Cisco ISE and PEAP CERT

Answered Question
Jan 3rd, 2012

Anyone know where you load the CA certificate for PEAP if you use ISE as a RADIUS server?

Overall Rating: 5 (3 ratings)
Correct Answer
camejia Tue, 01/03/2012 - 15:55

Hello George,


Refer to:


Adding a Certificate Authority Certificate


http://www.cisco.com/en/US/partner/docs/security/ise/1.0.4/user_guide/ise10_man_cert.html#wp1053515


Step 1 Choose Administration > System > Certificates.


Step 2 From the Certificate Operations navigation pane on the left, click Certificate Authority Certificates.


The Certificate Authority Certificates page appears.


Step 3 Click Add.


Hope this helps.


Regards.

Correct Answer
jrabinow Tue, 01/03/2012 - 15:56

You need to select Administration->System->Certificates->Local Certificates


Add the certificate you want to use. When adding, select the following option under Protocol: "EAP: Use certificate for EAP protocols that use SSL/TLS tunneling"


This will define the server certificate to be used for PEAP protocols.

Correct Answer
camejia Tue, 01/03/2012 - 15:59

George,


Jonny provided the section to install the ISE "Identity Certificate" issued by a CA for the ISE itself. I provided the section to install the Certification Authority (Root) certificate. Adding the clarification to avoid any confusion.


Regards.
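
A pre-upload check for the two certificate types distinguished above, as an added example that is not part of the original thread or of Cisco's documentation: it builds a constructed root CA and ISE identity certificate with `openssl`, reports which ISE page each file belongs on, and confirms the identity certificate chains to the root that clients must trust. All file names, subjects and the `make_root`, `ise_store` and `chains_to` helpers are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: all names, subjects and files below are constructed.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cat >"$work/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_root]
basicConstraints = critical,CA:TRUE
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF

# make_root NAME: self-signed root CA -> $work/NAME.pem
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$work/x.cnf" \
    -extensions v3_root -subj "/CN=Example $1 Root CA" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}
make_root corp     # the CA that signs the ISE certificate
make_root other    # an unrelated CA, to show a failed chain

# ISE identity certificate for EAP, signed by the "corp" root.
openssl req -new -newkey rsa:2048 -nodes -config "$work/x.cnf" \
  -subj "/CN=ise.example.test" -keyout "$work/ise.key" -out "$work/ise.csr" 2>/dev/null
openssl x509 -req -in "$work/ise.csr" -CA "$work/corp.pem" -CAkey "$work/corp.key" \
  -CAcreateserial -days 30 -extfile "$work/x.cnf" -extensions v3_srv \
  -out "$work/ise.pem" 2>/dev/null

# ise_store FILE: name the ISE page (as used in this thread) the PEM belongs on.
ise_store() (
  text=$(openssl x509 -in "$1" -noout -text)
  case $text in
    *CA:TRUE*) echo "Certificate Authority Certificates" ;;
    *"TLS Web Server Authentication"*) echo "Local Certificates (EAP)" ;;
    *) echo "not usable for PEAP" ;;
  esac
)
# chains_to ROOT CERT: succeeds only if CERT verifies as a TLS server cert under ROOT.
chains_to() { openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1; }

for f in corp ise; do echo "$f.pem -> $(ise_store "$work/$f.pem")"; done
chains_to "$work/corp.pem"  "$work/ise.pem" && echo "ise.pem chains to corp root"
chains_to "$work/other.pem" "$work/ise.pem" || echo "ise.pem does NOT chain to other root"
```

Run against real files, point `ise_store` and `chains_to` at the PEM exports from your CA instead of the generated ones; the private key stays out of both checks.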

George Stefanick Tue, 01/10/2012 - 19:55

Can you guys offer any supplemental material for configuring ISE for wireless only? The main config guide is OK, but too much fluff.


Thanks guys

edondurguti Wed, 09/05/2012 - 13:23

Did anyone install a third-party cert and not have that stupid error popup saying Terminate/Connect?

Thank you.

I'm tired of this Windows thingy; even though I do everything correctly, it still pops up with that error.

edondurguti Fri, 09/07/2012 - 07:38

Alright, I've been able to create my own CA in Win2008 and Ubuntu Server as well (I was so desperate about this cert thing on Windows 7, where it popped up that terminate/connect error, that I had to create all that).

Anyway, the scenario is using a third-party cert.

**The domain name doesn't have to match ISE domain name for PEAP Authentication** (so I used my guest webpage SSL cert)

Now Windows 7 computers that are a part of a domain/workgroup using the native wireless client would still get that error no matter what, even if you add the root cert as a trusted authority in the cert list and all that, even third-party ones.

Seems like a Windows 7 bug, and here is the workaround:

http://support.microsoft.com/kb/2518158

I just did that for the root CA and intermediate CA from a third-party CA (GoDaddy in my case). I did test it with Windows Server CA and also with Ubuntu Server CA (yes, I did test a lot).


Hope it helps someone, as it was driving me crazy.

Chris Allen Wed, 04/24/2013 - 12:43

I am also looking for documentation on how to configure ISE just for wireless. Any help would be greatly appreciated, especially with machine authentication using certificates.


Thanks,

C

askhuran Wed, 04/24/2013 - 18:02

Hello Chris,


For wireless configuration, you may download TrustSec “Universal Wireless Configuration” from the following location:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_11_universal_wlc_config.pdf

For machine authentication, review chapter 5, "Managing External Identity Source".
Additionally, the ISE 1.1.x user guide is available at this location:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_user_guide.html
