Cisco ISE Allowing Expired Endpoint Certificates

khalid_mahmood
Level 4

We have a unique situation: a customer deployment where Windows machines are built with a machine certificate and stored in various locations ready for deployment. However, the issuing certificate server expires soon, which means that these machine certificates would have expired before they are unboxed and allowed to do the normal certificate auto-enrolment. Cisco ISE will deny access to expired certificates, which is the default behaviour as I understand it; see the extract below:

"User and Endpoint Certificate Renewal

By default, Cisco ISE rejects a request that comes from a device whose certificate has expired. However, you can change this default behavior and configure ISE to process such requests and prompt the user to renew the certificate."

Question 1 - Is this for ISE internal CA-issued certs or any organisation CA certs?

Question 2 - I found an article which says you can change this by looking at the "CertRenewalRequired" authorisation condition. Will this work for an organisation's Microsoft CA-issued certs, i.e. a Mycompany.com CA server cert on the client? Can we permit access if the cert is expired using this authorisation check?

"Authorization Policy Condition for Certificate Renewal

You can use the CertRenewalRequired simple condition (available by default) in authorization policy to ensure that a certificate (expired or about to expire) is renewed before Cisco ISE processes the request further."

Thanks, Khalid
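As an added illustration (not part of the original thread) of the reasoning in the question: an AD CS issuing CA will not issue a certificate that outlives its own certificate, so machine certs issued shortly before the CA expires are truncated and can already be expired on unboxing day. The script below, using a constructed CA expiry date, template validity and build inventory (all assumptions, not values from the thread), lists which staged machines would need re-enrolment before their first 802.1X attempt.

```python
from datetime import date, timedelta

# Constructed scenario values (assumptions, not taken from the forum thread):
# the issuing CA certificate's expiry and the machine template's validity.
CA_NOT_AFTER = date(2019, 6, 30)
TEMPLATE_VALIDITY = timedelta(days=365)

# Constructed inventory of staged Windows builds: (hostname, cert issue date).
STAGED = [
    ("WS-0101", date(2018, 3, 1)),   # issued early: gets the full template year
    ("WS-0102", date(2019, 1, 15)),  # issued late: validity truncated to CA expiry
    ("WS-0103", date(2019, 2, 10)),  # also truncated to CA expiry
]


def effective_not_after(issued_on, ca_not_after=CA_NOT_AFTER,
                        template_validity=TEMPLATE_VALIDITY):
    """Expiry an AD CS issuing CA actually writes into a leaf certificate.

    AD CS will not issue a certificate that outlives the CA certificate, so
    the template validity is capped at the CA's own notAfter. Machines built
    shortly before the CA expires therefore get very short-lived certs.
    """
    return min(issued_on + template_validity, ca_not_after)


def triage_prestaged_machines(inventory, deployment_date):
    """Split staged machines into those whose machine cert is still valid on
    unboxing day (first 802.1X attempt) and those that must re-enrol first.

    Returns {'ok': [hostname, ...],
             'reenrol': [(hostname, not_after, days_expired), ...]}.
    """
    result = {"ok": [], "reenrol": []}
    for hostname, issued_on in inventory:
        not_after = effective_not_after(issued_on)
        if deployment_date <= not_after:
            result["ok"].append(hostname)
        else:
            days_expired = (deployment_date - not_after).days
            result["reenrol"].append((hostname, not_after, days_expired))
    return result


if __name__ == "__main__":
    for wave in (date(2019, 4, 15), date(2019, 8, 1)):
        report = triage_prestaged_machines(STAGED, wave)
        print(f"Unboxing {wave}: OK={report['ok']}")
        for hostname, not_after, days in report["reenrol"]:
            print(f"  re-enrol {hostname}: cert expired {not_after} ({days} days before deployment)")
```

Any machine in the re-enrol list will be rejected by ISE's default expired-certificate handling and needs a valid certificate (or, as the accepted answer suggests, a non-certificate machine credential) before it is deployed.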

Accepted Solution

kthiruve
Cisco Employee

Khalid,

Machine authentication with certs is typically used with 802.1x and a Microsoft (MS) CA. Your MS CA infrastructure is integrated with AD. The ISE internal CA will work with BYOD devices and cannot be used for 802.1x machine authentication.

Cert renewal policy conditions typically apply to the internal CA. If you have an external CA, ISE does request cert renewal if it is a SCEP proxy or is configured as an RA. Again, this is applicable only to the BYOD flow.

So your best option at this point is not to use machine auth using certs and maybe use machine credentials, since this is already part of AD I assume. Then re-enrol your machines for certificates once the CA server is corrected.

Thanks

Krishnan
