Cisco Support Community

New Member

ISE 1.2 and iPEP Certificate Requirements

Hi,

For 1.1.x version of ISE, there are some constraints regarding the certificates used for iPEP and Admin:

  • Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Posture certificate.

[http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bea904.shtml]

Does the same thing apply for iPEP in ISE 1.2? The User Guide for ISE 1.2 and Hardware Installation Guide don't mention anything about EKU and specific certificate attributes.

Any thoughts?

Thank you,

Octavian

1 ACCEPTED SOLUTION

    Accepted Solutions

    The EKU validation has been removed in version 1.2.

    "If you configure ISE for services such as Inline Policy Enforcement Point (iPEP), the template used in order to generate the ISE server identity certificate should contain both client and server authentication attributes if you use ISE Version 1.1.x or earlier. This allows the admin and inline nodes to mutually authenticate each other. The EKU validation for iPEP was removed in ISE Version 1.2, which makes this requirement less relevant."

    Source:

    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bff108.shtml
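A pre-install check for the ISE 1.1.x EKU rule discussed in this thread, as an added example that is not part of the original posts or of Cisco's documentation. The function names, file names and throwaway certificates are constructed for illustration, reading the first clause of the quoted rule as describing the Admin node certificate is an assumption, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example; function names, file names and test certificates are constructed.

# Print the EKU profile of a PEM certificate: both | server-only | client-only | none
eku_profile() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    server=0; client=0
    # OpenSSL prints OIDs 1.3.6.1.5.5.7.3.1 and .2 under these names.
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' && server=1
    printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' && client=1
    case "$server$client" in
        11) echo both ;;
        10) echo server-only ;;
        01) echo client-only ;;
        *)  echo none ;;
    esac
}

# ISE 1.1.x rule quoted in the question. Assumption: the first clause of the
# rule describes the Admin node certificate ($1); $2 is the Inline Posture one.
ise11_admin_cert_ok() {
    admin=$(eku_profile "$1") || return 2
    ipep=$(eku_profile "$2") || return 2
    case "$ipep" in
        none)             [ "$admin" = none ] ;;
        both|server-only) [ "$admin" = both ] ;;
        *)                return 1 ;;  # client-only: not covered by the quoted rule
    esac
}

# Constructed test input: throwaway self-signed cert with the given EKU list.
make_cert() {  # $1 = directory, $2 = name, $3 = EKU list (may be empty)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2.example.test" ${3:+-addext "extendedKeyUsage=$3"} \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_cert "$demo_dir" admin serverAuth,clientAuth
make_cert "$demo_dir" ipep  serverAuth
echo "admin: $(eku_profile "$demo_dir/admin.pem"), ipep: $(eku_profile "$demo_dir/ipep.pem")"
if ise11_admin_cert_ok "$demo_dir/admin.pem" "$demo_dir/ipep.pem"; then
    echo "pair satisfies the ISE 1.1.x EKU rule"
fi
```

On ISE 1.2 the accepted answer states that this EKU validation was removed, so the check applies only to 1.1.x or earlier deployments.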

    2 REPLIES
    Cisco Employee

    Octavian,

    The same requirements apply.

    Javier Henderson

    Cisco Systems
