ISE 2.0 Initial Configuration - Creating Certificate Authentication Profiles

In this next post, we are going to create the Certificate Authentication Profiles. This profile is necessary for our authentication methods that we will create in later posts. Since we will be using an EAP certificate-based authentication method in our policy, ISE will compare the certificate received from a client with the one in the server to verify the authenticity of a user or computer. This is considered a much more secure method than the traditional username and password method. 

In the ISE GUI, navigate to Administration>Identity Management>External Identity Management>Certificate Authentication Profile and click Add

You can name the profile a name that makes sense to you. In this lab, I just named it AD_CA_AltName. From the Identity Store drop-down, choose your AD server to tie this certificate template to your Active Directory CA. Make sure the the Certificate Attribute radio button is chosen and from the drop-down box, choose Subject Alternative Name option. This specifies the value of the certificate attribute that ISE must retrieve from LDAP and compare against. On the Match Client Certificate Against Certificate in Identity Store option, I usually keep it at the default which is Only to resolve identity ambiguity

Click Add again and create the following certificate profile which will be for BYOD in later posts: 

After creating the certificate profiles, I start creating the Identity Source Sequences which will be used later for our policies. Navigate to Administration>Identity Management>Identity Source Sequences and click Add. For my lab, I'm going to create an identity source sequence that includes all identity stores:


In order for ISE to issue certificates for BYOD through SCEP, we will now need to configure our SCEP profile. Navigate to Administration>System>Certificates>Certificate Authority>External CA Settings and click Add. In the following page, you will need to provide a name for this profile as well as link to your SCEP server. By default, the URL should be http://CA-ip-address/certsrv/mscep/mscep.dll
Be sure to test the connection on this profile before clicking Submit:


After creating this profile, we will create the certificate template to use this SCEP profile. Navigate to Administration>System>Certificates>Certificate Authority>Certificate Templates and click Add. The name of the template must be the same name of your BYOD certificate template in your Active Directory Certificate Authority. In the case of my lab, I named it BYOD. In the drop-down for SCEP RA profile, use the SCEP profile you just created (SecurityDemoSCEP in my lab) and click Save: