ISE EAP authentication Certificate questions

JG1978
Level 1

I am having a bit of trouble grasping something regarding Certificate authentication with ISE.

In our current deployment we have imported our Cert chain signed by our Root CA into Trusted certificates store.

We have set up our wireless authentication process to use the AD-provided Machine certificate, compare it to AD, and allow or deny based on finding the device in AD.

What confuses me is that under System certificates in ISE, we have a SAN cert for all our nodes and its function is listed as Admin, EAP Authentication and RADIUS DTLS. It is set to expire soon and will need to be renewed. This cert was provided by our Windows admins and is signed by our cert-issuing CA. I don't see how this cert is used for our wireless authentication process, as in my mind, when the laptops authenticate, it's using the Machine cert and comparing it to our AD to find a match, and since our cert chain is part of Trusted Certificates, the laptops trust ISE already and ISE trusts our AD environment.

Is the EAP authentication cert listed under System only used if you are pushing the cert from ISE itself for onboarding purposes? If we let this cert expire will our wireless authentication process stop working? I have read the guides but I am just having a hard time with this particular detail so looking for any clarifications.

1 Accepted Solution

@JG1978 it's the EAP authentication certificate on ISE that must be trusted by the client computer to successfully authenticate the endpoints.

"If the client trusts the certificate, the TLS tunnel is formed. The client’s credentials are not sent to the server until after this tunnel is established, thereby ensuring a secure exchange. In a Secure Access deployment, the client is a supplicant, and the server is an ISE Policy Services node." - From the ISE certificates guide - https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897

ISE will perform a lookup against AD (if required) during authorisation (after authentication) to determine any attributes.
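As an added illustration of the two trust checks the answer describes (example code, not from the thread or from Cisco), the Python below builds a constructed Corp Root CA, an ISE EAP certificate and a machine certificate, then runs the supplicant's check on the ISE certificate, ISE's check on the machine certificate, and a stand-in AD lookup. It uses the `cryptography` library; all CA and host names, dates and the AD computer list are assumptions, and an `ise_cert_expired` switch shows what happens when the ISE EAP certificate is allowed to lapse.

```python
# Added example (not from the Cisco thread): toy model of EAP-TLS trust checks; names, dates and the AD list are constructed.
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = dt.datetime(2024, 6, 1)                                       # fixed clock, deterministic run
AD_COMPUTERS = {"LAPTOP01.corp.example", "LAPTOP02.corp.example"}   # constructed stand-in for AD
Y = lambda year: dt.datetime(year, 1, 1)

def make_cert(subject, issuer, issuer_key, not_before, not_after):
    """Generate a key and issue a certificate for it; self-signed when issuer_key is None."""
    key = ec.generate_private_key(ec.SECP256R1())
    cn = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    cert = (x509.CertificateBuilder().subject_name(cn(subject)).issuer_name(cn(issuer))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

def chains_to_trusted(cert, trusted_cas, now):
    """Peer-certificate check: issuer in the trusted store, valid signature, inside validity window."""
    ca = next((c for c in trusted_cas if c.subject == cert.issuer), None)
    if ca is None:
        return False, "issuer not trusted"
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return False, "bad signature"
    if not cert.not_valid_before <= now <= cert.not_valid_after:
        return False, "expired or not yet valid"
    return True, "ok"

def eap_tls_scenario(ise_cert_expired=False, machine_name="LAPTOP01.corp.example"):
    """Laptop validates ISE's EAP cert first; only then does ISE validate the machine cert and query AD."""
    root, root_key = make_cert("Corp Root CA", "Corp Root CA", None, Y(2020), Y(2040))
    ise_eap, _ = make_cert("ise.corp.example", "Corp Root CA", root_key,
                           Y(2020), Y(2023) if ise_cert_expired else Y(2030))
    machine, _ = make_cert(machine_name, "Corp Root CA", root_key, Y(2024), Y(2025))
    ok, why = chains_to_trusted(ise_eap, [root], NOW)         # step 1: supplicant checks ISE's EAP cert
    if not ok:
        return "client rejected ISE EAP certificate: " + why  # no TLS tunnel, so no credentials are sent
    ok, why = chains_to_trusted(machine, [root], NOW)         # step 2: ISE checks the machine cert
    if not ok:
        return "ISE rejected machine certificate: " + why
    cn = machine.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return "access granted" if cn in AD_COMPUTERS else "authorisation failed: not in AD"  # step 3
```

The expired branch fails at step 1, before the machine certificate or AD is ever consulted, which is why renewing the ISE EAP certificate matters even when authorisation is driven by the AD lookup.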

Ok, thank you, so it is needed even though the Machine cert is compared to the AD device lookup.

@JG1978 yes, the EAP authentication certificate is certainly needed and must be trusted by the client device.