ISE 1.2 and multiple certificates

Hello,
    Hopefully someone can answer this question. We have ISE 1.2 set up and running, with 802.1x and user and computer certificates. All is working fine except some users have two user certificates, one from our server and the other from our parent company. When these users log in they get a bubble message saying "additional information is required to connect to the network"; they click on this and they are asked to pick a certificate. If they pick the one from us all works.
Question: is there a way, either in Windows or ISE, to use our certificate by default? The PCs in question all have the Cisco NAC agent, 4.9.43, and are either XP, Windows 7 or 8.
Thanks

Thanks for the response but it's wrong. Cisco supports stacked ports in 1.2 for wired users. They carried over 1.1 documentation to 1.2 and never updated it. We have it in writing from Cisco TAC.

Similar Messages

  • ISE 1.2 and iPEP Certificate Requirements

    Hi,
    For 1.1.x version of ISE, there are some constraints regarding the certificates used for iPEP and Admin:
    Both EKU attributes should be disabled if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled if the server attribute is enabled in the Inline Posture certificate.
    [http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml]
    Does the same thing apply for iPEP in ISE 1.2? The User Guide for ISE 1.2 and the Hardware Installation Guide don't mention anything about EKU and specific certificate attributes.
    Any thoughts?
    Thank you,
    Octavian

    The EKU validation has been removed in version 1.2.
    "If you configure ISE for services such as Inline Policy Enforcement Point (iPEP), the template used in order to generate the ISE server identity certificate should contain both client and server authentication attributes if you use ISE Version 1.1.x or earlier. This allows the admin and inline nodes to mutually authenticate each other. The EKU validation for iPEP was removed in ISE Version 1.2, which makes this requirement less relevant."
    Source:
    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml

  • MomCertImport and multiple certificates

    I cannot find this information anywhere on the net. Here is the scenario.
    I have a fully deployed SCOM 2012 environment and multiple gateway servers that are functioning without any issues. Agents in the untrusted domains are reporting to the gateway servers as designed. The mutual authentication is working as designed as the certs use the same trusted Root Certificate Authority.
    Here is my question:
    I want to add another gateway server for a DMZ that doesn't use the same trusted Root Certificate Authority. In my lab I run MomCertImport.exe on the gateway server. This works fine, but when I run MomCertImport.exe on the management server it replaces the current certificate in the registry, which in turn breaks the other gateways.
    What is the best supported approach to resolve this? Standing up more servers? Is this documented anywhere?

    I believe both the management server and gateway need to trust the same CA. However, theoretically, if these can both "see" each CA, you should be able to import the root CA chain on both machines and everything should pan out ok. If they cannot both see each CA, then I think you're out of luck - unless you opt for an internet-trusted root CA, and that costs $.
    Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)

  • Cisco ISE NDES EAP and HTTP certificates from different CA

    Hi guys, hope this is something you can help with…
    2 x ISE 1.2 (patch 5) 3415 appliances with hostnames webproxy1.customerdomain.com and webproxy2.customerdomain.com
    AD integration with customerdomain.local
    Guest authentication (CWA) using a separate interface on the ISE appliance (Gigabit 1) routing into its own VRF for isolation
    Corporate authentication is using EAP-TLS which is working fine
    BYOD using NSP with SCEP for iPads only at this stage using NDES on <customerdomain.local>
    I have installed a signed GlobalSign server certificate for HTTPS for guests (with SAN fields webproxy1.customerdomain.com and webproxy2.customerdomain.com)
    I have also installed a signed server certificate from the customer's CA for EAP (with CN of psn.customerdomain.local and SAN fields psn.customerdomain.local , webproxy1.customerdomain.com and webproxy2.customerdomain.com)
    The issue I have is that if the two certificates are assigned for EAP and HTTP respectively, the NSP process fails to generate a certificate through SCEP to the NDES server.
    As soon as I use the same internally signed certificate for HTTP and EAP it works, this then causes a problem with the HTTPS certificate being trusted by guests.
    This does not work with the GlobalSign certificate being used for both HTTPS and EAP, only the internal one works.
    Can you confirm if it is a valid design to have the ISE use one certificate for HTTPS and another for EAP signed by different CAs? It appears it has to be the internal CA used in the SCEP process for it to work.
    Thanks
    Andy

    I have now tested this with a test HTTP cert signed by a public CA and an EAP cert signed by my internal CA, and SCEP works fine. I am wondering if this is a certificate tier length issue. My working example has RootCA->IssuingCA->Cert. It fails with a cert with a 3-tier hierarchy RootCA->IntermediateCA->IssuingCA->Cert.
    Can anyone confirm this works on other deployments with a 3-tier certificate chain with SCEP?
    Thanks

  • ISE 1.3 and multiple authorization conditions

    I am building an ISE 1.3 box and I want to know if the following is doable
    I have an AD forest that has several user groups configured:
    corporate
    BYOD
    demo
    What I want to do, is use these groups to assign wireless users to the correct VLAN based on membership of the above groups AND the type of device they are connecting from.
    e.g. user1 logs into the wireless network from a Mac, and they belong to the corporate user group. I would like them to be put on the corporate VLAN.
    However, if they log in from their iPhone and also belong to the BYOD group, they get put on the BYOD VLAN that has restricted access.
    I am assuming I should add user1 to both the corporate and BYOD AD groups, then use conditions to determine what kind of device they are using, and then create an authorization profile to manage what VLAN they get dropped into. Then use an Airespace ACL to determine what resources they have access to.
    Unfortunately the interface has changed quite a bit from 1.2 to 1.3 and I am not sure if this is doable.

    Thanks Mark, this is essentially what I ended up doing. I set up a new SSID to onboard the devices, on which I force them to a sponsored-guest type of portal. I ask them for AD credentials and then use the native supplicant to configure an EAP-TLS connection to the proper SSID.
    I did find out, from Cisco TAC, there is a new way to identify what VLAN the user should be put on. This is done in the Auth Profile.  You can use the directive "Airespace-Wlan-ID"
    In the provisioning process, I profile the device and check if it's a corporate asset or BYOD, then I check to see if it belongs to the proper AD group; it gets a specific provisioning profile which includes the proper SSID for the VLAN they want to connect to. I then created a WLAN for each of the VLANs and attached it to the right interface on the WLC. I created appropriate ACLs on the WLC, then I named those ACLs in the authorization profile.
    When the user goes through the provisioning process, they will be put on the proper WLAN based on AD membership and the type of device.  Only EAP-TLS connections are allowed on the Corp/Demo and BYOD networks.
    If user1 belongs to the Demo and BYOD AD Groups, their laptop will provision on the Demo Network and their IPhone will provision on the BYOD.
    The only gotcha is that if the user wants to change from one network to another, they need to re-provision their device.

  • Web services and multiple certificates

    I originally posted this question in the SOA forum, but someone suggested this forum as well. So, here we go...
    Hi, I am trying to consume a secure web service on ECC 6.0 - so far without much luck.
    When I try to connect to the WS server, it seems there are three certificates in action: a CICS certificate for establishing the SSL connection, a 'root' certificate from the PKI certificate issuer, and a private certificate issued by the above issuer (please forgive me if I have the syntax wrong - certificates are not my primary line of work). So, using Trust Manager (STRUST), I have created a PSE named 'OES' and imported all three certificates into it.
    In SOAMANAGER I have set up the end-point using the WSDL-file and set the following parameters:
    - Authentication Method = X.509 Client Certificate
    - Trustworthiness Method = Holder of Key
    - Issuer = <issuer from the root certificate>
    - Name of Attester = <blank>
    - Validity of SAML Assertion = 180
    - Caching of SAML Assertions = False
    - Attester System Destination = <blank>
    - Name of Attester = <blank>
    - User = SRxxxWS
    - Password = <blank>
    - Client PSE = OES
    When I try to consume the web service, I can see in the log files that the CICS certificate is used for establishing the SSL connection, but all I receive back is an HTTP 403 "Client Authentication Error". If I remove the CICS certificate from the PSE, the connection is not made.
    How do I make the client certificate available for the connection? Have I approached the problem from the wrong side? Has anybody experienced something similar? Any help will be highly appreciated.
    Thanks,
    Bo

    Thanks for the reply! I'm no expert either, that's why I'm here!
    Yes, the certificate for the server is loaded. I'm doing this all on one machine, so I just loaded its own server certificate into the trust store. The problem is the server is protected by client authentication via certificates. I guess I'm relating this to a regular request, where if you have a server that requires certificates, you can pass along the cert in a CFHTTP call with the clientCert parameter. Here we are calling a page that invokes the web service, which is really another request. This is where the issue is, since I don't see how to send along the certificate information in the invoke call.
    Thanks for the help!

  • Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

    Hello,
    I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
    In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
    Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
    Any way to resolve this?
    Thanks,
    Steve

    You need to use the AnyConnect NAM supplicant on your Windows machines, and use the feature called EAP chaining for that; Windows' own supplicant won't work.
    An example (uses user/pass though, but same concept):
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
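As an added example (not code from this thread or from Cisco ISE), the Go program below constructs the two certificate shapes described above, a machine certificate with SAN:DNS and a user certificate carrying a Microsoft UPN in SAN:otherName, and applies CAP1 then CAP2 in order, which shows why each profile alone fails on the other shape; the hostnames, the UPN and the function names are assumed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var oidSubjectAltName, oidUPN = asn1.ObjectIdentifier{2, 5, 29, 17}, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // id-ce-subjectAltName, Microsoft UPN type-id
// otherName mirrors OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }; Value keeps its [0] wrapper raw.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue
}

// upnSAN builds a SubjectAltName extension with one otherName of type UPN, as on a smart-card user cert (sample data).
func upnSAN(upn string) pkix.Extension {
	inner, _ := asn1.MarshalWithParams(upn, "utf8") // Marshal cannot fail on these fixed inputs
	on := otherName{oidUPN, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: inner}}
	name, _ := asn1.MarshalWithParams(on, "tag:0") // GeneralName otherName is [0] IMPLICIT
	names, _ := asn1.Marshal(asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true, Bytes: name})
	return pkix.Extension{Id: oidSubjectAltName, Value: names}
}

// selfSigned mints a throwaway certificate from tmpl (constructed sample, not a real PKI).
func selfSigned(tmpl *x509.Certificate) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = big.NewInt(1), time.Now(), time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// sampleCerts returns the two shapes from the question: machine (SAN:DNS) and user (SAN:otherName UPN).
func sampleCerts() (machine, user *x509.Certificate) {
	machine = selfSigned(&x509.Certificate{Subject: pkix.Name{CommonName: "host01"}, DNSNames: []string{"host01.corp.example"}})
	user = selfSigned(&x509.Certificate{Subject: pkix.Name{CommonName: "Alice"}, ExtraExtensions: []pkix.Extension{upnSAN("alice@corp.example")}})
	return machine, user
}

// upnFromSAN is CAP2: crypto/x509 ignores otherName, so walk the GeneralNames by hand; malformed input just yields false.
func upnFromSAN(c *x509.Certificate) (string, bool) {
	for _, ext := range c.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var seq asn1.RawValue
		asn1.Unmarshal(ext.Value, &seq) // GeneralNames ::= SEQUENCE OF GeneralName
		for rest := seq.Bytes; len(rest) > 0; {
			var gn, on, upn = asn1.RawValue{}, otherName{}, ""
			if rest, _ = asn1.Unmarshal(rest, &gn); gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue // dNSName, rfc822Name, iPAddress ... are not otherName
			}
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil || !on.TypeID.Equal(oidUPN) {
				continue // an otherName of some other type
			}
			if _, err := asn1.Unmarshal(on.Value.Bytes, &upn); err == nil {
				return upn, true
			}
		}
	}
	return "", false
}

// principalUsername applies CAP1 (SAN:DNS), then CAP2 (SAN:otherName UPN): the fall-through a single CAP cannot express.
func principalUsername(c *x509.Certificate) (string, bool) {
	if len(c.DNSNames) > 0 {
		return c.DNSNames[0], true // CAP1 matched: machine certificate
	}
	return upnFromSAN(c) // CAP2: user certificate
}
```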

  • ISE EAP-Chaining with machine, certificate and domain credentials

    Good morning,
    A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
    Corp. wireless to authenticate with 2-factor authentication:
    1. Certificate
    2. Machine auth through AD
    3. Domain creds
    When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
    Clients are Windows laptops and corporate iPhones.
    Certs can be issued thru GPO and MDM for iPhones
    Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
    My first question is: can this be done?
    Second question: how would i implement this from an AuthC/AuthZ perspective?
    Thanks in advance,
    Andrew

    You can do this by configuring AnyConnect with NAM modules on the endpoints! But it doesn't make sense to configure some clients with certificates and others with domain credentials...
    For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and I'm getting some problems. The first one I got with Windows 8: for some reason Windows was sending wrong information about the machine password, but I solved the problem by installing a KB on the Windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with Windows 7, which is sending correct information about the domain but wrong information about the user credentials; in the ISE logs I can see that Windows 7 is sending user "anonymous" + machine name on the first login... after Windows 7 starts, if I remove the cable and connect again, the authentication and authorization happen correctly. I am still investigating the root cause and whether there is a KB to solve the problem as I did with Windows 8.
    Good luck and keep in touch.

  • EAP-TLS and ISE 1.1 with AD certificates

    Hello,
    I am trying to configure EAP-TLS authentication with AD certificates.
    All ISE servers are joined to AD
    I have the root certificate from the CA for Active Directory installed on the ISE servers
    I created the certificate authentication profile using the root certificate
    I have PEAP\EAP-TLS enabled as my allowed protocol
    I am getting the following error for authentication:
    "11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12301  Extracted EAP-Response/NAK requesting to use PEAP instead
    12300  Prepared EAP-Request proposing PEAP with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318  Successfully negotiated PEAP version 0
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12814  Prepared TLS Alert message
    12817  TLS handshake failed
    12309  PEAP handshake failed"
    I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
    Any other issues I am missing?
    Thanks,
    Michael Wynston
    Senior Solutions Architect
    CCIE# 5449
    E-Plus
    http://www.eplus.com

    Please review the below link which might be helpful :
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf
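Added here as a worked triage example (not code from the thread or from Cisco): a Go routine that walks the step list posted in the question above in order and reports the cause rather than only the final "handshake failed" lines, assuming the step wording shown there. It flags the 12301 NAK, where the supplicant refuses EAP-TLS and asks for PEAP, and the 12814 alert that ISE itself produced right after the ClientHello.

```go
package main

import (
	"fmt"
	"strings"
)

// Step list as posted in the question (ISE authentication report, steps only).
const sampleSteps = `
11507  Extracted EAP-Response/Identity
12500  Prepared EAP-Request proposing EAP-TLS with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12301  Extracted EAP-Response/NAK requesting to use PEAP instead
12300  Prepared EAP-Request proposing PEAP with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318  Successfully negotiated PEAP version 0
12800  Extracted first TLS record; TLS handshake started
12805  Extracted TLS ClientHello message
12814  Prepared TLS Alert message
12817  TLS handshake failed
12309  PEAP handshake failed`

// Finding ties a conclusion to the step code that justifies it.
type Finding struct {
	Code, Summary string
}

// firstWord returns the first whitespace-delimited token of s, or "" if there is none.
func firstWord(s string) string {
	if f := strings.Fields(s); len(f) > 0 {
		return f[0]
	}
	return ""
}

// triageEAPSteps reads the steps in order and reports which method the supplicant
// NAKed and which side of the TLS handshake produced the alert.
func triageEAPSteps(steps string) []Finding {
	var out []Finding
	proposed, negotiated, prev := "", "", ""
	for _, line := range strings.Split(strings.TrimSpace(steps), "\n") {
		code, msg, ok := strings.Cut(strings.TrimSpace(line), " ")
		if !ok {
			continue
		}
		msg = strings.TrimSpace(msg)
		switch {
		case strings.HasPrefix(msg, "Prepared EAP-Request proposing "):
			proposed = firstWord(strings.TrimPrefix(msg, "Prepared EAP-Request proposing "))
		case strings.HasPrefix(msg, "Extracted EAP-Response/NAK requesting to use "):
			want := firstWord(strings.TrimPrefix(msg, "Extracted EAP-Response/NAK requesting to use "))
			out = append(out, Finding{code, fmt.Sprintf("supplicant refused %s and asked for %s: the client is not configured for %s, so server-certificate trust is not the first problem", proposed, want, proposed)})
		case strings.HasPrefix(msg, "Successfully negotiated "):
			negotiated = firstWord(strings.TrimPrefix(msg, "Successfully negotiated "))
		case msg == "Prepared TLS Alert message" && prev == "12805":
			out = append(out, Finding{code, fmt.Sprintf("ISE itself answered the ClientHello with a TLS alert, so the %s handshake broke on the ISE side before any client certificate was involved (check the local certificate bound to EAP); a client-side rejection shows as 12321 instead", negotiated)})
		case strings.HasSuffix(msg, "handshake failed"):
			out = append(out, Finding{code, msg})
		}
		prev = code
	}
	return out
}

func main() {
	for _, f := range triageEAPSteps(sampleSteps) {
		fmt.Printf("%s: %s\n", f.Code, f.Summary)
	}
}
```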

  • Cisco ISE Admin and EAP certificate renewal

    Hi board,
    maybe I'm asking a rather dumb question here, but anyway :)
    I'm currently thinking about how to renew an admin/EAP certificate on an ISE node and the effect on the endpoint authentication.
    Here's the thing I do, when I initially install an ISE node
    1.) CSR creation on ISE (PAN) - CN=$FQDN$ and SAN="fqdn as well"
    2.) Sign CSR and bind certificate on ISE node - done
    Now after 10 months or so (if the certificate is valid for one year) I want to renew the ISE admin/EAP certificate.
    CSR creation: I cannot use the $FQDN$ as the CN, because there is still the current certificate (CN must be unique in the store, right?)
    So what to do now? Do I really need to create a temporary SSC and make it the admin/EAP certificate, delete the current certificate and then create a new CSR? There must be a better and more important non-disruptive way of doing this.
    How do you guys do this in your deployments?
    Thanks in advance and sorry again if this is a silly question.
    Johannes

    You can install a new certificate on the ISE before it is active. Cisco recommends that you install the new certificate before the old certificate expires. This overlap period between the old certificate expiration date and the new certificate start date gives you time to renew certificates and plan their installation with little or no downtime. Once the new certificate enters its valid date range, enable the EAP and/or HTTPS protocol. Remember, if you enable HTTPS, there will be a service restart.
    Certificate Renewal on Cisco Identity Services Engine Configuration Guide
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

  • ISE EAP SSL/TLS Tunneling Certificates

    Hi,
    I am working on an ISE implementation that is going to perform authentication across several domains using LDAP. The domains that I have in my environment are a production and a pre-production/testing domain. Currently my ISE appliances are joined to the production AD and are using certificates from the CA in our production AD. The problem I am having is I can only assign one Local Certificate for use for SSL/TLS tunneling for EAP authentications. This means that when I try to authenticate a device that is not part of the production Active Directory (pre-production), using the separate LDAP instance as an identity store, it's attempting to create a tunnel using a cert that is not from the pre-production CA, and thus fails with the following error...
    Authentication failed :
    12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    This is because the device built in pre-production does not have the production CAs as trusted entities. My question is, is it possible to define multiple certificates from separate CAs for use for SSL/TLS tunneling?
    Cheers

    Hello,
    This error means that the supplicant does not trust the ISE PSN certificate.
    Resolution:
    Check whether the proper server certificate is installed and configured for EAP
    by going to the Local Certificates page (Administration > System > Certificates > Local Certificates ).
    Also ensure that the certificate authority that signed this server certificate is correctly installed in the client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more information.

  • Multiple Certificates for the same WLS

    Hi,
    IHAC who asks the following:
    Background
    Bigshop Limited carried out a soft launch of our e-tailing website under the URL fonzie.bigshop.com.au. We have a Verisign certificate set up for 128-bit SSL under the known name fonzie.bigshop.com.au. All SSL connections that connect to the site with this URL are able to establish an SSL session.
    Current Issue
    Bigshop is now in the process of carrying out the public launch of the website. The public URL for the website will be www.bigshop.com.au. We have generated a new public/private key pair and a Certificate Signing Request (CSR) and have ordered a new certificate from Verisign. Could you please advise if it is possible to operate two certificates for the one server. This will allow our www.bigshop.com.au and fonzie.bigshop.com.au URLs to operate concurrently and enable both to establish SSL sessions with valid certificates.
    Is what they want to do possible? Any suggestions appreciated,
    regards,
    Patrick.

    Did you ever figure out how to use multiple certificates on the same server? I have a need to do this also. Thanks a lot.
    In current versions of weblogic (5.1,6.x,7.0,8.1), you can configure only
    one certificate per server.
    -utpal

  • Is it possible to use certutil to export multiple certificates from a local client machine store, to a .p7b file?

    Is it possible to use certutil to export multiple certificates from a local client machine store, to a .p7b file?
    Scenario: We have a few legacy certificates based on some legacy templates (2012 R2). Some belong to an old SubCA (2008 R2).
    I can manually export them using the certmgr MMC on the local machine to a single .p7b, e.g. cert_backupNEW.p7b. But this is not a practical solution for me and I want to achieve this remotely via certutil or some other util that comes with Windows 7 machines.
    I’ve already worked out how to run a certutil command to add the certs back into the store e.g.
    certutil.exe -addstore -f my cert_backupNEW.p7b
    Is there a way to export multiple certs to a single backup cert, or is what I’m trying to do not possible with multiple certs?
    TC

    Something like this:
    # Open the LocalMachine\My store read-only
    $store = New-Object Security.Cryptography.X509Certificates.X509Store "my","localmachine"
    $store.Open("ReadOnly")
    # Export the whole collection (certificates plus private keys) as one PFX blob
    $bytes = $store.Certificates.Export("pfx","password")
    # Export returns a byte[], so write raw bytes; without -Encoding Byte the file is written as text and is not a valid PFX (PowerShell 7 uses -AsByteStream instead)
    Set-Content -Path exportedcerts.pfx -Value $bytes -Encoding Byte
    $store.Close()
    Note that this command will fail if there are certificates with non-exportable keys. You cannot export certificates with non-exportable keys.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.

  • ISE 1.3 and NAC

    I have a customer running 5508 WLCs across the estate, and I'm retrofitting IEEE802.1x authentication for the corporate WLAN, and WebAuth for the Guest WLAN...they have PSK at the moment :(
    They have AD and are showing great interest in ISE and NAC, so my immediate thoughts are to integrate ISE with AD, and use ISE as the RADIUS server for .1x on the WLC. Then use the WLC and ISE to do WebAuth for Guest...This is all standard stuff, but it gives the background.
    Now we get to the interesting bit...they want to run BYOD. They are involved in financial markets, so the BYOD needs to be tightly controlled. They are asking about ISE coupled with NAC, but I'm not convinced I need NAC since the arrival of ISE1.3. Obviously, I will be looking at three (min) SSIDs, namely corporate, guest and BYOD, all logically separate. I don't need anything that ISE 1.2 can't support on corporate and guest, but BYOD needs full profiling and either barring or device remediation before access to the net.
    Has anyone got any comments or suggestions? Is ISE 1.3 sufficiently NAC-like that I don't need it any more, or if that's not the case, what additional benefits does it bring that ISE can't support
    Thanks for any advice/comments/experiences
    Jim

    Hi Jim-
    Version 1.3 offers a built-in PKI and a vastly improved guest services experience. The internal PKI is nice if the customer doesn't have a PKI solution in place. Keep in mind though that the internal ISE PKI can only issue certificates to BYOD devices that were on-boarded via the ISE BYOD "flow", so you cannot use the ISE PKI to issue certs to domain computers.
    With regards to NAC: You will have to clarify exactly what is needed here. If you needed to perform "posture assessment" then ISE can do it for Windows and OSX based machines. You can check for things like: A/V, A/S, Firewall Status, Windows Patches, etc. If you want to perform posture on mobile devices then you will need to integrate ISE with an MDM (Mobile Device Management) solution such as: Airwatch, Mobile Iron, Maas360, etc. ISE can query the MDM for things like: Is the device protected with a PIN, is the device rooted, is the device encrypted, etc.
    I hope this helps!
    Thank you for rating helpful posts!

  • Multiple certificate stored in Browser

    I run certificate request using https://.../oca/sso_oca_link and also /oca/user.
    eg. with these User DN:
    => cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
    => cn=tova,cn=users,dc=subdom,dc=mydomain,dc=com
    => cn=ferry,cn=users,dc=subdom,dc=mydomain,dc=com
    Requesting a certificate several times from the same PC using several user accounts results in multiple certificates stored in the browser.
    When visiting my secure website using Internet Explorer 6, a window is raised that lists these:
    "users"
    "users"
    "users"
    Using Netscape Navigator 7.1, a window appears with a bit more information displayed:
    "users's myOrganisation"
    "users's myOrganisation"
    "users's myOrganisation"
    and some explanation eg
    Issued to:
    Subject: CN=ferry, CN=users, DC=subdom, DC=domain, DC=com
    Serial Number: 1C
    Valid from 23/09/2005 14:53:42 to 23/09/2006 14:53:42
    Issued by:
    Subject: CN=MyCcertificate Authority,...
    How do I display the USER NAME (according to CN) in the list instead of "users"?
    Or is this the expected behaviour?
    TIA,
    ferry

    Ok. I've found the solution.
    For reference to all you guys:
    import java.io.ByteArrayInputStream;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    ByteArrayInputStream bais = new ByteArrayInputStream((byte[]) attr.get()); // attr: the LDAP userCertificate attribute, its value is raw DER
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509Certificate cert = (X509Certificate) cf.generateCertificate(bais); // cert.getSubjectX500Principal() then yields the CN to display
