Cisco Ise 13 User Guide

Page 191

Procedure
Step 1 Choose Administration > System > Certificates > Certificate Signing Requests
Step 2 Enter the values for generating a CSR. See Certificate Signing Request Settings, on page 692 for information on each of the fields.
Step 3 Click Generate to generate the CSR.
The CSR is generated.
Step 4 Click Export to open the CSR in a Notepad.
Step 5 Copy all the text from “-----BEGIN CERTIFICATE REQUEST-----” through “-----END CERTIFICATE REQUEST-----.”
Step 6 Paste the contents of the CSR into the certificate request of a chosen CA.
Step 7 Download the signed certificate....

Page 192

If you enable the Enable Validation of Certificate Extensions option, and the certificate that you are importing contains a basic constraints extension with the CA flag set to true, ensure that the key usage extension is present, and that the keyEncipherment bit or the keyAgreement bit, or both, are also set.
Step 7 Check the service for which this certificate will be used in the Usage area.
This information is autopopulated, if you have enabled the Usage option while generating the CSR.
Step 8 Click Submit to bind the CA-signed certificate....

Page 193

Note
• If you change the Admin certificate on a registered secondary node, you must obtain appropriate CA certificates that can be used to validate the secondary node’s Admin certificate and import it into the CTL of the PAN.
• If you use self-signed certificates to secure communication between a client and PSN in a deployment, when BYOD users move from one location to another, EAP-TLS user authentication fails. For such authentication requests that have to be serviced between a few PSNs, you must secure communication between the...

Page 194

Step 2 Import the Root Certificates to the Trusted Certificate Store, on page 143.
Step 3 Bind the CA-Signed Certificate to the CSR, on page 145.
Associate the Portal Certificate Tag Before You Register a Node
If you use the "Default Portal Certificate Group" tag for all the portals in your deployment, before you register a new ISE node, ensure that you import the relevant CA-signed certificate, choose "Portal" as a service, and associate the "Default Portal Certificate Group" tag with this certificate....

Page 195

Option: Edit an existing CA-signed certificate.
Description: When you edit the existing CA-signed certificate: Choose "Portal" as a service for which you will use this certificate and associate the "Default Portal Certificate Group" tag.
Step 5 Register the ISE node to the deployment.
The portal configuration in the deployment is configured to the "Default Portal Certificate Group" tag and the portals are configured to use the CA-signed certificate associated with the "Default Portal Certificate Group" tag on the new node.
User and Endpoint...

Page 196

CWA Redirect to Renew Certificates
If a user certificate is revoked before its expiry, Cisco ISE checks the CRL published by the CA and rejects the authentication request. However, if a revoked certificate has expired, the CA may not publish this certificate in its CRL. In this scenario, it is possible for Cisco ISE to renew a certificate that has been revoked. To avoid this, before you renew a certificate, ensure that the request gets redirected to Central Web Authentication (CWA) for a full authentication. You must create an authorization profile to redirect the user for CWA.
Configure...

Page 197

Create an Authorization Policy Profile for CWA Redirection
Before You Begin
Ensure that you have configured a limited access ACL on the WLC.
Procedure
Step 1 Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 2 Click Add.
Step 3 Enter a name for the authorization profile. For example, CertRenewal_CWA.
Step 4 Check the Web Redirection (CWA, DRW, MDM, NSP, CPP) check box in the Common Tasks area.
Step 5 Choose Centralized Web Auth from the drop-down list and the limited access ACL.
Step...

Page 198

Procedure
Step 1 Choose Policy > Policy Sets.
Step 2 Click Create Above.
Step 3 Enter a name for the new rule.
Step 4 Choose the following simple condition and result:
If CertRenewalRequired EQUALS True, then choose the authorization profile that you created earlier (CertRenewal_CWA) for the permission.
Step 5 Click Save.
What to Do Next
When you access the corporate network with a device whose certificate has expired, click Renew to reconfigure your device.
Enable BYOD Settings in the Guest Portal...

Page 199

console to allow employees to use their personal devices on the company's network. A CA-signed digital certificate is considered industry standard and more secure. The ISE CA offers the following functionalities:
• Certificate Issuance: Validates and signs Certificate Signing Requests (CSRs) for endpoints that connect to your network.
• Key Management: Generates and securely stores keys and certificates on both PAN and PSN nodes.
• Certificate Storage: Stores certificates issued to users and devices....

Page 200

Simple Certificate Enrollment Protocol Profiles
To help enable certificate provisioning functions for the variety of mobile devices that users can register on the network, Cisco ISE enables you to configure one or more Simple Certificate Enrollment Protocol (SCEP) Certificate Authority (CA) profiles (called Cisco ISE External CA Settings) to point Cisco ISE to multiple CA locations. The benefit of allowing for multiple profiles is to help ensure high availability and perform...