
Deploying PKI

For 802.1x Networks


Jerry Lin, Consulting Systems Engineer, California
Ned Zaldivar, Consulting Systems Engineer, Texas
Sylvain Levesque, Consulting Systems Engineer, Canada

TECSEC-2053
Jerry Lin, CSE, Irvine, California
Ned Zaldivar, CSE, Houston, Texas
Sylvain Levesque, CSE, Montreal, Canada

Related Sessions
• BRKSEC-2045 - Mobile Devices and BYOD Security, Deployment and Best Practices
• BRKSEC-3053 - Practical PKI for Remote Access VPN
Other Related ISE/PKI Sessions
• BRKSEC-3697 - Advanced ISE Services, Tips and Tricks
• BRKSEC-3699 - Designing ISE for Scale & High Availability
• BRKSEC-2695 - Building an Enterprise Access Control Architecture using ISE and TrustSec
• TECSEC-3672 - Identity Services Engine 1.3 Best Practices
Agenda
• PKI Background/Overview
• PKI Installation
  • Windows 2012 RootCA and ISE 1.3 Internal CA
  • Certificates, Provisioning, Revocation, Blacklisting, Renewal
• Device Onboarding (Demos)
  • Wireless and Wired Onboarding (EAP-TLS), EAP-Chaining
  • Customer Use Case: Roaming between ISE clusters
• MDM provisioning, pxGrid Integration and Decryption
• TAC FAQs, Wrap Up
• Appendix: Configurations
Quick PKI Review
Certificate Authority (CA)
Source of truth for any PKI
Certificate Authority Hierarchy of Trust (diagram)
Root CA -> Sub CA-1 -> Sub2 CA-1, Sub2 CA-2
Root CA -> ISE PAN Intermediate CA -> PSN (ISE sub-CA1), PSN (ISE sub-CA2)
X.509 v3 Certificate
How To View Certificates
1. Windows PC: C:\Users\jelin\mmc
2. Repeat for Machine Certificates
How To View Certificates
• MacOSX: Profiles or Keychain Access
• iOS: Settings > General > Profiles
• Android: Settings > Security & Screen Lock > Trusted Credentials > System / User
Certificate File Formats Demystified
• DER (.der .cer) – Distinguished Encoding Rules
  • Binary encoded single cert per file
  • Cannot copy / paste
• PEM – Privacy Enhanced Mail (.pem .cer .crt)
  • Base64 encoded text
  • Can copy / paste
• PKCS #7 (.p7b .p7c)
  • Like PEM with root cert chain
• PKCS #12 (.pfx .p12)
  • Like PKCS #7 w/ Private Key!
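The four containers above differ in their outer structure, which is enough to tell them apart without a crypto library. The following is an added example (not code from the deck or from Cisco): it fingerprints DER, PEM, PKCS#7 and PKCS#12 blobs and converts PEM to DER and back. The sample byte strings are constructed minimal DER skeletons, not real certificates.

```python
import base64
import re

# DER fingerprints of the outer structure, taken from the ASN.1 definitions:
#   X.509 certificate  : SEQUENCE { SEQUENCE (tbsCertificate) ... }
#   PKCS#7 (.p7b/.p7c) : SEQUENCE { OID 1.2.840.113549.1.7.2 (signedData) ... }
#   PKCS#12 (.pfx/.p12): SEQUENCE { INTEGER 3 (version) ... }
OID_PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_len(buf, i):
    """Decode the DER length starting at offset i; return (length, offset of content)."""
    first = buf[i]
    if first < 0x80:                      # short form: one byte
        return first, i + 1
    n = first & 0x7F                      # long form: next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_der(buf):
    """Name the container a binary (DER) blob most likely is."""
    if len(buf) < 2 or buf[0] != 0x30:    # every format here is an outer SEQUENCE
        return "unknown"
    _, body = _der_len(buf, 1)
    if buf[body:body + len(OID_PKCS7_SIGNED_DATA)] == OID_PKCS7_SIGNED_DATA:
        return "PKCS#7"
    if buf[body:body + 3] == b"\x02\x01\x03":
        return "PKCS#12"
    if body < len(buf) and buf[body] == 0x30:
        return "DER certificate"
    return "unknown"


def classify(blob):
    """Return (format name, DER bytes). PEM is recognised by its text armor and
    base64-decoded first; that armor is what makes PEM safe to copy/paste."""
    m = PEM_RE.search(blob)
    if m:
        der = base64.b64decode(b"".join(m.group(2).split()))
        return "PEM (%s)" % m.group(1).decode(), der
    return classify_der(blob), blob


def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER bytes in PEM armor with the usual 64-column base64 body."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def _seq(inner):
    """Constructed helper: wrap bytes in a short-form DER SEQUENCE."""
    return b"\x30" + bytes([len(inner)]) + inner


# Constructed sample inputs (minimal DER skeletons, NOT real certificates)
SAMPLE_CERT_DER = _seq(_seq(b"\x02\x01\x01"))   # SEQUENCE { SEQUENCE { INTEGER 1 } }
SAMPLE_P7B_DER = _seq(OID_PKCS7_SIGNED_DATA)    # SEQUENCE { signedData OID }
SAMPLE_PFX_DER = _seq(b"\x02\x01\x03")          # SEQUENCE { INTEGER 3 }
SAMPLE_PEM = der_to_pem(SAMPLE_CERT_DER).encode()

if __name__ == "__main__":
    for name, blob in [("cert.der", SAMPLE_CERT_DER), ("chain.p7b", SAMPLE_P7B_DER),
                       ("bundle.pfx", SAMPLE_PFX_DER), ("cert.pem", SAMPLE_PEM)]:
        print(name, "->", classify(blob)[0])
```

A real .pfx additionally carries the private key, so the same fingerprint is a useful guard before pasting a file into a web form or ticket.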
Certificate Authority Options
• MS 2012 R2 Server (Data Center, Standard, Essentials)
• MS 2008 R2 Server (Data Center, Enterprise, Standard, etc)
• Identity Services Engine (ISE)
• MDM (AirWatch, MobileIron, ZenPrise, Good, MaaS360, SAP, etc)
• Linux “DogTag” CA: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116237-configure-dogtag-00.pdf
• ISR-G2: IOS CA
• Cisco Wireless LAN Controller
• Cisco Adaptive Security Appliance (ASA)
Certificate Authority Options
(Comparison table of MS, ISE, MDM, Linux and Router CAs against the capabilities below; the per-cell check marks are not recoverable from the slide text)
Capability / Feature
• Deploy BYOD certs via VPN?
• Deploy BYOD certs wired or wireless?
• Deploy certs to Active Directory domain computers?
• Highly Scalable?
• Easily Manageable?
• Cisco BU/TAC Official Support
PKI Use Cases Covered
(Table of Use Cases against MS PKI, ISE PKI and MDM PKI; the per-cell check marks are not recoverable from the slide text)
1. Corporate AD Domain Devices (GPO User+Machine Certs)
2. BYOD: Personal Devices (iOS, Android, MacOSX, Windows, Linux*)
3. Corporate non-Domain Devices (iOS, Android, MacOSX, Windows, Linux*)
* ISE 1.4 will address Linux, POS, etc via API


Let’s Build the Root and Subordinate CA, Use Case #1
Start with Windows 2012 Server RootCA
Corporate Asset AD Domain Devices (Use Case #1)
Root CA From CiscoLive2014!
(Hierarchy diagram: Root CA -> Sub CA-1 -> Sub2 CA-1, Sub2 CA-2; Root CA -> ISE PAN Intermediate CA -> PSN ISE sub-CA1, ISE sub-CA2)
• Need RootCA for…
  • Signing Subordinate CA certs.
  • (BYOD) ISE Intermediate CA
  • All other MITM network services: Load-balancers, SSL Proxy, etc.
Let’s Build a Root CA with Windows 2012 R2!
See Appendix for full step by step instructions
Building the Enterprise Root CA: Add Roles and Features
Certificate Services Role Install
• In a Tiered CA deployment, only the Certificate Authority role is needed for the RootCA!
• In a Single* CA deployment, ALL certificate services roles are required.
* Must install the CA role first before other roles!
Enterprise CA (See Appendix for full step by step instructions)
• Specify Enterprise CA and Root CA
Microsoft Keys and Cryptography Update
For New Installs!
ISE and ASA support SHA-1 or SHA-256 with RSA Encryption
Microsoft Key and Cryptography Update!
Migrating from SHA-1 to SHA-256 algorithm
• January 1, 2016 will be End Of Support for SHA-1.
• Migration to SHA-256 will mitigate “man-in-the-middle”. Do This!
• Open Windows PowerShell and set the CA's hash algorithm:
  C:\Users\Administrator> certutil -setreg ca\csp\CNGHashAlgorithm SHA256
• Restart the CA service so the setting takes effect:
  net stop certsvc
  net start certsvc
• Renew the CA Cert (the new CA certificate is what gets signed with SHA-256)
http://www.cusoon.fr/update-microsoft-certificate-authorities-to-use-the-sha-2-hashing-algorithm-2/
See Appendix for full step by step instructions
Complete CA roles
See Appendix for full step by step details
Complete install and Verify! Root CA COMPLETE!
Phasing out Intranet Names in Public SSL Certs
Effective November 1, 2015
• https://support.godaddy.com/help/article/6935/phasing-out-intranet-names-and-ip-addresses-in-ssls?locale=en
• No more Intranet Names or IP addresses as primary domain names or SANs that public DNS servers cannot resolve
  • mail1, server2.local, ise13.demo, etc
  • 192.168.x.x, 10.x.x.x, 172.16.x, etc
• ACTION: You MUST configure your servers to use FQDNs;
  • ISE1-3.Ciscolive2015.com
Certificate Authority Lifetime Timers
Relationship between Root and Subordinate CAs
Use Case: Enterprise RootCA validity period is 2 years (default). You want a SubCA lifetime of 5 years. Default SubCA template in RootCA is 5 years.
Actual validity period is determined by 3 things:
1. Max lifetime of the certificate template
2. Certificate lifetime of issuing CA (Root CA)
3. Registry setting on the issuing CA (Root CA issues the SubCA cert)
Answer: The lowest of the three values determines certificate lifetime!
Modify Certificate Lifetime Support
Relationship between Root and Subordinate CAs
• Change this value on Root CA before deploying subordinate CA(s). Then change this value on subordinate CA(s) as deployed.
• From Windows Command Line (“&&” not supported from PowerShell)
  • certutil -setreg ca\ValidityPeriod "Years"   -> default is already "years"
  • certutil -setreg ca\ValidityPeriodUnits "5"   -> set 5 year maximum certificate validity
  • net stop certsvc && net start certsvc   -> restart Certificate Services
  • certutil -getreg ca | findstr "Validity"   -> to see existing values
• http://support.microsoft.com/kb/281557
• http://blogs.technet.com/b/instan/archive/2009/01/14/using-a-custom-template-for-subordinate-ca-s.aspx
Building Windows 2012 Server Subordinate CA
Corporate Asset AD Domain Devices (Use Case #1)
(Hierarchy diagram: Root CA -> Sub CA-1 -> Sub2 CA-1, Sub2 CA-2; Root CA -> ISE PAN Intermediate CA -> PSN ISE sub-CA1, ISE sub-CA2)
• Windows SubCA for…
  • Corporate domain PCs (User & machine certs)
  • Used for EAP-Chaining
  • Other subordinate CAs
Similar to installing Win2012 Root CA
See Appendix for full step by step instructions
• Install AD Domain Services
• Promote SubCA to domain controller and join existing domain.
Complete SubCA install
• Select RootCA Server Certificate
• All Configured!!!
Back in Win2012-RootCA, see SubCA cert!
Reminder: Certificate Authority Lifetime Timers
Relationship between Root and Subordinate CAs
Problem: Enterprise RootCA validity period is 2 years (default). You want a SubCA lifetime of 5 years. Default SubCA template in RootCA is 5 years.
Actual validity period is determined by 3 things:
1. Max lifetime of the certificate template
2. Certificate lifetime of issuing CA (Root CA)
3. Registry setting on the issuing CA (Root CA issues the SubCA cert)
Answer: The lowest of the three values determines certificate lifetime!
Reminder! Modify Certificate Lifetime Support
Relationship between Root and Subordinate CAs
• Change this value on Root CA before deploying subordinate CA(s). Then change this value on subordinate CA(s) as deployed. Do This!
• From Windows Command Line (“&&” not supported from PowerShell)
  • certutil -setreg ca\ValidityPeriod "Years"   -> default is already "years"
  • certutil -setreg ca\ValidityPeriodUnits "5"   -> set 5 year maximum certificate validity
  • net stop certsvc && net start certsvc   -> restart Certificate Services
  • certutil -getreg ca | findstr "Validity"   -> to see existing values
• http://support.microsoft.com/kb/281557
• http://blogs.technet.com/b/instan/archive/2009/01/14/using-a-custom-template-for-subordinate-ca-s.aspx
Example: Certificate Template Versions
See Appendix for full step by step instructions
• Workstation template is GPO based and offers customized settings (validity period, key length, etc) since it is a V2 template.
• AutoEnrollment support!
Issue “Workstation2” Certificate Template
(Screenshot callout: Remove!!)
1. Select Certificate Template to Issue
2. Select Workstation2 template
3. Validate new template published!
Creating User Certificate Template
• Required for deployment. Must duplicate default template!
• Tools > Certificate Authority > Certificate Template (right-click) > Manage
Enable AutoEnrollment in GPO (Computer)
ENABLE Both!
Enable AutoEnrollment in GPO (User)
ENABLE Both!
Verification of User and Machine templates
• Can issue “gpupdate.exe /force” at DOS Command Prompt
• Check C:\Users\<yourname>\mmc for deployed certs
• If no success, check Domain Users/Machine Permissions and GPO!
Cert Authentication Options!
• Default - User or Machine Cert Auth
• EAP-Chaining (User+Machine Auth)
Let’s Build the Intermediate CA With ISE
Use Case #2, BYOD of Personal Devices
Building the ISE Intermediate CA
New with ISE 1.3. (Use Case #2, BYOD)
(Hierarchy diagram: Root CA -> Sub CA-1 -> Sub2 CA-1, Sub2 CA-2; Root CA -> ISE 1.3 PAN Intermediate CA -> PSN ISE sub-CA1, ISE sub-CA2)
Centralized Certificate Management in 1.3
(Diagram: Primary PAN managing PSN #1 ... PSN #20 ... PSN #40)
• Generate CSRs for ALL NODES at Primary PAN
• Bind CA-signed certs for ALL NODES at Primary PAN
• Manage System (Local) certs for ALL NODES at Primary PAN
**Caveat** You still have to import the PSN certs initially into ISE
ISE CA Services Functional Architecture
(Diagram: PSN1 (SubCA) – PAN (RootCA) – PSN2 (SubCA). Each node runs Key Management, a CA Service and a SCEP RA; the PAN holds the NSS DB; CSR, Bind, Renew, etc. flow between the PAN and each PSN; endpoint certificates are issued by the PSNs)
OCSP Distributed Deployment
(Diagram: on each of PSN, PAN and PSN an ISE Tomcat hosts the OCSP Client and a CA Tomcat hosts the OCSP Responder and CA Server, backed by the CA DB; the responder is reachable at http://ise:2560/ocsp; the ASA acts as an external OCSP Client)
ISE 1.3 Internal CA Review!
Default ISE OCSP Settings
External OCSP Setting (Windows 2012)
OCSP Settings (Cont.)
Re-generate the Root CA (Optional)
• The entire certificate chain can be re-generated if needed.
• Old CA certificates are stored in the Trust store to ensure authentication of previously provisioned endpoints keeps working.
Regenerate ISE Root CA (Optional)
USE with Caution!
ISE (PAN) CA Server Status
As Designed
ISE (PSN) CA Server Status
As expected
Export/Import ISE CA Certificate Keys
• Export ISE Root CA, Endpoint Subordinate CA, Endpoint RA and OCSP certificate
ISE 1.3 Internal CA!
Building the ISE PKI Hierarchy
(Diagram: WIN2012-RootCA signs the CSR-PAN-Intermediate CA and CSR-PSN requests; the PSN is registered to the PAN; the PAN Intermediate CA signs the PSN SubCA)
Adding PSN1 to Admin Node
Importing PSN cert into Admin Node
Registering PSN1 to PAN (In Progress)
Certificate Signing Requests for Intermediate CA
Generating a Certificate with a SAN in ADCS
• Active Directory Certificate Services does not, by default, support generating a certificate with an additional Subject Alternate Name
• A certutil command is required in CLI/PowerShell to activate this option, and the Certificate Authority service has to be restarted:
  certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
  net stop certsvc
  net start certsvc
• Caveat: with this flag set, the CA honors a SAN supplied in the request attributes by any requester allowed to enroll, so keep enrollment permissions tight and clear it again (certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2) once the ISE certificates are issued.
Cert Request to WIN2012-RootCA
Bind ISE Certificate
Newly imported Trusted Certs (callout: Delete This!)
Remove PSN services from PAN (callout: Uncheck!)
ISE will restart
ISE PAN and PSN Personas
Import WIN2012-RootCA Cert!
Final Trusted Certificates
In Win2012-RootCA (CA Hierarchy Complete!)
CSR for PSN
Bind PSN EAP Authentication Cert
Used for Client Authentication + Others
PSN1 Cert Completion
ISE PKI Chain Complete!
New with ISE 1.3!
(Hierarchy diagram: Root CA -> Sub CA-1 -> Sub2 CA-1, Sub2 CA-2; Root CA -> ISE PAN Intermediate CA -> PSN ISE sub-CA1)
Device Onboarding
Onboarding Videos (EAP-TLS)
• Wireless
  • “iPad Onboarding and Blacklisting” video
• Wired
  • MacOSX 10.9 (Mavericks) Wired Onboarding video
  • Windows 7 Wired Onboarding video
On to Sylvain Levesque!
• Certificates Revocation
• OCSP/CRL Validation and Troubleshooting
• Roaming from One PSN to Another
• EAP-Chaining, Machine+User Authentication
• MDM Certificate Provisioning
  • Meraki and AirWatch
• Asset Differentiation
OCSP/CRL Operations & Validation
Online Certificate Status Protocol (OCSP)
• OCSP enables real-time validation of a certificate's status between the RADIUS server and the Certificate Authority during the 802.1X authentication phase
• An OCSP responder will fetch the CRL dynamically from the CRL Publisher and expose it to the outside world with HTTP, LDAP, SMTP, etc. (ISE and ADCS support HTTP)
• OCSP comparison with CRL:
  • More up-to-date information on certificate status
  • Client does not have to download the whole CRL -> Uses much less bandwidth and resources to process
  • Can be subject to replay attacks
Certificate Revocation List (CRL)
• CRL enables the revocation of certificates by publishing a list of revoked certificates
• A client will fetch the CRL periodically from the CRL Publisher with HTTP, LDAP, File Share, etc.
• CRL pros and cons:
  • The Revocation List can get quite large over time: it will consume resources to download and process
  • Delta CRLs can be used to alleviate this problem but not all clients support them (ISE only supports Full CRLs)
  • A device with a revoked certificate could still have access for some time since CRLs are not real-time
• OCSP is generally preferred over CRL
OCSP – ISE Validation and Troubleshooting
When revoking a certificate, a failed 802.1x authentication will appear in the Event Viewer
A Revoked Cert entry will also appear in the OCSP Monitoring report
• Connectivity should be verified between ISE and the OCSP Responder
• ISE provides a few tools for this:
  • Ping: Available on the CLI (via SSH or VMWare CLI)
  • Packet Capture: Operations -> Diagnostic Tools -> General Tools -> TCP Dump – Capture can be downloaded and opened with Wireshark
In this case, the nonce option was activated on ISE. This option was not matching in the Microsoft CA’s OCSP request and configuration
OCSP – ISE Troubleshooting
• Detailed information can be obtained from the ISE prrt-management.log at Debug Level
• The file can be downloaded and searched with the “ocsp” keyword. The log file can also be searched in the CLI using “tail” and “grep” for the same keyword:
(Log screenshot callouts: Entry not in ISE cache – triggers request! / Connectivity OK! / Cert revoked…)
CRL – ISE Validation and Troubleshooting
(Screenshots: When CRL works! / When CRL does not work!)
• Detailed information can be obtained from the ISE prrt-management.log log file at Debug Level (Administration > Logging)
• The file can be downloaded and searched for the “CRL” keyword. The log file can also be searched in the CLI:
(Log screenshot callouts: Connectivity OK! / CRL downloaded and validated)
Certificate Revocation & Renewal
Revoking User Access in ISE
• Revoke Endpoint Certs
  • Once revoked, it’s permanent! NO undo!
  • Will need to onboard again for new cert.
• My Devices Portal, https://ise:8443/mydevicesportal
  • Lost (Blacklisting, cert not revoked)
  • Stolen (Blacklisting and cert revoked)
Revoking User Access in MS2012
• Device Lost? Employee leaves job? Contract ended?
• How to block selected devices only?
  • Via Microsoft CA… Need to find right serial #!
  • MS CA cannot limit # of certs per user…
Verify Certificate Serial Number
• Assume user knows the Serial Number on certificate? Maybe?
• Can do search based on available attributes
(Screenshot callout: Match?)
Revoking a User Certificate
1. WIN2012-SubCA > Issued Certificates > (right-click) All Tasks > Revoke Certificate
2. Cease of Operation (revocation reason)
3. WIN2012-SubCA > Revoked Certificates > (right-click) All Tasks > Publish
Certificate Lifecycle and Expiration - BYOD
• Authorization policies with ISE 1.3 can be defined with the following attributes: (screenshot)
• Allows endpoints having certificates near their expiration date to trigger the SCEP provisioning process again
*** Demo Video ***
Certificate Lifecycle and Expiration – Corporate with ADCS
• In most cases, auto-enrollment will automatically renew these certificates the next time the computer is connected to the network and the domain
• Manual renewing can also be done on the computer directly using the Certificate Snap-In tool on the device before or after the expiration:
  • Renew with a new key
  • Renew with the same key
Roaming to a different WLC
Distributed ISE Deployment: Multiple WLCs
Roaming Across PSNs
(Diagram: Root CA -> ISE PAN Intermediate CA -> PSN1 and PSN2; PSN1 serves WLC1/AP1, PSN2 serves WLC2/AP2, same SSID on both)
• Certificate trust relationship across PSNs under ISE Intermediate CA
*** Demo Video ***
EAP Chaining
Use Case #1
Goal: Ties corporate employee to corporate machine!
• EAP Chaining uses EAP-FAST protocol extensions
• Ties both user credentials (EAP-TLS) and machine credentials (EAP-TLS) together as one authentication transaction
• AnyConnect Network Access Manager (NAM) required! (Windows Only)
• Standard OS .1x supplicant does not support dual user+machine authentication simultaneously
(Diagram: Machine Credentials and User Credentials -> Machine Authentication and User Authentication -> one RADIUS Authentication that includes both user & machine identity types -> Machine & User Credentials validated against the AD Database)
EAP-FAST (Flexible Authentication via Secure Tunneling)
• Defined in RFC 4851 and was developed by Cisco Systems
• Does not use certificates (anonymous PAC provisioning)
• Mutual authentication provided by Protected Access Credential (PAC) file, usually provisioned dynamically
• Anonymous versus Authenticated PAC Provisioning
• Occurs in 3 Phases:
  • Phase 0: PAC Provisioning
  • Phase 1: Establishment of secure TLS tunnel using PAC
  • Phase 2: Inner authentication method for credential exchange
• Tunnel EAP (TEAP) in IETF draft, https://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-03
EAP Chaining: What Problems is it Solving?
• The Machine Access Restriction (MAR) cache in ISE caches the Machine authentication session, but this cache is not replicated between PSNs and has a timeout value
• Unless EAP-Chaining is used with EAP-FAST, performing Machine and User Authentication is subject to limitations in the following use cases:
  • Wake On LAN/Sleep mode: PC is woken in user context but its MAR entry has timed out -> Authentication fails
  • Roaming between PSNs: PC roams while in user context but the new PSN does not have a MAR entry -> Authentication fails
• MacOS is subject to the same limitations but the AnyConnect Network Access Manager 802.1X supplicant is only available for Windows
• The Machine and User identities can be linked together in an ISE Authorization Policy with the same attributes as with Windows
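The two MAR failure modes above, and the authorization outcomes the deck describes under "EAP Chaining Authorization", can be modelled in a few lines. This is an added toy simulation, not ISE code: the PSN names, the MAR aging time and the authorization result names are constructed for illustration.

```python
from dataclasses import dataclass, field

MAR_TIMEOUT_S = 3600          # constructed aging time; ISE's MAR aging is configurable
MAC = "00:11:22:33:44:55"     # constructed endpoint


def authorize(machine_ok, user_ok):
    """Outcome table modelled on the deck's 'EAP Chaining Authorization' slide:
    both succeed -> corporate asset; either fails -> restricted or denied."""
    if machine_ok and user_ok:
        return "Corporate_Asset_Full_Access"   # employee on a corporate machine
    if user_ok:
        return "Restricted_Access"             # known user, machine not proven
    if machine_ok:
        return "Machine_Only_Access"           # machine context, nobody logged in
    return "Deny"


@dataclass
class PSN:
    name: str
    # MAR cache: MAC -> time of the last successful machine auth. Held per PSN,
    # never replicated to other PSNs, and entries age out.
    mar_cache: dict = field(default_factory=dict)

    def machine_auth(self, mac, now):
        """Machine-context auth (e.g. machine cert via EAP-TLS) records a MAR entry."""
        self.mar_cache[mac] = now
        return authorize(machine_ok=True, user_ok=False)

    def user_auth_with_mar(self, mac, user_ok, now):
        """Classic two-phase auth: the user phase must find a fresh MAR entry on THIS PSN."""
        seen = self.mar_cache.get(mac)
        machine_ok = seen is not None and now - seen <= MAR_TIMEOUT_S
        return authorize(machine_ok, user_ok)

    def eap_chaining(self, mac, machine_ok, user_ok):
        """EAP-FAST chaining: both identities arrive in one transaction, no cache lookup."""
        return authorize(machine_ok, user_ok)


def scenario_fresh_two_phase():
    """Control case: two-phase auth works while the MAR entry is fresh on the same PSN."""
    psn = PSN("PSN1")
    psn.machine_auth(MAC, now=0)
    return psn.user_auth_with_mar(MAC, user_ok=True, now=60)


def scenario_sleep_timeout():
    """Wake On LAN / sleep: the PC wakes in user context after its MAR entry aged out."""
    psn = PSN("PSN1")
    psn.machine_auth(MAC, now=0)
    return psn.user_auth_with_mar(MAC, user_ok=True, now=2 * 3600)


def scenario_roaming_two_phase():
    """Roaming WLC1/PSN1 -> WLC2/PSN2 in user context: PSN2 never saw the machine auth."""
    psn1, psn2 = PSN("PSN1"), PSN("PSN2")
    psn1.machine_auth(MAC, now=0)
    return psn2.user_auth_with_mar(MAC, user_ok=True, now=60)


def scenario_roaming_eap_chaining():
    """Same roam with EAP Chaining: PSN2 gets both credentials in the single exchange."""
    psn2 = PSN("PSN2")
    return psn2.eap_chaining(MAC, machine_ok=True, user_ok=True)


if __name__ == "__main__":
    for s in (scenario_fresh_two_phase, scenario_sleep_timeout,
              scenario_roaming_two_phase, scenario_roaming_eap_chaining):
        print("%-30s -> %s" % (s.__name__, s()))
```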
EAP Chaining Flow
(Ladder diagram between the supplicant and ISE; the "Established connection" becomes an "Established secure connection" once the TLS tunnel is up)
Phase 0 (Client Provisioning):
  1. EAP Identity Request
  2. EAP Identity Response
  3. EAP-FAST Start (S bit, A-ID)
Phase 1:
  4. TLS Client Hello (client_random, PAC-Opaque)
  5. TLS Server Hello (server_random), TLS Change cipher spec, TLS Finished
  6. TLS Change cipher spec, TLS Finished
Phase 2:
  7. Identity-Type TLV (Machine Type), EAP Payload-TLV (EAP Request-Identity)
  8. Identity-Type TLV (Machine Type), EAP Payload-TLV (EAP Response-Identity)
  9. Machine Authentication – can be EAP-MSCHAPv2/EAP-GTC/EAP-TLS/Machine cert or Machine Authorization PAC
  10. Crypto-Binding TLV (Nonce, Compound MAC), Intermediate Result TLV (Success)
  11. Crypto-Binding TLV (Nonce, Compound MAC), Intermediate Result TLV (Success)
  12. Identity-Type TLV (User Type), EAP Payload-TLV (EAP Request-Identity)
  13. Identity-Type TLV (User Type), EAP Payload-TLV (EAP Response-Identity)
  14. User Authentication – can be EAP-MSCHAPv2/EAP-GTC/EAP-TLS/Machine cert or User Authorization PAC
  15. Crypto-Binding TLV (Nonce, Compound MAC), Intermediate Result TLV (Success)
  16. Crypto-Binding TLV (Nonce, Compound MAC), Intermediate Result TLV (Success)
  17. EAP Success
EAP Chaining (Using EAP-TLS)
Configurations Required
• Enable both user and machine certificate enrollment via GPO
• Install AnyConnect NAM module
• Configure ISE EAP Chaining authentication/authorization
EAP Chaining Authorization
Goal: Ties corporate employee to corporate machine!
• If both user and machine authenticate successfully, the user is considered to be using a corporate asset.
• If both or either user/machine fails authentication, restricted or denied access can be applied via ISE authorization policy.
(Diagram: Access Privilege)
Microsoft GPO Configuration
• User and Machine certificates deployed on corporate LAN only
• Enrollment and AutoEnrollment enabled (User and Computer)
• Not designed for BYOD
ISE EAP-TLS Configuration (and Demo)
• Network Devices and MS AD authentication added
• Enable EAP Chaining in EAP-FAST protocol
• Set Authentication Policy to allow EAP-FAST protocol
• Define Authorization Compound Condition Expressions for EAP Chaining attributes
• Create Authorization Policies for each EAP Chaining use case
EAP-Chaining Demo Video!
See Appendix for full step by step instructions
ISE Authentication Logs
• User+Machine = success
• AuthZ Policy = EAP_Chain
EAP Chaining Troubleshooting
• Check Authentication Policy match?
• Check Authorization Policy match?
MacOS - Machine and User Authentication
• Windows and MacOS use 2 phases of
authentication – Machine/Computer and User
• The built-in Windows supplicant requires the 2
phases to use the same EAP type (EAP-TLS or
PEAP-MSCHAPv2)
• MacOS allows different types (EAP-TLS+PEAP-
MSCHAPv2 for example)
• A system profile is used to provision the
machine/computer authentication while a user
profile is used to define the user authentication
• To use PEAP-MSCHAPv2 machine/computer
authentication, the MacOS device must be
joined to the Active Directory domain
MacOS DCE/RPC Certificate Provisioning
• With OS X Lion (MacOS 10.7) and later, you can acquire a certificate from a
Microsoft Certificate Authority using the com.apple.adcertificate.managed profile
payload
• Mountain Lion (Mac OS 10.8) transitions to the use of the DCE/RPC protocol
instead of SCEP or the Web Portal
• It also offers more flexibility for choosing the certificate template to use for
issuance
• These methods can be used to provision a system profile on Macbook
computers:
• OS X Server’s Profile Manager
• Double-clicking on a custom-built .mobileconfig file
• third-party Mobile Device Management (MDM) server
MDM Provisioning
Use Case #3, Corporate non-Domain Devices
Meraki Systems Manager – Certificate Provisioning
The Meraki Systems Manager EMM can enroll mobile devices and provision certificates with:
• A built-in Cisco Systems CA in the Cloud offering
• A SCEP Certificate signed by a private Certificate Authority
• Active Directory Authentication/Authorization for enrollment:
  • Using the MX appliance as a proxy to your AD Domain
  • Using a Windows/MacOS Systems Manager Agent on a managed device as a proxy to your AD Domain
• Allows the provisioning of the AD username in the Certificate Common Name
Meraki Systems Manager – Onboarding Flow
(Diagram: the device authenticates and onboards through the MR Access Point; SCEP Cert Enrollment is served from the Meraki cloud; Authentication is checked against Active Directory at the Customer Site through the MX Security Appliance)
Meraki Systems Manager SCEP Configuration
• The Meraki Systems Manager uses a default SCEP certificate for provisioning: (screenshot: Default SCEP Certificate; ISE Integration Parameters for Wired/WLAN authentication)
• The SCEP certificate can be re-signed with a private CA
• ISE can then match the issuer information in an Authorization Policy
  1. Download CSR
  2. Sign the CSR
  3. Upload Cert
Meraki Systems Manager - Default and Signed SCEP Certificate
(Screenshots: Default SCEP Certificate, where OU = Organization ID; CA-Signed SCEP Certificate with its Issuer Information)
Meraki Systems Manager - Defining an EAP-TLS Profile for a Managed Device
(Screenshot: Profile Definition, Identity Certificate, Trusted Certificates to be pushed)
Airwatch - Certificate Provisioning
The Airwatch EMM offers multiple mechanisms to deliver certificates to managed devices:
• Built-in CA with on-premise appliance or cloud offering
• Integration with 3rd-party Certificate Servers using SCEP and Microsoft ADCS using DCOM/NDES/SCEP
On-Premise:
• Direct Active Directory authentication/authorization integration for enrollment
Cloud Based:
• Active Directory Authentication/Authorization for enrollment and for Certificate Services through the Airwatch Cloud Connector (ACC) installed on a domain member
Airwatch Certificate Template
(Screenshot: Subject Definition; SAN Definition)
Airwatch Certificate Attributes
Note: DeviceWLANMac or Device UDID must use a SAN Type = DNS Name
Airwatch – Defining an EAP-TLS Profile for a Managed Device
(Screenshot: Trusted Certificates to be pushed; WIFI-Authentication Definition)
Asset Differentiation with Certificates
Common Name vs Fully Distinguished Name
• The Subject Name in a Certificate can be auto-populated with information from Active Directory Domain Services. Typical values are the Common Name and the Fully Distinguished Name
• Common Name: The CA creates the subject name from the common name (CN) obtained from AD DS. This should be unique within a domain but might not be unique within an enterprise.
• Fully Distinguished Name: The CA creates the subject name from the fully distinguished name obtained from AD DS. This ensures that the name is unique within an enterprise
String Attribute Types:
  DC      Domain Component
  CN      Common Name
  OU      Organizational Unit Name
  O       Organization Name
  STREET  Street Address
  L       Locality Name
  C       Country Name
  UID     UserID
Common Name vs Fully Distinguished Name
The Certificate Template used will define if the CN or the FDN is used to populate the Subject Name in the Certificate generated:
• Common Name*
• Fully Distinguished Name
* Common Name is typically used for the base Computer Authentication certificate template
Asset Differentiation – Certificate Attributes
• The Common Name in the certificate can be used to authorize access based on the validity of the AD computer/user account in ISE
• Can be used to identify Corporate Assets or an Employee with the Domain Member/Domain Users attribute
Asset Differentiation – Distinguished Name
• Fields in certificates can be used to differentiate assets and access in ISE
  Example: The Organizational Unit (OU) could be used to identify Corporate Assets: OU=Corporate Assets
Asset Authorization and Differentiation
• ISE 1.3 exposes an attribute that maps the certificate template used to issue the certificate (with an external Microsoft CA only; with ISE CA in 2.0)
• This can be used to identify the access control use cases and provide differentiated access and authorization:
  Authorization rule1 – Template Name = SCEP_BYOD -> Personal Devices Employees
  Authorization rule2 – Template Name = Airwatch_template -> Corporate Mobile Devices
  Authorization rule3 – Template Name = Computer -> Corporate PCs
  Authorization rule4 – Template Name = DCE_RPC -> Corporate Macbooks
• Further differentiation can be done using other attributes in CN/SAN (ex: AD username/groups) or with Machine + User linkage rules
• The Certificate Template attribute cannot be used with a Meraki Systems Manager but the OU could be used to identify this use case as a workaround
Asset Authorization and Differentiation
Summary of Attributes
Attribute               Description / Example
Common Name             Win811.ciscolive.demo
Distinguished Name      CN=Win811,OU=Corporate Assets,DC=CISCOLIVE,DC=DEMO
Email (User)            slevesqu@ciscolive.demo
User Principal Name     Internet-style login name: slevesqu@ciscolive.demo
Service Principal Name  Used to define instances of a service on a server or client. In this case: HOST/Win811.ciscolive.demo
DNS Name                FQDN: Win811.ciscolive.com
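The template-name rules and the OU workaround above, together with the CN-versus-FDN uniqueness point, can be exercised against the attributes in the summary table. This is an added example, not ISE code: it carries a small RFC 4514 DN parser (escaped commas and multi-valued RDNs handled) and a first-match rule table; the certificate records, the rule named rule5_ou_workaround and the result strings are constructed for illustration.

```python
SPECIALS = ',+"\\<>;= #'   # characters RFC 4514 allows to be backslash-escaped


def parse_dn(dn):
    """Return [(attr, value), ...] in written order, with escapes removed.
    Handles '\\,' style escapes and '\\XX' hex pairs (one byte, latin-1)."""
    rdns, attr, buf, in_attr, i = [], "", "", True, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in SPECIALS:
                buf += nxt
                i += 2
            else:
                buf += chr(int(dn[i + 1:i + 3], 16))
                i += 3
            continue
        if in_attr and c == "=":
            attr, buf, in_attr = buf.strip(), "", False
        elif not in_attr and c in ",+":   # ',' ends an RDN, '+' a multi-valued AVA
            rdns.append((attr.upper(), buf.strip()))
            buf, in_attr = "", True
        else:
            buf += c
        i += 1
    rdns.append((attr.upper(), buf.strip()))
    return rdns


def dn_values(rdns, attr):
    """All values of one attribute type (a DN may repeat DC, OU, ...)."""
    return [v for a, v in rdns if a == attr.upper()]


def identity_key(subject, use_fdn):
    """The deck's CN-vs-FDN point: CN alone may collide across domains of an
    enterprise; the fully distinguished name does not."""
    rdns = parse_dn(subject)
    if use_fdn:
        return ",".join("%s=%s" % (a, v) for a, v in rdns)
    return dn_values(rdns, "CN")[0]


# Constructed certificate records, in the shape ISE exposes the attributes
CERTS = {
    "corp_pc": {"template": "Computer",
                "subject": "CN=Win811,OU=Corporate Assets,DC=CISCOLIVE,DC=DEMO",
                "san_dns": ["Win811.ciscolive.com"]},
    "byod": {"template": "SCEP_BYOD", "subject": "CN=slevesqu", "san_dns": []},
    "meraki": {"template": None,     # Meraki-issued: no Template Name attribute
               "subject": "CN=slevesqu,OU=Corporate Assets,O=constructed-org",
               "san_dns": []},
    "unknown": {"template": None, "subject": "CN=guest-laptop", "san_dns": []},
}

# First match wins, like an ISE authorization policy. rule1-rule4 are the
# deck's; rule5 is the OU fallback the deck suggests for Meraki.
RULES = [
    ("rule1", lambda c: c["template"] == "SCEP_BYOD", "Personal Devices Employees"),
    ("rule2", lambda c: c["template"] == "Airwatch_template", "Corporate Mobile Devices"),
    ("rule3", lambda c: c["template"] == "Computer", "Corporate PCs"),
    ("rule4", lambda c: c["template"] == "DCE_RPC", "Corporate Macbooks"),
    ("rule5_ou_workaround",
     lambda c: "Corporate Assets" in dn_values(parse_dn(c["subject"]), "OU"),
     "Corporate Assets (by OU)"),
]


def authorize(cert):
    """Return (matching rule name, result); unmatched certificates are denied."""
    for name, matches, result in RULES:
        if matches(cert):
            return name, result
    return "default", "Deny"


if __name__ == "__main__":
    for label, cert in CERTS.items():
        print("%-8s -> %s" % (label, authorize(cert)))
```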
Ned Z. Talks!
• Certificates for pxGrid
  • Adaptive Network Control with ISE & Lancope Stealthwatch
  • Identity for Cisco Web Security Appliance (WSA)
• Certificates for Decryption
  • FirePower (NGFW/NGIPS)
  • Web Security Appliance
Quick Introduction to pxGrid
For more information on pxGrid check out BRKSEC-2695
• Used to exchange information between ISE and Everything Else
• Publisher / Subscriber Module
• Certificates are used to ensure trust between ISE and 3rd Party
(Diagram: Exchange of Information – Publishing / Subscribing between ISE and 3rd Party)
Certificate for pxGrid doing Adaptive Network Control (ANC) with Lancope StealthWatch
Adaptive Network Control
Another use case for Certificates
• Formerly called Endpoint Protection Services (<= ISE 1.3)
• Have this great Identity Access Control Network built on Certificates and PKI Infrastructure, now what?
• ISE collects all this great information like Posture, Port, Network Access device, MDM Status, Device and IDENTITY!!!
• So let's leverage it! Mitigation = Quarantine
What is Lancope StealthWatch?
Part of Cisco’s Cyber Threat Defense leveraging Netflow
Configuration Summary
ISE 1.3+:
• pxGrid Node
• Generate key and certificate for pxGrid
• Import pxGrid certificate
• Export System/pxGrid certificates
Lancope Stealthwatch 6.6(1):
• Define Settings for ISE Cluster(s)
• Import ISE System certificates
• Import CA Certificate(s)
• Import pxGRID certificate(s)
• Add Cisco ISE Mitigation [pxGrid]
pxGrid Node
ISE Configuration
• Administration > Deployment > Edit Node > Assign pxGrid Persona
• Plus licensing required
• Uses XMPP for exchange
pxGrid Certificate
ISE Configuration
• Certificate needed to trust recipient(s) of Identity Information
• Required for each node running the pxGrid persona
• These certificates will be exported and imported into Lancope
Export System Certificates
ISE Configuration
• Via UI, one by one -> Administration > Certificates > System Certificates > Select Certificate, Then Export
• Via CLI -> application configure ise
  • Enter 7 to export the certificates and keys
  • Requires repository
ISE Deployment Node
Lancope Stealthwatch using Web UI
• Define Port
• Define Account
• Define MnT & Policy Node(s)
Import Certificates (CA, pxGrid, ISE System)
Lancope Stealthwatch Configuration – Access via Admin UI
• Need to establish trust with ISE for Mitigation
• Added CA Certificate shown below (screenshot)
Verification of Identity (via syslog)
Authentication Details / Identity & Device Table
• ISE UI via Details of Authentication session or Reports
• StealthWatch Web UI -> Users View or Searching by User
ISE Mitigation
Lancope Stealthwatch Configuration for ISE 1.3+
• To be able to Quarantine and Un-quarantine, you must define the pxGrid node
Verification of Mitigation
• Search by User or IP allows you to manually Quarantine/Un-quarantine via ISE pxGrid. E.g. Suspect Data Loss, Hoarding, SSH Exfiltration…
• Dynamic Authorization (CoA)
• Results from ISE
• Custom blackhole page displayed
Verification Subscription in ISE
• Navigate in ISE Web UI to verify pxGrid subscriptions
  • Administration > pxGrid Services > Live Log
  • Operations > Reports > pxGrid Audit Report
ISE WSA
Certificate for pxGrid for Identity with Web Security Appliance (WSA)
WSA Identity
Another use case for Certificates
• Have this great Identity Access Control Network built on Certificates and PKI Infrastructure, now what?
• ISE collects all this great information like Posture, Port, Network Access Device, MDM Status, Device and IDENTITY!!!
• So let’s leverage it! (Session Directory, TrustSec Metadata)
Why pxGrid with WSA for Identity?
WSA implemented as a transparent proxy and requiring identity. That means a user logged into AD will authenticate transparently (no user interaction).
But what about BYOD devices?
• Transparent Authentication not available on BYOD.
• Username is not available to the proxy
Configuration Summary

ISE 1.3+ [shown previously]
• pxGrid Node
• Generate key and certificate for pxGrid
• Import pxGrid certificate
• Export System/pxGrid certificates
• Import WSA identity Certificate

WSA 8.5+
• ISE Configuration for Admin, Monitoring and pxGrid personas
• Define Identity Policy using ISE pxGrid
Import WSA Certificate in ISE
Navigate to Administration > Certificates > Trusted Certificates > Import
Import WSA Identity Certificate
ISE Configuration on WSA
Enable ISE Service
Import Certificates and Key
• WSA Identity Cert
• Root Certificate
Test pxGrid on WSA
Test Communication verifies Configuration:
• Certificates
• Exchange of TAG
Available at Bottom of ISE Configuration
Define Identification Policy WSA
• Navigate to WSA Web UI to Web Security Manager > Identification Profiles
• Subnet and protocol used to trigger ISE as an identity source
Verification on WSA
• Navigate to WSA Web UI to Monitoring > Users
• Usernames like nzaldiva are discovered/authenticated via ISE pxGrid
Verification Subscription in ISE
• Navigate in ISE Web UI to verify pxGrid subscriptions
• Administration>pxGrid Services > Live Log
• Operations > Reports > pxGrid Audit Report
Certificates for Decryption
Decryption – Another use case for Certificates
• You’ve built this PKI environment, let’s use it for Decryption
• Why? It is all about the Visibility and Threats
• Better Application Control
• HTTPS – Google, Facebook, Salesforce….
• Data leaving Networks
Check out BRKSEC-2525 – Impacts of HTTPS Transport Encryption
Certificates for Decryption with FirePOWER
Integration SSL Decryption
• FirePOWER 7000/8000 Appliances (series 3 only) running 5.4+
• Slated for ASA + FirePOWER Services with 6.0
• Multiple Deployment modes
• Inbound passive (with known keys)
• Inbound inline (with or without keys)
• Outbound inline (without keys)
• Flexible SSL support for HTTPS & StartTLS based apps
  • E.g. SMTP, POP, FTP, IMAP, Telnet
• Centralized enforcement of SSL certificate policies
  • e.g. blocking self-signed encrypted traffic, SSL version, specific Cipher Suites, unapproved mobile devices
Inbound Passive Deployment
Integrated SSL Decryption
• Monitoring incoming server traffic
• Tap creates copy of all traffic
• Server’s key needed to decrypt
• Detection only, not prevention
[Figure: Client <-> Network Device <-> Internal Server; the traffic stays Encrypted (‘#$!...’) end to end, while the tap copy is Decrypted (‘abc...’) on FirePOWER]
Inbound Inline Deployment
Integrated SSL Decryption
• Protecting incoming server traffic
• Policy determines what to inspect
• Server’s key needed to decrypt
• Detection and Prevention
[Figure: Client <-> FirePOWER <-> Internal Server; Encrypted (‘#$!...’) from the Client, Decrypted (‘abc...’) inside FirePOWER, Encrypted (‘@!<...’) to the Internal Server]
Outbound Inline Proxy Deployment
Integrated SSL Decryption
• Protecting outgoing client traffic
• Policy determines what to inspect
• Root CA/key needed to re-encrypt
• 2 Separate sessions established
• Detection and Prevention
[Figure: Client <-> FirePOWER <-> External Server; Encrypted (‘#$!...’) from the Client, Decrypted (‘abc...’) inside FirePOWER, Encrypted (‘@!<...’) to the External Server]
Outbound Inline Proxy Configuration Summary
Configuration on FireSIGHT Management Center
• Install Root Certificate with Private Key for MiTM
  • Download CA certificate
  • Backup CA certificate in Certificate Authority
  • Convert PFX/P12 certificate to PEM
  • Import CA certificate into FireSIGHT
• Configure New SSL Policy which defines decryption criteria
• Assign SSL Policy to Access Control Policy
• Verify decryption
Download Root CA Certificate
• Navigate to http://<CA>/certsrv/
• Download CA Certificate
  • DER Format
• [Option] Export Certificate using MMC (PC) or KeyChain Access (Mac)
Export CA Certificates with Private Key
• Navigate to Certificate Authority Administrator Tool on Microsoft CA
• Select Back up CA or use Certutil -backupKey
• Export from PC because Certificates are marked Non-Exportable
Convert CA Certificate
• Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
• Use openssl or Online SSL Converter
  openssl pkcs12 -in rootCA.pfx -out rootCA.pem -nodes
• Openssl binaries available on https://openssl.org
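The conversion step above, run end to end as an added example (this is not code from the deck or from Cisco). It assumes only the openssl command-line tool; the "Windows Root CA" and its rootCA.pfx backup are constructed in a temporary directory so the script needs no CA server, and the export password is a placeholder. The file names rootCA.pfx and rootCA.pem are the ones the slide uses; everything else is made up here. After the conversion the combined PEM is split, because the appliance import wants only the BEGIN/END PRIVATE KEY block while client trust stores must get the certificate alone, and the script checks that the split key really belongs to the split certificate before either file is handed on.

```shell
# Added example, not from the Cisco Live deck: PFX -> PEM conversion offline.
# The Root CA and its PKCS#12 backup are CONSTRUCTED with openssl; in a real
# deployment rootCA.pfx is the Certificate Authority backup from the slide.
set -eu

WORK=$(mktemp -d)
PFX_PASS='constructed-backup-password'   # placeholder for the backup password

# Constructed stand-in for the Windows Root CA: self-signed, CA:TRUE.
make_constructed_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/CN=Constructed Root CA' \
        -addext 'basicConstraints=critical,CA:TRUE' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # Bundle key and certificate the way a .pfx backup carries them.
    openssl pkcs12 -export -inkey "$WORK/ca.key" -in "$WORK/ca.crt" \
        -out "$WORK/rootCA.pfx" -passout "pass:$PFX_PASS"
}

# The slide's command with the password supplied non-interactively.
# -nodes writes the private key unencrypted, which is what the appliance
# import expects (only the BEGIN/END PRIVATE KEY block is pasted there).
convert_pfx_to_pem() {
    pfx=$1; out=$2
    openssl pkcs12 -in "$pfx" -out "$out" -nodes -passin "pass:$PFX_PASS"
}

# Split the combined PEM: the certificate alone goes to client trust stores,
# the key alone goes to the decrypting appliance and nowhere else.
split_pem() {
    bundle=$1
    openssl x509 -in "$bundle" -out "$WORK/rootCA.cert.pem"
    openssl pkey -in "$bundle" -out "$WORK/rootCA.key.pem"
}

# Prints "match" when the key's public half equals the certificate's
# SubjectPublicKeyInfo (compared as SHA-256 of the DER encoding).
key_matches_cert() {
    cert=$1; key=$2
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# Prints how many PEM blocks of type $2 (e.g. "PRIVATE KEY") file $1 holds.
count_blocks() {
    grep -c "^-----BEGIN $2" "$1" || true
}

make_constructed_ca
convert_pfx_to_pem "$WORK/rootCA.pfx" "$WORK/rootCA.pem"
split_pem "$WORK/rootCA.pem"
echo "key/cert: $(key_matches_cert "$WORK/rootCA.cert.pem" "$WORK/rootCA.key.pem")"
echo "private keys in rootCA.pem: $(count_blocks "$WORK/rootCA.pem" 'PRIVATE KEY')"
```

The key/cert comparison is the check worth keeping around: a PFX exported from the wrong CA or a PEM assembled from mismatched files imports without error on most appliances and only fails later, when clients reject the resigned certificates.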
Import CA Certificates & Private Key
• Navigate in FireSIGHT to Objects >PKI>Internal CA
• Select Import CA
• Certificate File should be in DER or PEM
  • Downloaded or Exported Root Certificate
• Backup & Converted Root Certificate (only text including BEGIN/END Private Key should be included)
Define SSL Policy
• Any Rule used to trigger Decrypt-Resign using Certificate from CA, more specific options available for Triggering
• Imported Root CA Certificate with private key
• Needed for Man in the Middle
Advanced Setting in Access Policy
• Tying the Access Policy to the SSL Policy
• Disabled by default
Verify Decryption – Example Google Mail
• Notice Certificate Path now includes Installed Root CA
• Google certificate has been resigned using Installed Root CA Certificate
Verify Decryption
FireSIGHT Connection Events
• Certificate details stored for each decryption
SSL Decryption Testing: Verification

Browser            Google.com  Gmail.com  Yahoo.com  mail.yahoo.com        dropbox.com  box.com  facebook.com
Windows
  IE 11            yes         yes        yes        yes                   yes          yes      yes
  Firefox 37.0.1   yes*        yes*       yes*       yes*                  yes*         yes*     yes*
  Chrome           bypass**    bypass**   yes        yes                   yes          yes      yes
OSX
  Safari 7.1       yes         no         yes        yes                   yes          yes      yes
  Firefox 36.0.1   no          no         no         no                    no           no       no
  Chrome           bypass**    bypass**   no***      no***, images jacked  yes          yes      yes

* requires RootCA (without key) certificate in trusted store
** bypassed because *.google.com is verified by chrome
*** ERR_SSL_PROTOCOL_ERROR
Troubleshooting Errors
FireSIGHT Connection Events
• Add more rows to Connection Events for troubleshooting
Demo of FirePOWER Decryption
** Demo Video **
Certificates for Decryption using Web Security Appliance
Integration SSL Decryption
Cisco Web Security Appliance
• Superior Performance starting with WSA 8.0
• Deployment either WCCP or Explicit Proxy
• Used for Decrypting HTTPS traffic so you can apply HTTP policy to traffic
Outbound Proxy Deployment
Using WCCP or Explicit for Traffic Redirection
• Protecting outgoing client traffic
• Decryption Policy determines what to inspect
• Root CA key needed to re-encrypt
• 2 Separate sessions established
[Figure: Client <-> WSA <-> External Server; Encrypted (‘#$!...’) from the Client, Decrypted (‘abc...’) inside WSA, Encrypted (‘@!<...’) to the External Server]
Outbound Proxy Configuration Summary
Configuration on WSA
• Install Root Certificate with Private Key for MiTM
• Configure Decryption Policy
• Verify decryption
Import CA Certificate
• Navigate in WSA to Network > Certificate Management
• Select Import
• Please include private key
Define Decryption Policy
• Navigate to WSA Web UI to Web Security Manager > Decryption Policies
• SGTs from pxGrid used for selection criteria
ISE Verification
Decryption Policy <-> SGT
• Navigate to ISE UI
• Operations > Authentications or Operations > Reports > Radius Authentications
Verify Decryption – Example Google Mail
• Notice Certificate Path now includes Installed Root CA
• Google certificate has been resigned using Installed Root CA Certificate
ISE PKI TAC FAQs
Troubleshooting: ISE TAC FAQs
1. Q: Certificate Renewal on ISE. How?
Ans: Install a new certificate with future start date prior to expiration of old certificate.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

2. Q: Apple iOS, SCEP not working with ISE cert from external CA
Ans: Update the Root CA cert in ISE certificate

3. Q: ISE support for non-Windows CA? Such as DogTag?
Ans: Unofficially supported. Not tested on large scale deployments.
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/116237-configure-dogtag-00.html

4. Q: ISE certificate Generation for BYOD. MS CA missing SAN entries?
Ans: http://technet.microsoft.com/en-us/library/ff625722%28v=ws.10%29.aspx
Summary
“PKI is a Journey, not a destination”
Review Deployment: Understand PKI/CA and Configurations
Deployment Use Cases, “How to…”:
• PKI
• MDM Provisioning
• Cert Revocation
• Identity via pxGrid and HTTPS MITM
Participate in the “My Favorite Speaker” Contest
Promote Your Favorite Speaker and You Could Be a Winner
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
  • Your favorite speaker’s Twitter handle <@jerrylin_run, @n3d>
  • Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
Appendix
Win2012-RootCA Installation
http://social.technet.microsoft.com/wiki/contents/articles/12370.windows-server-2012-set-up-your-first-domain-controller-step-by-step.aspx?PageIndex=2
Let’s Build a Root CA!
Install the 2012 R2 server
• Building the Enterprise Root CA
• Add Roles and Features
Windows 2012 R2 Installation
Adding Active Directory Domain Services
• Install Domain Services
Add DHCP and DNS
AD DS and DHCP install
Continue…
Finish installing AD DS, DHCP, DNS Services
Verify AD DS, DHCP, DNS services
Promoting Domain Controller
• Promote Domain Controller, accept default settings, and REBOOT!
Promoting DC…
Continue…
Continue…
Finish installing domain services
Reboot and Continue…
Verify “CISCOLIVE.DEMO” Domain
• Verify AD Domain installed
• Add Certificate Services Role
Add AD Certificate Services Role
• Add AD Certificate Services
Certificate Services Role Install
• In Tiered CA deployment, only Certificate Authority Role is needed for RootCA!
• In Single* CA deployment, ALL certificate services roles are required.
* Must install CA role first before other roles!
Adding AD Certificate Services
Optional: Continuing Certificate Services Install
For Single CA Deployment Only
Click on Add Roles and Features to finish additional CA services install.
Optional: Additional Certificate Services…
For Single CA Deployment Only
Add remaining certificate services
Certificate Services continue
Click Close when done.
Configure Certificate services
CA Roles Defined
• Certificate Authority: Required for CA services
• Certificate Authority Web Enrollment: Provides enrollment for devices not joined to the domain and users of non-Microsoft OSs.
• Certificate Enrollment Policy Web Service: Uses HTTPS and CEWS (below) to enroll clients that are not members of a domain or not joined to a domain.
• Certificate Enrollment Web Service: Uses HTTPS and CEPWS (above) to enroll clients that are not members of a domain or not joined to a domain.
• Network Device Enrollment Service: Same as SCEP (Simple Certificate Enrollment Protocol).
• Online Responder: Based on Online Certificate Status Protocol (OCSP) to dynamically manage revoked certificates.
Configure CA Roles
• Tiered CA: Only CA role is needed!
• Single CA:
  • Cannot install Certificate Authority and NDES simultaneously!
  • Must install separately or will see Error condition below.
Enterprise CA
• Specify Enterprise CA and Root CA
Keys and Cryptography
ISE and ASA support SHA1 with RSA Encryption
CA Name and Validity Period
Default validity period is 5 Years.
Continue…
Finish partial CA roles
Optional: Additional CA Roles
For Single CA Deployment
Administrator account MUST belong to
IIS_IUSRS group!
Continue…
Continue…
Certificate Enrollment Web Services
Administrator account must belong to
IIS_IUSRS group!
Continue…
Complete CA roles Root CA COMPLETE!
• Complete install and Verify!
Appendix: Let’s Build a Subordinate CA
Similar to installing Win2012 Root CA
Install AD Domain Services
Promote SubCA to domain controller and join existing domain.
SubCA Install
Add Certificate Services Role
Install Certificate Authority FIRST over all other services.
SubCA: Certificate Services install
Install remaining 5 certificate services
Configure Certificate Services
Must install CA only first!
SubCA Install
Specify Enterprise CA over Standalone
Specify Subordinate CA
SubCA Install
Name the CA
Request a certificate from the parent CA
SubCA Install
Complete CA install and add more roles
Configure additional role services
Complete SubCA install
• Select RootCA Server Certificate
• All Configured !!!
Back in Win2012-RootCA, see SubCA cert!
Security Cisco Education Offerings

Course | Description | Cisco Certification
Implementing Cisco IOS Network Security (IINS) | Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features | CCNA® Security
Implementing Cisco Edge Network Security Solutions (SENSS) | Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls |
Implementing Cisco Threat Control Solutions (SITCS) | Deploy Cisco’s Next Generation Firewall (NGFW) as well as Web Security, Email Security and Cloud Web Security |
Implementing Cisco Secure Access Solutions (SISAS) | Deploy Cisco’s Identity Services Engine and 802.1X secure network access |
Implementing Cisco Secure Mobility Solutions (SIMOS) | Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions |
Securing Cisco Networks with Threat Detection and Analysis (SCYBER) | Designed for professional security analysts, the course covers essential areas of competency including event monitoring, security event/alarm/traffic analysis, and incident response | Cisco Cybersecurity Specialist
Network Security Product and Solutions Training | For official product training on Cisco’s latest security products, including Adaptive Security Appliances, NGIPS, Advanced Malware Protection, Identity Services Engine, Email and Web Security Appliances see www.cisco.com/go/securitytraining |

For more details, please visit: http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth or contact ask-edu-pm-dcv@cisco.com
Appendix
Certificate Templates
Purpose of Certificate Templates
http://technet.microsoft.com/en-us/library/cc730826(v=ws.10).aspx
• CAs use templates to define format and content of certificates
• Every template has a unique purpose!
• Users and computers can enroll for different types of certificates
• Each template is controlled with an Access Control List to control read/write/enroll/autoenroll
Example Windows Certificate Templates
Certificate Template Versions
• Version 1 – Designed for clients and issuing CAs running Windows 2000 OS.
V1 template properties cannot be modified except assigned permissions that
controls access to the template.
• Version 2 – Introduced in Windows 2003 and beyond. More granular control
and supports certificate autoenrollment.
• Version 3 – Includes version 2 features and support for Suite B cryptographic
algorithms created by the US National Security Agency.
http://technet.microsoft.com/en-us/library/cc725838.aspx
Example: Certificate Template Versions
• Computer template is a V1 template and cannot customize any settings other than permission
• No AutoEnrollment
• Always create a duplicate (V2 template)!!
Example: Certificate Template Versions
• Workstation template is GPO based and offers customized settings (validity period, key length, etc) since it is a V2 template.
• AutoEnrollment support!
Creating User Certificate Template
• Required for deployment. Must duplicate default template!
• Tools > Certificate Authority > Certificate Template(right-click) > Manage
User Template Settings
Default CA=Win2003, Cert recipient=Win XP
User Template Settings
Uncheck private key to be exported!
• 2k sized keys are standard
• Larger keys will have impact on ISE and ASA performance
• Key size larger than 1024 will impact ASA 5505,10,20,40,50 sizing for SSL
Creating User Certificate Template
Issue “VPN User” User Certificate Template
1. Select Certificate Template to Issue
2. Select VPN User template
3. Validate new user template published!
Computer vs Workstation Template?
Which one to use?
• Either one should work
• Simply need to create a duplicate from default to ensure version 2 or higher.
Workstation Template
• Required for Machine Authentication (EAP-TLS)
• Required for EAP Chaining
• Certificate Authority > Certificate Template (right-click) > Manage
• Certificate Template > WorkstationAuthentication (right-click) > Duplicate
Workstation Template
Create a Duplicate Workstation Template
Other tabs, leave as Default.
• Request Handling
• Cryptography
• Key Attestation
• Issuance Requirements
• Server
• Extensions
Workstation Template
• When selecting Windows 2008 R2, 2012, or 2012 R2 Certificate Authority
• More Template Options are available
Workstation Template
Many more template options with Win 8.1
Workstation Template
Default Subject name format=None
Issue “Workstation2” Certificate Template
Remove!!
1. Select Certificate Template to Issue
2. Select Workstation2 template
3. Validate new template published!
Enable AutoEnrollment in GPO (Computer)
ENABLE Both!
Enable AutoEnrollment in GPO (Computer)
Enable AutoEnrollment in GPO (User)
ENABLE Both!
Enable AutoEnrollment in GPO (User)
Verification of User and Machine templates
• Can issue “gpupdate.exe /force” at DOS Command Prompt
• Check C:\Users\<yourname>\mmc for deployed certs
• If no success, check Domain Users/Machine Permissions and GPO!
Appendix:
Windows 2012: OCSP
Detailed Configuration
Creating Your OCSP Responder Template
• Duplicate the default OCSP Response Signing template
OCSP Template Properties
• Add a CA machine account
• Allow account to Enroll
OCSP Certificate Template Created!
OCSP – Certificate Authority Configuration
• Right-Click on SubCA > Properties > Extensions
• Select Extension: Authority Information Access (AIA)
• Click Add to add the URL used for OCSP revocation in your RADIUS server (ISE)
OCSP – CA Configuration
• Select “Include in the OCSP extension”
OCSP Responder Configuration
• Relaunch Online Responder Management, Right-Click, Add Revocation Configuration
ISE OCSP Setup
CRL is only used if OCSP fails
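What the OCSP check configured above actually exchanges, as an added example (not code from the deck, from Cisco or from Microsoft). It assumes only the openssl command-line tool: the issuing CA, two client certificates and the CA's issued-certificate database are constructed in a temporary directory, and openssl plays both the relying party (building and verifying the request, as ISE does against the AIA URL) and the Online Responder (answering from the database, signed with the CA key). One certificate is marked revoked in the database, the other is not, so both answers a RADIUS server can receive are visible.

```shell
# Added example, not from the deck: an offline OCSP exchange with openssl,
# showing the good/revoked status a RADIUS server such as ISE gets back.
# CA, client certificates and the CA database are all CONSTRUCTED here.
set -eu
WORK=$(mktemp -d)

# Constructed issuing CA (stands in for the SubCA on the slide).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj '/CN=Constructed Sub CA' -addext 'basicConstraints=critical,CA:TRUE' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Issue a client certificate with a fixed serial so the database can name it.
issue() {   # $1 = CN, $2 = decimal serial, $3 = output PEM
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial "$2" -days 30 -out "$3" 2>/dev/null
}
issue alice 4097 "$WORK/alice.pem"   # serial 0x1001, revoked below
issue bob   4098 "$WORK/bob.pem"     # serial 0x1002, still valid

# Constructed CA database in the 'openssl ca' index.txt layout (tab separated):
# status  expiry(YYMMDDHHMMSSZ)  revocation-date  serial(hex)  filename  subject
printf 'R\t260101000000Z\t250601120000Z\t1001\tunknown\t/CN=alice\n' >  "$WORK/index.txt"
printf 'V\t260101000000Z\t\t1002\tunknown\t/CN=bob\n'                >> "$WORK/index.txt"

# One status check, the way a relying party performs it:
#  1. build the OCSP request (issuer name hash, issuer key hash, serial)
#  2. let the responder answer it from the database, signed with its key
#  3. verify the response signature against the trusted CA and read the status
ocsp_status() {   # $1 = certificate PEM; prints good, revoked or unknown
    openssl ocsp -issuer "$WORK/ca.pem" -cert "$1" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null 2>&1
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
        -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1
    openssl ocsp -issuer "$WORK/ca.pem" -cert "$1" -no_nonce \
        -respin "$WORK/resp.der" -CAfile "$WORK/ca.pem" 2>/dev/null \
        | awk -F': ' '/: (good|revoked|unknown)$/ { print $2 }'
}

echo "alice: $(ocsp_status "$WORK/alice.pem")"
echo "bob:   $(ocsp_status "$WORK/bob.pem")"
```

The third openssl call is the part that matters for the "CRL is only used if OCSP fails" rule: a response whose signature does not verify against the trusted CA, or that arrives with no status at all, is a failed OCSP check and falls back to the CRL, whereas a verified "revoked" is a definitive answer and no CRL is consulted.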
Appendix: ISE EAP-Chaining Configuration
Identity Source Sequences
Enable EAP Chaining in EAP-FAST Protocol
• Select Policy > Policy Elements > Results > Authentication > Allowed Protocols. Click Add.
Enable EAP Chaining in EAP-FAST Protocol
EAP Chaining Authentication Policy
• Create an EAP Chaining Authentication Policy.
Define EAP Chaining Authorization Compound Expressions
• Policy > Conditions > Authorization Compound Conditions
• Add name “EAPChain_UserPass_MachinePass”
• Outer Tunnel EAP-FAST
  • Expression > Network Access > EapTunnel > Equals > EAP-FAST
• Inner Tunnel Authentication Method (EAP-TLS)
EAP Chaining Results
“UserPass and MachinePass” Authorization Policy
Authorization Rule for EAP Chaining Corp_Asset
• Select > Authorization. Create or duplicate an authorization rule.
Authorization Policy (UserPass, MachinePass)
Allow_All Authorization Policy
• Allow_All policy can just be Access_Accept to eliminate any 3rd party switch compatibility issues.
Installing NAM
EAP Chaining support in AnyConnect 3.1
• Deploy NAM via AnyConnect ISO
• Or, deploy NAM via ASA Headend as part of SSLVPN Group Policy
Configuring NAM (Network Access Module)
Windows Only
• Configuration.xml file: C:\ProgramData\Cisco\Cisco Anyconnect Secure Mobility Client\Network Access Manager\system\configuration.xml
EAP_Chain_MachineTLS_UserTLS
NAM: EAP Chaining Setup
Setup New EAP TLS Configuration
NAM Setup
Saving configuration.xml file
• Save configuration file to newConfigFiles folder!
• On PC system tray, right-click on AnyConnect icon > Network Repair
NAM: Client GUI
YouTube Videos
TECSEC-2053
• Macbook Wireless BYOD, ISE 1.3, https://youtu.be/ZK0AYNxYbc4
• Macbook Wired BYOD, ISE 1.3, https://youtu.be/S7E5GNniFsM
• iPad Roaming between Wireless Controllers, https://youtu.be/2GzvkMSmyU0
• iPad Onboarding and Blacklisting, https://youtu.be/mRaX-g24VFk
• iPad Cert Renewal, ISE 1.3, https://youtu.be/1TgervkQCjY
• FirePower HTTPS Decryption, https://youtu.be/7Fl-qG2DCBU
• Windows 7, Wired EAP Chaining, http://youtu.be/jdOdiF3Pozc