endpoint Certificate provisioning
Post by: tyronkemp on July 04, 2016, 08:11:06 AM
Hi

I have configured the BYOD portal and am under the impression that I have run into an SSL trust issue (https://supportforums.cisco.com/discussion/12163246/ise-cannot-push-profile-cisco-network-setup-assistant)

2016.07.04 13:58:24 ERROR:DownloadprofileAsynchTask
2016.07.04 13:58:24 ERROR:java.io.IOException: Hostname 'ise-lab.ise.local' was not verified
2016.07.04 13:58:24 ERROR:Hostname 'ise-lab.ise.local' was not verified
2016.07.04 13:58:24 INFO:Internal system error.

I don't have an internal ADCS or other PKI system in place, nor do I plan to purchase SSL certificates.  Please advise how to install the ISE internal root CA on my mobile device.

Regards,

Tyron
Title: Re: ISE Endpoint Certificate provisioning
Post by: MC on July 09, 2016, 04:39:47 PM
ISE internal root CA cert should be installed during onboarding right before the client cert. What mobile device are you using?
Title: Re: ISE Endpoint Certificate provisioning
Post by: tyronkemp on July 13, 2016, 04:53:47 AM
Various Android Devices
Title: Re: ISE Endpoint Certificate provisioning
Post by: MC on July 17, 2016, 10:19:31 PM
Try to use the latest version of Cisco Network Setup Assistant if not already. Also make sure the ISE FQDN is resolvable by DNS and you have http/https allowed but redirected by the redirect URL. BTW, what happens if you try with an iOS device like an iPhone, for example? You don't need a publicly signed cert to get this to work.
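The "Hostname 'ise-lab.ise.local' was not verified" line in the July 4 post and the DNS/redirect advice in the reply above both come down to the same check: the HTTPS client on the phone compares the name it was redirected to against the names in the portal certificate's subjectAltName, independently of whether the issuing root is trusted. The following is an added example, not code from the thread, from Cisco, or from the Network Setup Assistant; it implements the RFC 6125-style matching rule an HTTPS client applies so you can see which certificate shapes pass for a given redirect FQDN. The certificates are constructed Python dictionaries (hypothetical CN/SAN values), not parsed X.509, and the hostname, IP and domain names are made up for the example.

```python
"""Hostname verification as an HTTPS client applies it to a server
certificate's subjectAltName (SAN). Added example; certificates below
are constructed dicts, not real ISE certificates."""
import ipaddress


def _match_dns(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry (or a CN) against a hostname.

    Conservative rule: a single '*' is accepted only as the entire
    left-most label and matches exactly one label, so '*.ise.local'
    matches 'ise-lab.ise.local' but not 'a.b.ise.local' or 'ise.local'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a whole TLD or a bare label.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as 'ise-*.local' rejected
    return p_labels == h_labels


def verify_hostname(cert: dict, hostname: str) -> bool:
    """cert = {'subject_cn': str|None, 'san_dns': [...], 'san_ip': [...]}.

    Mirrors common client behaviour: an IP literal must match an
    iPAddress SAN; if any dNSName SAN exists the CN is ignored; the CN
    is consulted only when the certificate carries no SAN at all.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    san_dns = cert.get("san_dns", [])
    san_ip = cert.get("san_ip", [])
    if ip is not None:
        return any(ip == ipaddress.ip_address(a) for a in san_ip)
    if san_dns:
        return any(_match_dns(p, hostname) for p in san_dns)
    if san_ip:
        return False  # SAN present but only IPs: no CN fallback
    cn = cert.get("subject_cn")
    return bool(cn) and _match_dns(cn, hostname)


def diagnose(cert: dict, hostname: str) -> str:
    """One-line explanation in the style of the client's error message."""
    if verify_hostname(cert, hostname):
        return "OK: %s is covered by the certificate" % hostname
    names = cert.get("san_dns", []) + cert.get("san_ip", [])
    if names:
        return "Hostname '%s' was not verified: SAN covers %s" % (
            hostname, ", ".join(names))
    return "Hostname '%s' was not verified: no SAN, CN=%s" % (
        hostname, cert.get("subject_cn"))


# Constructed portal certificates (hypothetical values for the example).
SHORTNAME_CERT = {"subject_cn": "ise-lab", "san_dns": [], "san_ip": []}
FQDN_CERT = {"subject_cn": "ise-lab.ise.local",
             "san_dns": ["ise-lab.ise.local", "ise-lab"], "san_ip": []}
WILDCARD_CERT = {"subject_cn": "*.ise.local",
                 "san_dns": ["*.ise.local"], "san_ip": []}
IP_ONLY_CERT = {"subject_cn": "ise-lab", "san_dns": [],
                "san_ip": ["10.0.0.5"]}

if __name__ == "__main__":
    redirect_fqdn = "ise-lab.ise.local"  # name in the redirect URL
    for label, cert in (("short CN only", SHORTNAME_CERT),
                        ("FQDN in SAN", FQDN_CERT),
                        ("wildcard SAN", WILDCARD_CERT),
                        ("IP-only SAN", IP_ONLY_CERT)):
        print("%-14s %s" % (label, diagnose(cert, redirect_fqdn)))
```

Against a live node, `openssl s_client -connect ise-lab.ise.local:8443 -servername ise-lab.ise.local </dev/null | openssl x509 -noout -text` prints the SAN list of the certificate the portal actually serves, which is what to feed into this check. Two practical consequences follow: the FQDN in the redirect URL must appear in the portal certificate's SAN (the ISE internal CA can issue such a certificate; a public CA is not required), and installing the ISE root CA on the device fixes trust but not a name mismatch, so both conditions have to hold before the Android client will download the profile.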