ISE Clients Expired Certificate

de1denta
Level 3
Hi All,

I'm currently designing an ISE deployment that will use EAP-TLS authentication with Microsoft CA-assigned certificates, and I want to clarify the behaviour when the client certificate expires. Does ISE carry out basic checks such as certificate expiry, etc.? If so, what is the best solution to identify expired certificates and allow clients to connect to a remediation network to renew the certificate?

Ideally we would configure AD to automatically renew expiring certificates early; however, we have a large number of users outside of the office who do not regularly connect to the VPN/LAN, so their certificates may expire, resulting in failed authentication when they do return to the office.

Should this be a concern?

Thank you

1 Reply

Hi,
If configured, the Windows GPO should be set to auto-renew at least 2-3 months before expiration. If need be, you can configure ISE to accept expired certificates.

Go to Policy > Policy Elements > Results > Authentication > Allowed Protocols > Default Network Access (or whatever new allowed protocols list you are using). Under Allow EAP-TLS, tick the box to allow expired certificates.

You can add conditions in an authorization rule such as CERTIFICATE Days to Expire (Value) and CERTIFICATE Is Expired (TRUE|FALSE), and then create a specific rule so that if a certificate is expired, a DACL is applied and only limited resources are allowed (AD, to sync GPO). If the certificate has not expired, they'd hit the normal rules.

HTH
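The reply above covers the ISE side (allow expired certificates in the allowed-protocols list, then branch on CERTIFICATE Days to Expire / Is Expired in authorization). The client side of the same problem, spotting a user's EAP-TLS certificate before it crosses that threshold and kicking autoenrollment while the machine still has line of sight to AD and the CA, is shown below as an added example; it is not code from the thread or from Cisco. It assumes the EAP-TLS certificate sits in the user's personal store, carries the Client Authentication EKU, and was issued from a template whose name is passed as $TemplateName (the default 'ISEUserAuth' is a placeholder); the template-name extraction relies on the Microsoft template extensions and on how .NET's Format() renders them, and `certutil -pulse` is used on the assumption that it fires the autoenrollment task for the context it runs in.

```powershell
# Added example, not part of the original thread. Reports days-to-expire for the
# user's EAP-TLS certificate(s) and, if none is outside the renewal window, triggers
# autoenrollment so the renewal happens now rather than at the next GPO pulse.
param(
    [string]$TemplateName   = 'ISEUserAuth',  # ASSUMED template name; change to yours
    [int]$RenewBeforeDays   = 60              # renewal window, per the 2-3 month advice above
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth

function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        # V2 templates: "Certificate Template Information"; Format() yields text
        # containing "Template=<name>(<oid>)" (assumed rendering).
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.21.7') {
            $text = $ext.Format($false)
            if ($text -match 'Template=([^(\r\n]+)') { return $Matches[1].Trim() }
        }
        # V1 templates: "Certificate Template Name" holds the bare name.
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.20.2') {
            return $ext.Format($false).Trim()
        }
    }
    return $null
}

function Get-EapTlsCertificate {
    # Only certs with a private key, the client-auth EKU and the expected template
    # can actually be presented by the supplicant for EAP-TLS.
    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        if (-not $cert.HasPrivateKey) { continue }
        $hasClientAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid }
        if (-not $hasClientAuth) { continue }
        if ((Get-CertTemplateName $cert) -ne $TemplateName) { continue }
        $cert
    }
}

function Test-CertificateExpiry {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Same two facts ISE can match on: days to expire and whether it is already expired.
    $daysToExpire = [math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Subject      = $Cert.Subject
        Thumbprint   = $Cert.Thumbprint
        NotAfter     = $Cert.NotAfter
        DaysToExpire = $daysToExpire
        IsExpired    = ($daysToExpire -lt 0)
        NeedsRenewal = ($daysToExpire -lt $RenewBeforeDays)
    }
}

$certs = @(Get-EapTlsCertificate)
if ($certs.Count -eq 0) {
    Write-Warning "No EAP-TLS certificate from template '$TemplateName' with a private key in Cert:\CurrentUser\My."
    exit 2
}

$report = $certs | ForEach-Object { Test-CertificateExpiry $_ }
$report | Format-Table Subject, NotAfter, DaysToExpire, IsExpired, NeedsRenewal -AutoSize

$healthy = @($report | Where-Object { -not $_.NeedsRenewal })
if ($healthy.Count -gt 0) {
    exit 0   # at least one cert is comfortably inside its validity period
}

# Every usable cert is inside the renewal window (or already expired): pulse
# autoenrollment now. This only succeeds when the client can reach AD and the CA,
# which is exactly what the remediation DACL in the reply above is meant to permit.
Write-Host "All EAP-TLS certificates need renewal; triggering autoenrollment."
certutil -pulse | Out-Null
exit 1
```

Run it in the user's context (a logon script or a scheduled task on VPN connect fits), with $RenewBeforeDays set to something larger than the "Days to Expire" value you put in the ISE authorization rule, so the client renews before ISE ever has to drop it into the remediation network. The exit code distinguishes "fine" (0), "renewal attempted" (1) and "no suitable certificate at all" (2), the last of which is worth alerting on since that user will fail EAP-TLS outright.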