Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
681
Views
0
Helpful
2
Replies

ISE 1.2 and iPEP Certificate Requirements

Go to solution
Octavian Szolga
Level 4
Level 4

‎01-22-2014 05:31 AM - edited ‎03-10-2019 09:18 PM

Hi,

For 1.1.x version of ISE, there are some constraints regarding the certificates used for iPEP and Admin:

  • Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Postur  certificate.

  • [http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml]
  • Does the same thing applies for iPEP in ISE 1.2? The User Guide for ISE 1.2 and Hardware Installation Guide doesn't mention anything about EKU and specific certificate attributes..
  • Any thoughts?
  • Thank you,
  • Octavian
    • Labels:
    0 Helpful
    1 Accepted Solution

    Accepted Solutions

    Go to solution
    Saurav Lodh
    Level 7
    Level 7

    ‎01-29-2014 09:25 PM

    The EKU validation has been removed in version 1.2

    "If you configure ISE for services such as Inline  Policy Enforcement Point (iPEP), the template used in order to generate  the ISE server identity certificate should contain both client and  server authentication attributes if you use ISE Version 1.1.x or  earlier. This allows the admin and inline nodes to mutually authenticate  each other. The EKU validation for iPEP was removed in ISE Version 1.2,  which makes this requirement less relevant."

    Source:

    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml

    View solution in original post

    0 Helpful
    2 Replies 2

    Go to solution
    Javier Henderson
    Level 4
    Level 4

    ‎01-29-2014 05:32 PM

    Octavian,

    The same requirements apply.

    Javier Henderson

    Cisco Systems

    0 Helpful

    Go to solution
    Saurav Lodh
    Level 7
    Level 7

    ‎01-29-2014 09:25 PM

    The EKU validation has been removed in version 1.2

    "If you configure ISE for services such as Inline  Policy Enforcement Point (iPEP), the template used in order to generate  the ISE server identity certificate should contain both client and  server authentication attributes if you use ISE Version 1.1.x or  earlier. This allows the admin and inline nodes to mutually authenticate  each other. The EKU validation for iPEP was removed in ISE Version 1.2,  which makes this requirement less relevant."

    Source:

    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml

    0 Helpful
    Getting Started

    Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

    Customers Also Viewed These Support Documents