Author Topic: ISE wireless onboarding certificate problems  (Read 2957 times)

savoier
ISE wireless onboarding certificate problems
« on: August 22, 2014, 06:17:52 AM »
Hi,

We are in the process of setting up ISE for wireless onboarding with a single SSID, but we are running into the following problem: the Windows machine will not accept the certificate from our local Microsoft enterprise CA server because it is not in the trusted list. Is there a solution to this problem without adding the CA server to the trusted list manually?

MC
Re: ISE wireless onboarding certificate problems
« Reply #1 on: August 24, 2014, 12:28:49 PM »
The short answer is probably no. If you are dealing with a Windows computer, when the user tries to connect to the SSID, they should be prompted about the untrusted certificate and asked to choose whether to terminate or connect, although I have also seen cases where this does not happen, so you might see inconsistent behavior.

Otherwise, here are the options you have:
1. Make your internal root CA certificate available to the users so they can install it and have it trusted in the wireless profile.
2. Have ISE use a certificate that is signed by a trusted 3rd party CA so users do not need to install the certificate but only need to have the 3rd party root CA trusted in the wireless profile.
3. Disable certificate verification altogether on the wireless profile.

Regardless of the method, you will probably have to include the detailed steps in your user onboarding instructions.

savoier
Re: ISE wireless onboarding certificate problems
« Reply #2 on: August 25, 2014, 05:20:45 AM »
Thank you, MC, for your reply  :)

On option number 2, would you have any detailed instructions on how to do this? We currently have Comodo certs on our 2 policy nodes.


MC
Re: ISE wireless onboarding certificate problems
« Reply #3 on: August 26, 2014, 06:23:00 PM »
For Windows 7/8, under the wireless profile > Security > Settings > Trusted Root Certification Authorities section: find the Comodo root CA cert that issued your cert that you want the client to trust and check the box. If you do not see the cert, you will need to install it.
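
An added example, not part of the thread and not Cisco or Microsoft code: a Python check that reads a Windows WLAN profile XML (the format written by `netsh wlan export profile`) and reports the client-side settings discussed above, namely whether server certificate validation is on and whether a trusted root CA is selected. It assumes a PEAP profile; the sample profile is constructed and trimmed, the thumbprint and server name are placeholders, and the server-name check goes beyond what the thread covers.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed PEAP section of an exported WLAN profile (assumption:
# PEAP; thumbprint and server name below are placeholders, not real values).
PROFILE_TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
    <ServerValidation>
      <ServerNames>{servers}</ServerNames>
      {roots}
    </ServerValidation>
    <PeapExtensions>
      <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
    </PeapExtensions>
  </EapType>
</WLANProfile>"""

def audit_profile(xml_text):
    """Return findings about server-certificate validation in one profile."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        # Match on local element names so namespace versions do not matter.
        values.setdefault(el.tag.rsplit("}", 1)[-1], []).append((el.text or "").strip())
    findings = []
    flag = values.get("PerformServerValidation")
    if flag is None:
        findings.append("PerformServerValidation element not found")
    elif flag[0].lower() != "true":
        findings.append("server certificate validation is disabled")
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no trusted root CA is selected")
    if not any(values.get("ServerNames", [])):
        findings.append("no server name is pinned")
    return findings

# Two constructed profiles: root CA box checked vs. validation switched off.
PINNED = PROFILE_TEMPLATE.format(
    name="corp-byod", servers="ise.example.com", validate="true",
    roots="<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>")
UNCHECKED = PROFILE_TEMPLATE.format(
    name="corp-byod", servers="", validate="false", roots="")

if __name__ == "__main__":
    for label, xml_text in (("pinned", PINNED), ("unchecked", UNCHECKED)):
        print(label, audit_profile(xml_text) or "ok")
```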

ozone007
Re: ISE wireless onboarding certificate problems
« Reply #4 on: February 09, 2015, 11:00:43 AM »
I'm having the same issue now. I am deploying ISE 1.3. Is this procedure still valid for an external CA?

What I have in mind is to generate a certificate and send them that certificate; then they will send us a signed certificate that we need to bind with the generated ISE cert, right?

MC
Re: ISE wireless onboarding certificate problems
« Reply #5 on: February 09, 2015, 08:14:40 PM »
What you just described is how to install a server certificate on ISE. The post is about how to have the BYOD client trust the ISE certificate, which is a client-side setting.

ozone007
Re: ISE wireless onboarding certificate problems
« Reply #6 on: February 14, 2015, 04:46:06 AM »
As I discussed with the client, they don't want to go for purchasing a new cert, so I decided to disable the cert check. How can this be achieved on ISE 1.3, as on the client side the validate cert option is checked by default?

MC
Re: ISE wireless onboarding certificate problems
« Reply #7 on: February 15, 2015, 11:22:24 PM »
There is nothing you can do on ISE to force the user device to trust or not validate the server cert, as those are client settings. An alternative would be to use dual SSID; that way, the user has the option to accept the server cert during the cert warning in the browser when they connect to the onboarding SSID.

 
