SEC0187 - ISE 1.3 Internal Certificate Authority (CA) Setup (Part 1)

The video discusses and demonstrates the different deployment models of the Cisco ISE 1.3 Internal Certificate Authority. We will set up the ISE internal CA, both as a standalone and as an intermediate CA, and create a certificate template to issue client certificates for our next BYOD labs. We will also touch on the significance of certificate keypair export and import to other ISE nodes in the deployment, and demonstrate it.

Part 1 of this video talks about the deployment models and configures ISE as a standalone CA.

Topic:

  • ISE Internal CA; Standalone Root, Intermediate, Disabled
  • ISE Root CA
  • ISE Intermediate CA
  • ISE Certificate Template
  • Repository
  • Certificate Keypair Export/Import
  • ISE Integration with External SCEP Server

 

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

4 comments

I'm planning to auto-issue certificates to employee machines, then I can use EAP chaining.
Q1 - Can I use the ISE internal CA for that?
Q2 - Can I use BYOD with employee domain machines?

Thanks a lot for the help.

1. No. ISE Internal CA as of 1.4 is only for devices that go through the onboarding flow. Plus, the issued cert is a user cert and not a machine cert.
2. You can put any supported device through onboarding, but it just would not make sense for a domain computer since BYOD is meant for personal devices.

Hi, sorry but it is a user cert? I can see in the cert template that the SAN is the MAC address of the device. Isn't that a machine cert?

Thanks,

It is a user cert. The MAC address inserted into the SAN is informational. You can use it to cross-check with the actual endpoint MAC address in case the user somehow exports the cert and tries to use it on another device.