1 Reply Latest reply: Dec 6, 2017 12:20 PM by kthiruve

Cisco ISE Allowing Expired Endpoint Certificates

khalid_mahmood@computacenter.com

We have a unique situation where we have a customer deployment where Windows machines are built with a machine certificate and stored in various locations ready for deployment. However, the issuing certificate server expires soon, which means that these machine certificates would have expired before they are unboxed and allowed to do the normal certificate auto-enrolment. Cisco ISE will deny access by default to expired certificates, which is the default behaviour as I understand it; see the extract below.

 

"User and Endpoint Certificate Renewal

By default, Cisco ISE rejects a request that comes from a device whose certificate has expired. However, you can change this default behavior and configure ISE to process such requests and prompt the user to renew the certificate."

 

Question 1 - Is this for the ISE internal CA issued certs or any Organisation CA certs?

 

Question 2 - I found an article which says you can change this by looking at the "CertRenewalRequired" authorisation. Will this work for an organisation's Microsoft CA issued certs, i.e. a Mycompany.com CA server cert on the client? Can we permit access if the cert is expired using this authorisation check?



"Authorization Policy Condition for Certificate Renewal

You can use the CertRenewalRequired simple condition (available by default) in authorization policy to ensure that a certificate (expired or about to expire) is renewed before Cisco ISE processes the request further."

Thanks Khalid

  • 1. Re: Cisco ISE Allowing Expired Endpoint Certificates
    kthiruve

    Khalid,

     

    Machine authentication with certs is used with 802.1x and Microsoft (MS) CA typically. Your MS CA infrastructure is integrated with AD. ISE internal CA will work with BYOD devices and cannot be used for 802.1x machine authentication.

     

    Cert renewal policy conditions typically apply to internal CA. If you have an external CA, ISE does request in cert renewal if it is a SCEP proxy or configured as RA. Again this is applicable only for BYOD flow.

     

    So your best option at this point is not to use machine auth using certs and maybe use machine credentials, since this is already part of AD I assume. Then re-enroll your machines for certificates once the CA server is corrected.

     

    Thanks

    Krishnan