Cisco ISE and PEAP CERT

Answered Question
Jan 3rd, 2012

Anyone know where you load the CA certificate for PEAP if you use ISE as a RADIUS server?

Correct Answer
camejia Tue, 01/03/2012 - 15:55

Hello George,

Refer to:

Adding a Certificate Authority Certificate

http://www.cisco.com/en/US/partner/docs/security/ise/1.0.4/user_guide/ise10_man_cert.html#wp1053515

Step 1 Choose Administration > System > Certificates.

Step 2 From the Certificate Operations navigation pane on the left, click Certificate Authority Certificates.

The Certificate Authority Certificates page appears.

Step 3 Click Add.

Hope this helps.

Regards.

Correct Answer
jrabinow Tue, 01/03/2012 - 15:56

You need to select Administration->System->Certificates->Local Certificates.

Add the certificate you want to use. When adding, select the following option under Protocol: "EAP: Use certificate for EAP protocols that use SSL/TLS tunneling"

This will define the server certificate to be used for PEAP protocols.

Correct Answer
camejia Tue, 01/03/2012 - 15:59

George,

Jonny provided the section to install the ISE "Identity Certificate" issued by a CA for the ISE itself. I provided the section to install the Certification Authority (Root) certificate. Adding the clarification to avoid any confusion.

Regards.
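
The two uploads distinguished in the posts above can be told apart from the certificate files themselves. This is an added example, not part of the thread or of Cisco's documentation: it uses the openssl CLI on a throwaway CA and server certificate constructed inline (the names `Demo Root CA`, `ise.example.test` and all function names are assumptions), and it goes beyond the posts by also checking the serverAuth extended key usage.

```bash
# Added example: tell an ISE identity certificate from a CA certificate with openssl.
# Prints "ca" (belongs under Certificate Authority Certificates) when basicConstraints
# is CA:TRUE, else "identity" (belongs under Local Certificates with the EAP option).
classify_cert() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo ca
  else
    echo identity
  fi
}

# Succeeds when certificate $2 verifies against CA certificate $1.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Succeeds when the certificate carries the serverAuth extended key usage.
has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Constructed sample input: throwaway root CA and server certificate in directory $1.
make_demo_pki() {
  d=$1
  cat > "$d/demo.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -config "$d/demo.cnf" -extensions v3_root -newkey rsa:2048 \
    -nodes -days 1 -subj '/CN=Demo Root CA' \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj '/CN=ise.example.test' -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions v3_server \
    -out "$d/srv.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for f in ca.pem srv.pem; do echo "$f: $(classify_cert "$demo_dir/$f")"; done
chains_to "$demo_dir/ca.pem" "$demo_dir/srv.pem" && echo "srv.pem chains to ca.pem"
has_server_auth "$demo_dir/srv.pem" && echo "srv.pem has serverAuth EKU"
```

To check real files, call the three check functions on the PEM files exported from your CA instead of the demo directory.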

George Stefanick Tue, 01/10/2012 - 19:55

Can you guys offer any supplemental material for configuring ISE for wireless only? The main config guide is ok, but too much fluff.

Thanks guys

edondurguti Wed, 09/05/2012 - 13:23

Did anyone install a third party cert and not have that stupid error popup saying Terminate/Connect?

Thank you.

I'm tired of this Windows thingy, even though I do everything correctly it still pops up with that error.

edondurguti Fri, 09/07/2012 - 07:38

Alright, I've been able to create my own CA in win2008 and Ubuntu server as well (I was so desperate about this cert thing on Windows 7, where it popped up that terminate/connect error, that I had to create all that).

Anyway, the scenario is using a third party cert.

**The domain name doesn't have to match ISE domain name for PEAP Authentication** (so I used my guest webpage SSL cert)

Now Windows 7 computers that are a part of a domain/workgroup using the native wireless client would still get that error no matter what, even if you add the root cert as a trusted authority in the cert list and all that, even third party ones.

Seems like a Windows 7 bug and here is the workaround:

http://support.microsoft.com/kb/2518158

I just did that for the root CA and intermediate CA from a third party CA (GoDaddy in my case) - I did test it with Windows server CA and also with Ubuntu server CA (yes, I did test a lot).

Hope it helps someone as it was driving me crazy.

Chris Allen Wed, 04/24/2013 - 12:43

I am also looking for documentation on how to configure ISE just for wireless. Any help would be greatly appreciated. Especially with machine authentication using certificates.

Thanks,

C

askhuran Wed, 04/24/2013 - 18:02

Hello Chris,

For wireless configuration, you may download TrustSec “Universal Wireless Configuration” from the following location:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_11_universal_wlc_config.pdf

For machine authentication, review chapter 5, "Managing External Identity Source".
Additionally, the ISE 1.1.x user guide is available at this location:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_user_guide.html
