Lab Minutes Forum

Technical Discussion => Security => Topic started by: savoier on August 22, 2014, 06:17:52 AM

Title: ISE wireless onboarding certificate problems
Post by: savoier on August 22, 2014, 06:17:52 AM
Hi,

We are in the process of setting up ISE for wireless onboarding with a single SSID, but we are running into the following problem: the Windows machine will not accept the certificate from our local Microsoft Enterprise CA server because it is not in the trusted list. Is there a solution to this problem without adding the CA server to the trusted list manually?
Title: Re: ISE wireless onboarding certificate problems
Post by: MC on August 24, 2014, 12:28:49 PM
The short answer is probably no. If you are dealing with Windows computers, when the user tries to connect to the SSID, they should be prompted about the untrusted certificate and choose to terminate or connect, although I have seen cases where this does not happen, so you might see inconsistent behavior.

Otherwise, here are the options you have:
1. Make your internal root CA certificate available to the users so they can install it and have it trusted in the wireless profile.
2. Have ISE use a certificate that is signed by a trusted 3rd party CA, so users do not need to install the certificate but only need the 3rd party root CA trusted in the wireless profile.
3. Disable certificate verification altogether on the wireless profile.

Regardless of the method, you will probably have to include the detailed steps in your user onboarding instructions.
Title: Re: ISE wireless onboarding certificate problems
Post by: savoier on August 25, 2014, 05:20:45 AM
Thank you MC for your reply :)

On option number 2, would you have any detailed instructions on how to do this? We currently have Comodo certs on our 2 policy nodes.

Title: Re: ISE wireless onboarding certificate problems
Post by: MC on August 26, 2014, 06:23:00 PM
For Windows 7/8, under the wireless profile > Security > Settings > Trusted Root Certification Authorities section: find the Comodo root CA cert that issued the cert you want the client to trust and check the box. If you do not see the cert, you will need to install it.
Title: Re: ISE wireless onboarding certificate problems
Post by: ozone007 on February 09, 2015, 11:00:43 AM
Quote from: MC
For Windows 7/8, under the wireless profile > Security > Settings > Trusted Root Certification Authorities section: find the Comodo root CA cert that issued the cert you want the client to trust and check the box. If you do not see the cert, you will need to install it.

I'm having the same issue now as I am deploying ISE 1.3. Is this procedure still valid for an external CA?

What I have in mind is to generate a certificate and send it to them; then they will send us a signed certificate that we need to bind with the generated ISE cert, right?
Title: Re: ISE wireless onboarding certificate problems
Post by: MC on February 09, 2015, 08:14:40 PM
Quote from: ozone007
I'm having the same issue now as I am deploying ISE 1.3. Is this procedure still valid for an external CA?

What I have in mind is to generate a certificate and send it to them; then they will send us a signed certificate that we need to bind with the generated ISE cert, right?
What you just described is how to install a server certificate on ISE. This post is about how to have the BYOD client trust the ISE certificate, which is a client-side setting.
Title: Re: ISE wireless onboarding certificate problems
Post by: ozone007 on February 14, 2015, 04:46:06 AM
As I discussed with the client, they don't want to purchase a new cert, so I decided to disable the cert check. How can this be achieved on ISE 1.3, as on the client side the validate cert option is checked by default?
Title: Re: ISE wireless onboarding certificate problems
Post by: MC on February 15, 2015, 11:22:24 PM
Quote from: ozone007
As I discussed with the client, they don't want to purchase a new cert, so I decided to disable the cert check. How can this be achieved on ISE 1.3, as on the client side the validate cert option is checked by default?
There is nothing you can do on ISE to force whether the user device trusts or validates the server cert, as those are client settings. An alternative would be to use dual SSID; that way, the user has the option to accept the server cert at the cert warning in the browser when they connect to the onboarding SSID.
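The client-side settings discussed in this thread (validate server certificate, the trusted root CA checkboxes, and the option of turning validation off) live in the Windows WLAN profile XML that `netsh wlan export profile` writes. The following is an added example, not code from the thread or from Cisco, that parses such a profile and lists the weak settings; the embedded profile is a constructed, trimmed sample with a placeholder SSID and thumbprint, and the element names are those of the PEAP profile schema as assumed here.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample of a `netsh wlan export profile` XML for a PEAP (type 25)
# profile; only the subtree this check reads is kept, and the SSID and the root CA
# thumbprint are placeholders rather than real values.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation>
            <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
            <ServerNames></ServerNames>
            <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
          </ServerValidation>
          <PeapExtensions xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">
            <PerformServerValidation>true</PerformServerValidation>
          </PeapExtensions>
        </EapType>
      </Eap>
    </Config></EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>"""

def _text(root, tag):
    """Text of the first element called `tag` in any namespace, or None if absent."""
    el = root.find(f".//{{*}}{tag}")
    return (el.text or "").strip() if el is not None else None

def audit_profile(xml_text):
    """Return the weak server-validation settings found in one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    findings = []
    # Absent or false means the 'Validate server certificate' box is not ticked.
    if (_text(root, "PerformServerValidation") or "").lower() != "true":
        findings.append("server certificate validation is off: any RADIUS server is accepted")
    # One <TrustedRootCA> per ticked root; none ticked means any root in the machine store passes.
    roots = [r.text.strip() for r in root.findall(".//{*}TrustedRootCA") if r.text and r.text.strip()]
    if not roots:
        findings.append("no trusted root CA selected: any root in the machine store is accepted")
    if not _text(root, "ServerNames"):
        findings.append("no ServerNames set: the certificate is not checked against the ISE hostname")
    if (_text(root, "DisableUserPromptForServerValidation") or "").lower() != "true":
        findings.append("user can be prompted to accept an untrusted server certificate")
    return findings
```

Run it against each exported profile on a reference machine; an empty list means validation is on, a specific root is pinned, the ISE hostname is checked, and the user cannot click through the untrusted-certificate prompt.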