ISE Dot1.x Certificates and OCSP

netops4
Level 1

So I'd like to use ISE to authenticate then authorise a device based on an external CA presented during 802.1x. I'd also like ISE to use an OCSP check for the validity of this cert.

What are the steps to get this to work? Do I need to import the root CA into ISE? How do I configure ISE to use OCSP?

What would the authentication match statement look like?

4 Replies

@netops4 you import the root certificate into ISE "trusted certificates"; under that certificate you configure certificate status validation to use OCSP.

For AuthC match you can match on EAP-TLS; for AuthZ you can match on an attribute from the certificate (certificate template, issuer, etc.).

If you want to perform a lookup against AD you can also use a Certificate Authentication Profile (CAP).
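The two checks the reply describes (chain validation against the root in Trusted Certificates, then an OCSP status lookup) can be rehearsed locally before touching ISE. The script below is an added example, not code from the thread or from Cisco: it builds a throwaway CA and supplicant certificate, runs openssl's built-in OCSP responder offline against a "good" and a "revoked" CA index, and pulls out the issuer DN that an AuthZ rule could match. All names, serials and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway CA and client cert,
# then runs locally the checks ISE applies to a certificate presented over
# EAP-TLS: chain validation against the trusted root and an OCSP lookup.
# Every name, serial and path below is constructed for this demo.
set -e
W=$(mktemp -d); cd "$W"

# Root CA: the certificate an ISE admin would import into Trusted Certificates.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo Root CA" -days 30 2>/dev/null
# Supplicant certificate issued by that CA, serial 1000 (hex 03E8).
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=laptop01.example.test" 2>/dev/null
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -set_serial 1000 \
  -out client.pem -days 30 2>/dev/null

# Two CA index files for openssl's built-in OCSP responder (tab separated:
# status, expiry, revocation time, serial, file, subject). Same cert, but
# the second index marks it revoked, as the CA would after a lost laptop.
printf 'V\t400101000000Z\t\t03E8\tunknown\t/CN=laptop01.example.test\n' > idx_good.txt
printf 'R\t400101000000Z\t240101000000Z\t03E8\tunknown\t/CN=laptop01.example.test\n' > idx_revoked.txt

# Check 1: does the presented cert chain to the trusted root? (exit status)
chain_ok() { openssl verify -CAfile ca.pem client.pem >/dev/null 2>&1; }

# Certificate attribute an AuthZ rule could match: the issuer DN (RFC 2253).
cert_issuer() {
  openssl x509 -in client.pem -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Check 2: ask a responder backed by index file $1 for the cert's status.
# The request is written to a file, answered offline by the responder, and
# the signed response is verified against the root as a relying party would.
# -no_nonce keeps the two independently built requests comparable.
ocsp_status() {
  openssl ocsp -issuer ca.pem -cert client.pem -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -index "$1" -CA ca.pem -rsigner ca.pem -rkey ca.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  openssl ocsp -issuer ca.pem -cert client.pem -no_nonce -respin resp.der \
    -CAfile ca.pem 2>/dev/null | sed -n 's/^client\.pem: //p'
}

# Stand-alone run: a valid chain is still rejected once the CA revokes the cert.
chain_ok && echo "chain: OK (issuer $(cert_issuer))"
echo "OCSP before revocation: $(ocsp_status idx_good.txt)"
echo "OCSP after revocation:  $(ocsp_status idx_revoked.txt)"
```

Point the same `openssl ocsp -url` style query at your real responder (with `-issuer` set to the CA you imported into ISE) to confirm it answers before enabling certificate status validation in the trusted-certificate entry.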

If it's a distributed deployment of ISE, is it just a case of literally importing the root CA to the Primary Admin node? Or do I somehow need to get the cert onto all the PSNs too?

You just need to do that on the PAN.