Cisco Ise 13 User Guide

Page 181

• sponsor.ise.company.local
Wildcard Certificate Compatibility
Wildcard certificates are usually created with the wildcard listed as the Common Name (CN) of the Certificate Subject. Cisco ISE supports this type of construction. However, not all endpoint supplicants support the wildcard character in the Certificate Subject.
All Microsoft native supplicants tested (including Windows Mobile) do not support wildcard character in the Certificate Subject.
You can use another supplicant, such as Cisco AnyConnect Network Access Manager (NAM) that might...

Page 182

2 Submit it to a Certificate Authority (CA)
3 Obtain the signed certificate
4 Import the relevant root and intermediate CA certificates into the Trusted Certificates Store
5 Bind the signed certificate with the CSR
View System Certificates
The System Certificate page lists all the system certificates added to Cisco ISE.
Before You Begin
To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1 Choose Administration > System > Certificates > System Certificates....

Page 183

Before You Begin
• Ensure that you have the system certificate and the private key file on the system that is running the client browser.
• If the system certificate that you import is signed by an external CA, import the relevant root CA and intermediate CA certificates into the Trusted Certificates Store (Administration > System > Certificates > Trusted Certificates).
• Cisco ISE does not support certificates that are signed with a hash algorithm greater than SHA-256. Hence, you must not import a server certificate that is signed with a hash algorithm greater than SHA-256....

Page 184

To generate a self-signed certificate from a secondary node, choose Administration > System > Server Certificate.
Step 2 Click Generate Self Signed Certificate and enter the details in the Generate Self Signed Certificate page.
Step 3 Check the check boxes in the Usage area based on the service for which you want to use this certificate.
Step 4 Click Submit to generate the certificate.
To restart the secondary nodes, from the CLI, enter the following commands in the given order:
a) application stop ise
b) application start ise
Edit a System Certificate...

Page 185

Procedure
Step 1 Choose Administration > System > Certificates > System Certificates.
Step 2 Check the check box next to the certificate that you want to export and then click Export.
Step 3 Choose whether to export only the certificate, or the certificate and its associated private key.
We do not recommend exporting the private key associated with a certificate because its value may be exposed. If you must export a private key (for example, when you export a wildcard system certificate to be imported into the other nodes for inter-node communication), specify an encryption...

Page 186

registering device, and then forwards the request to an external CA or the internal Cisco ISE CA, which issues the client certificate. The CA sends the certificate back to the RA, which returns it to the device.
Each SCEP CA used by Cisco ISE is defined by a SCEP RA Profile. When a SCEP RA Profile is created, two certificates are automatically added to the Trusted Certificates Store:
◦ A CA certificate (a self-signed certificate)
◦ An RA certificate (a Certificate Request Agent certificate), which is signed by the CA....

Page 187

The following name constraints are not supported:
• IP address
• Othername
When a trusted certificate contains a constraint that is not supported and the certificate that is being verified does not contain the appropriate field, it is rejected because Cisco ISE cannot verify unsupported constraints.
The following is an example of the name constraints definition within the trusted certificate:...

Page 188

Procedure
Step 1 Choose Administration > System > Certificates > Trusted Certificates.
Step 2 Check the check box next to the certificate you want to enable or disable, and click Edit.
Step 3 Change the status.
Step 4 Click Save.
Add a Certificate to Trusted Certificates Store
The Certificate Store page allows you to add CA certificates to Cisco ISE.
Before You Begin
• To perform the following task, you must be a Super Admin or System Admin.
• Ensure that the certificate store certificate resides on the file system of the computer where your browser...

Page 189

Procedure
Step 1 Choose Administration > System > Certificates > Trusted Certificates.
Step 2 Check the check box next to the certificate that you want to edit, and click Edit.
Step 3 Modify the editable fields as required.
Step 4 Click Save to save the changes you have made to the certificate store.
Export a Certificate from the Trusted Certificates Store
Before You Begin
To perform the following task, you must be a Super Admin or System Admin.
Procedure
Step 1 Choose Administration > System > Certificates > Trusted Certificates.
Step...

Page 190

If you do not enter a Friendly Name, Cisco ISE autopopulates this field with a Friendly Name of the format common-name#issuer#nnnnn, where nnnnn is a unique number. You can edit the certificate again to change the Friendly Name.
Step 5 Choose the root certificate returned by your CA.
Step 6 Check the check boxes next to the services for which you want to use this trusted certificate.
Step 7 Enter a description.
Step 8 Click Submit.
What to Do Next
Import the intermediate CA certificates into the Trusted Certificates store (if applicable).
Certificate Chain Import...