Certificate Renewal Flow for Wired BYOD (Windows, Mac) endpoints

nved (Cisco Employee)

We are working with a healthcare customer, which is looking to allow personal Windows and Apple Mac endpoints to access internal resources. The customer would like to implement EAP-TLS and Posture using the AnyConnect Supplicant and AnyConnect Posture module. Not all end users are IT savvy (a large number of doctors and other medical practitioners).

The customer expects a simple self-registration process without too many manual steps and/or IT Support intervention. We have successfully implemented the following flow:

1. Endpoint connects using MAB and is redirected to a Guest Portal to start NSP flow

2. As part of NSP flow, machine certificate is provisioned on the endpoint

3. Endpoint is re-directed to CPP to download Cisco AnyConnect Supplicant and Posture module

4. Endpoint successfully connects to network using EAP-TLS

5. Endpoint is Postured and authorized

The above process works well; however, the customer would like us to demonstrate/implement an ISE flow for renewing expired/expiring machine certificates.

We are looking for a simple flow to implement the certificate renewal. Our initial thought was to check the certificate expiry period: if expiry is less than 15 days, the endpoint would be redirected to the NSP flow and a new certificate would be installed on the client. We tested this flow, but found that there were two valid certs on the endpoint and the user is asked to pick the correct cert.

Is there a way to configure the NSP flow to delete the old cert before requesting the new cert?

Another option is to let the cert expire, at which time the endpoint can be redirected to the NSP flow and a new cert can be installed.
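Added example, not part of the original post: NSP itself does not remove the previous certificate, so the "two valid certs" prompt can be avoided by pruning superseded certificates on the endpoint once the new one has been issued. The PowerShell below (run elevated on the Windows endpoint) inventories the machine certificates from the BYOD issuing CA, reports days to expiry against the 15-day threshold described above, and optionally deletes everything except the newest unexpired certificate. The issuer substring, the store (LocalMachine\My, i.e. a machine certificate as provisioned by NSP) and the threshold are assumptions to adjust for the deployment.

```powershell
# Added example (not the original poster's code). Inventory the EAP-TLS machine
# certificates issued by the BYOD CA and prune superseded ones so the supplicant
# has exactly one candidate. Run as Administrator on the endpoint.
# Assumptions (hypothetical defaults, adjust for the deployment):
#   - the issuing CA's subject contains "Certificate Services Endpoint Sub CA"
#   - the certificate was provisioned into LocalMachine\My
#   - renewal is wanted when fewer than $RenewDays remain
param(
    [string]$IssuerMatch = 'Certificate Services Endpoint Sub CA',  # assumed issuer substring
    [int]$RenewDays = 15,
    [switch]$Prune   # without -Prune the script only reports what it would delete
)

$now   = Get-Date
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
         Where-Object { $_.Issuer -like "*$IssuerMatch*" }

if (-not $certs) {
    Write-Host "No certificates from an issuer matching '$IssuerMatch' found in LocalMachine\My."
    return
}

# Report every matching certificate with its remaining lifetime. An expired
# certificate is usually not offered by the supplicant at all; more than one
# valid certificate is what produces the "pick a certificate" prompt.
foreach ($c in ($certs | Sort-Object NotAfter -Descending)) {
    $daysLeft = [math]::Floor(($c.NotAfter - $now).TotalDays)
    $state = if ($daysLeft -lt 0)          { 'EXPIRED' }
             elseif ($daysLeft -lt $RenewDays) { 'RENEW-SOON' }
             else                           { 'OK' }
    '{0,-11} {1,5} days  {2}  {3}' -f $state, $daysLeft, $c.Thumbprint, $c.Subject
}

# Keep the newest certificate that is still valid. Everything else from this
# issuer is either expired or an older copy left behind by a previous NSP
# enrollment, and can be removed together with its private key.
$keep = $certs | Where-Object { $_.NotAfter -gt $now } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
$superseded = $certs | Where-Object { ($null -eq $keep) -or ($_.Thumbprint -ne $keep.Thumbprint) }

if ($keep) { Write-Host "Keeping $($keep.Thumbprint) (NotAfter $($keep.NotAfter))" }
foreach ($s in $superseded) {
    $path = Join-Path 'Cert:\LocalMachine\My' $s.Thumbprint
    if ($Prune) {
        # -DeleteKey also removes the orphaned private key from the key store.
        Remove-Item -Path $path -DeleteKey
        Write-Host "Removed $($s.Thumbprint) (NotAfter $($s.NotAfter))"
    } else {
        Write-Host "Would remove $($s.Thumbprint) (NotAfter $($s.NotAfter)); rerun with -Prune"
    }
}
```

Run it with `-Prune` only after the NSP re-enrollment has completed, for example as a scheduled task or login script; run before re-enrollment it would happily delete the only certificate that still expires within the window, which is exactly the one the endpoint needs to get onto the network and reach the NSP portal.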

2 Replies

paul (Level 10)

I know this isn't going to answer your questions, but having done many medical industry ISE installs I am cringing at what the customer is asking you to do. Forcing client provisioning and posture assessment on doctors will be "interesting" for sure, since the doctors hold all the power in this scenario and generate the income for the hospital. When they say "This is BS, we aren't going to do this and we want our devices just to have access!", guess who is going to win?

Hopefully that won't be the case for you.

I would look to other strategies like device registration, or skip any sort of registration and put them behind a firewall and use SGT tags set by ISE to control exactly what internal apps each class of user can get to. If they have AD credentials, let them connect to a PEAP SSID with their credentials. Using their credentials, assign an SGT tag and use that tag on the firewall, assuming your firewall supports pxGrid integration. If they do SGT-based firewalling and only grant the exact access each class of users needs, then maybe they can skip posturing and client provisioning.

Again, sorry for not answering your question, but I wanted to give you some feedback from someone who has tried to walk this road before and has the scars to prove it.

Best of luck on the setup!

vibobrov (Cisco Employee)

Hi Niten,

Which type of endpoints prompt for the cert? The Windows Native Supplicant has the option for simple certificate selection, which avoids the prompt even with multiple certificates. You mention the AnyConnect Supplicant; are you using NAM? I don't see a similar option in NAM. If you're OK with the native supplicant, simple certificate selection is enabled by default if I recall correctly.

The issue you may run into with expired certificates is that the supplicant may not even send it to ISE when it realizes that it is expired already.
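Added example, not part of the reply above: a quick way to confirm whether the Windows native supplicant's simple certificate selection is actually on for the wired interface is to export the interface's 802.1X profile with `netsh lan export profile` and read the EAP-TLS `SimpleCertSelection` element from the XML. The PowerShell below does that; the interface name "Ethernet" is a placeholder, and the script assumes the exported profile carries the EAP-TLS configuration in Microsoft's EapHostConfig XML (where EAP method type 13 is EAP-TLS), which is looked up namespace-agnostically so the exact schema URIs do not matter.

```powershell
# Added example (not the replying author's code). Export the wired 802.1X profile
# of an interface and report the EAP method and the SimpleCertSelection setting.
# Assumption: the interface is called "Ethernet" (hypothetical; see Get-NetAdapter).
param([string]$Interface = 'Ethernet')

$outDir = Join-Path $env:TEMP 'lanprofiles'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
Get-ChildItem -Path $outDir -Filter *.xml | Remove-Item   # start from a clean folder

# netsh writes one XML file per exported interface profile into the folder.
netsh lan export profile folder="$outDir" interface="$Interface" | Out-Null

$files = Get-ChildItem -Path $outDir -Filter *.xml
if (-not $files) {
    Write-Host "No wired profile exported for '$Interface' (check the interface name and that the Wired AutoConfig service is running)."
    return
}

foreach ($f in $files) {
    [xml]$xml = Get-Content -Path $f.FullName

    # local-name() lookups ignore the per-schema XML namespaces in the profile.
    $typeNode   = $xml.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
    $simpleNode = $xml.SelectSingleNode("//*[local-name()='SimpleCertSelection']")

    $method = if ($typeNode)   { $typeNode.InnerText } else { 'unknown' }
    $label  = if ($method -eq '13') { 'EAP-TLS' } else { "type $method" }
    $simple = if ($simpleNode) { $simpleNode.InnerText } else { 'not present in profile' }

    '{0}: EAP method {1}, SimpleCertSelection = {2}' -f $f.Name, $label, $simple
}
```

If the element reads `false`, or the profile uses a non-TLS method, the exported XML can be edited and re-imported with `netsh lan add profile`; for a deployment this is normally pushed as a Group Policy wired network policy rather than per machine.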
