Server 2012 Configuration - Certificate Templates

Certificate Templates will play a big role in ISE and pxGrid integration in our lab and most likely in any production rollout of ISE. ISE has supported being it's own Certificate Authority since ISE version 1.3 but in most production instances, that will be used for BYOD - not for corporate computers. In later blog posts, I will go through a lot of these same steps using the ISE CA but I'd rather cover what's going to be used in the majority of implementations first.

So why are certificates so important? The first things that come to mind is certificate authentication with dot1x. User certificates, computer certificates, or both can be used to authenticate to ISE and allow access to the network. You can also have BYOD certificate templates which are issued via SCEP in ISE to provide access to mobile devices and other BYOD machines that are not part of your Active Directory domain and you would like them to connect to the network without a splash page after the initial enrollment. The pxGrid certificates will be used to authenticate and establish secure communication between your ISE nodes on your network and pxGrid clients whether they be Cisco products or a third-party vendor.

If you're unfamiliar with pxGrid, It's a pretty cool concept. Instead of having to create single-purpose platform-specific APIs to send information between ISE and other products, Cisco developed a created a unified framework for other vendors to use to share context and information bidirectionally. An example of this is say you have Product 1 that has an AD Agent and can map usernames to IP addresses - like your average firewall. While this is great for identifying users, it really doesn't get very specific on where they are accessing the network from, what kind of device, what policy is being applied, SGT, etc. Also, what if they're signing onto the network without a AD account? This would be the case with a sponsor account created through ISE. With pxGrid, the firewall would be able to get granular contextual information from ISE that you otherwise wouldn't see in Active Directory such as their location, what kind of device, their authorization policy, security group tags that are assigned (if any), etc.

In some cases, this firewall could take it a step further and use this pxGrid communicate to mitigate an incident on the network. A good example of this is if you have a client download malware and at the time of download, the firewall could not issue a disposition on that file and allowed the client to download it. After some time, the firewall might discover that file was malware and while it can now block future downloads of that file, it still initially got past the firewall in the first place and there's a patient zero somewhere on your network. With pxGrid mitigation, that firewall could send a message to ISE to blacklist that device from the network until the IT or Security team has a chance to clean the device. That would allow you to create dynamic and automated security based on a condition or vulnerability.

If you're interested, here are some links:

There's a public list of pxGrid Ecosystem partners which you can view here if you're interested:
http://www.cisco.com/c/en/us/products/security/partner-ecosystem.html
Here's a good little one pager as well on pxGrid:
http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at_a_glance_c45-728420.pdf
For you programmers out there, Cisco also has the pxGrid SDK on DevNet:
https://developer.cisco.com/site/pxgrid/

I'm going to walk you through the configuration of the certificate templates. Go to your Start menu and open Certification Authority. On this MMC, highlight the Certificate Templates folder and right-click. Choose Manage

The Certificate Template Console window will open. Highlight the User certificate template first and right-click on it. Choose Duplicate Template.

On the duplicated template, click on the General tab and create a logical name for this template. For me, I was going to be pushing this User certificate down through my group policy so it's aptly named GPO-USER for me

On the Request Handling tab, uncheck the Allow private key to be exported box. There is no reason for this certificate that we need to be allowing the private key to be exported.

On the Extensions tab, highlight the Application Policies and click Edit. Add the Server Authentication policy to the Application Policies

On the Security tab, highlight Domain Users and check the Allow boxes for Read, Enroll, and Autoenroll. This will be important later when we push this through our Group Policy to auto-enroll the user when they sign on our network.

If you want to exclude e-mail addresses from this Certificate template, I would advise going to the Subject Name tab and unchecking email. If not, your certificate will not issue for the user if the user does not have an email address specified in Active Directory.

Click Ok to close this window and save the template.

Next, we will create our computer certificate template. Highlight the Workstation Authentication template and duplicate it just like you did for the User template. On the General tab, choose a good name for this template. For me, I chose GPO-Computer since this will be the Computer certificate template I will be using with my Group Policy.

Under the Extensions tab for this template, highlight Application Policies and click Edit. Click Add and choose Server Authentication like we did for the User certificate template:

On the Security tab, highlight Domain Computers and check the Allow boxes for Read, Enroll, and Autoenroll

On the Subject Name tab, check the User Principle Name (UPN) box and under Subject Name Format, change it to Fully distinguished name:

Click Ok to close this window and save your certificate template.

Next, we will configure our pxGrid certificate template. Highlight the previously created GPO-User template and duplicate this template. On the General tab, name this template Pxgrid.

On the Security tab, highlight Domain Users and be sure to uncheck autoenroll since we don't want this template to be issued through our Group Policy at any point.

On the Extensions tab, edit the Application Policies like we have in previous steps and remove everything except Client Authentication and Server Authentication. These are the critical extensions needed for the pxGrid certificates:

On the Subject Name tab, choose the radio button for Supply in the request

Click Ok to close the window and save the certificate template.

Highlight the User template and duplicate it again. This time we're going to name it BYOD.

Under the Subject Name tab, change it to the radios button of Supply in the request:

On the Security tab, make sure that the Administrator account has access to enroll, read and write the certificate:

Click Ok to close the window and save the template.

Close the Certificate Templates Console window. On the Certification Authority window, highlight the Certificate Templates folder and right-click. Choose New>Certificate Template to Issue and in the pop-up, highlight the templates you just created and click Ok. This will publish the new templates to the Certificate Authority and make them usable

At this point, you should be able to close out the Certification Authority Window. You've now created your BYOD, User, Computer and Pxgrid templates for use and published them in your CA.

For the BYOD certificate, that will be published in the future through SCEP in my lab so there are some additional steps we would need to take in order to get that ready. Go to your Start menu and type in regedit to edit the registry.

In the registry tree, navigate to HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Cryptography>MSCEP

We will want to make sure that we change the following data values for the following to BYOD:
EncryptionTemplate
GeneralPurposeTemplate
SignatureTemplate