Cisco Ise 13 User Guide
Page 191
Procedure
Step 1 Choose Administration > System > Certificates > Certificate Signing Requests.
Step 2 Enter the values for generating a CSR. See Certificate Signing Request Settings, on page 692, for information on each of the fields.
Step 3 Click Generate to generate the CSR. The CSR is generated.
Step 4 Click Export to open the CSR in a Notepad.
Step 5 Copy all the text from “-----BEGIN CERTIFICATE REQUEST-----” through “-----END CERTIFICATE REQUEST-----.”
Step 6 Paste the contents of the CSR into the certificate request of a chosen CA.
Step 7 Download the signed certificate....
Page 192
If you enable the Enable Validation of Certificate Extensions option, and the certificate that you are importing contains a basic constraints extension with the CA flag set to true, ensure that the key usage extension is present, and that the keyEncipherment bit or the keyAgreement bit, or both, are also set.
Step 7 Check the service for which this certificate will be used in the Usage area. This information is autopopulated if you have enabled the Usage option while generating the CSR.
Step 8 Click Submit to bind the CA-signed certificate....
Page 193
Note
• If you change the Admin certificate on a registered secondary node, you must obtain appropriate CA certificates that can be used to validate the secondary node’s Admin certificate and import it into the CTL of the PAN.
• If you use self-signed certificates to secure communication between a client and PSN in a deployment, when BYOD users move from one location to another, EAP-TLS user authentication fails. For such authentication requests that have to be serviced between a few PSNs, you must secure communication between the...
Page 194
Step 2 Import the Root Certificates to the Trusted Certificate Store, on page 143.
Step 3 Bind the CA-Signed Certificate to the CSR, on page 145.
Associate the Portal Certificate Tag Before You Register a Node
If you use the "Default Portal Certificate Group" tag for all the portals in your deployment, before you register a new ISE node, ensure that you import the relevant CA-signed certificate, choose "Portal" as a service, and associate the "Default Portal Certificate Group" tag with this certificate....
Page 195
Option: Edit an existing CA-signed certificate.
Description: When you edit the existing CA-signed certificate, choose "Portal" as a service for which you will use this certificate and associate the "Default Portal Certificate Group" tag.
Step 5 Register the ISE node to the deployment. The portal configuration in the deployment is configured to the "Default Portal Certificate Group" tag, and the portals are configured to use the CA-signed certificate associated with the "Default Portal Certificate Group" tag on the new node.
User and Endpoint...
Page 196
CWA Redirect to Renew Certificates
If a user certificate is revoked before its expiry, Cisco ISE checks the CRL published by the CA and rejects the authentication request. If a revoked certificate has expired, the CA may not publish this certificate in its CRL. In this scenario, it is possible for Cisco ISE to renew a certificate that has been revoked. To avoid this, before you renew a certificate, ensure that the request gets redirected to Central Web Authentication (CWA) for a full authentication. You must create an authorization profile to redirect the user for CWA. Configure...
Page 197
Create an Authorization Policy Profile for CWA Redirection
Before You Begin
Ensure that you have configured a limited access ACL on the WLC.
Procedure
Step 1 Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.
Step 2 Click Add.
Step 3 Enter a name for the authorization profile. For example, CertRenewal_CWA.
Step 4 Check the Web Redirection (CWA, DRW, MDM, NSP, CPP) check box in the Common Tasks area.
Step 5 Choose Centralized Web Auth from the drop-down list and the limited access ACL.
Step...
Page 198
Procedure
Step 1 Choose Policy > Policy Sets.
Step 2 Click Create Above.
Step 3 Enter a name for the new rule.
Step 4 Choose the following simple condition and result: If CertRenewalRequired EQUALS True, then choose the authorization profile that you created earlier (CertRenewal_CWA) for the permission.
Step 5 Click Save.
What to Do Next
When you access the corporate network with a device whose certificate has expired, click Renew to reconfigure your device.
Enable BYOD Settings in the Guest Portal...
Page 199
console to allow employees to use their personal devices on the company's network. A CA-signed digital certificate is considered industry standard and more secure. The ISE CA offers the following functionalities:
• Certificate Issuance: Validates and signs Certificate Signing Requests (CSRs) for endpoints that connect to your network.
• Key Management: Generates and securely stores keys and certificates on both PAN and PSN nodes.
• Certificate Storage: Stores certificates issued to users and devices....
Page 200
Simple Certificate Enrollment Protocol Profiles
To help enable certificate provisioning functions for the variety of mobile devices that users can register on the network, Cisco ISE enables you to configure one or more Simple Certificate Enrollment Protocol (SCEP) Certificate Authority (CA) profiles (called Cisco ISE External CA Settings) to point Cisco ISE to multiple CA locations. The benefit of allowing for multiple profiles is to help ensure high availability and perform...