Well, as many of you already know, there are several types of authentication protocols; what all of them have in common is the Extensible Authentication Protocol (EAP) framework. They differ in the level of security they provide and in what you need to present to authenticate: a username and password, a certificate, a token, or even a SIM card. The complexity of deploying and maintaining each of them also differs. I will post an entire section on wireless security, but for now we can focus on EAP-TLS, which is one of the most widely implemented.
Cisco ISE is an AAA server, and probably more than that today: ISE is capable of profiling, posture validation and BYOD, among other nice and fancy things.
When a company decides to provide a BYOD network to employees, they are pretty much allowing them to bring any kind of device, like a phone, tablet or laptop, onto the internal network. Those devices do not belong to the domain and cannot be managed or controlled; ISE brings to the table a solution for this scenario.
There is a feature known as On-boarding: basically, you create policies to identify whether the device trying to connect to the BYOD network is iOS, Windows, Android or macOS, and then a configuration is applied with all the details needed to securely connect to the network. When I say securely, I mean a wireless profile is installed on the device with settings like WPA2, PEAP or EAP-TLS and the SSID; this profile is known as the Native Supplicant Provisioning profile.
Most of the companies I've seen and worked with preferred to use EAP-TLS for these on-boarded devices. As you already know, EAP-TLS requires certificates on both the server (ISE) and the client side (device). There are several reasons for using EAP-TLS: one of them is that you are not only providing your user/pass to get into the network, you also need to have a certificate installed on your device; another is that if your device is stolen, you can revoke that certificate.
Unfortunately, most of the deployments I've seen do not have a strategy when it comes to renewing those certificates. It is easy to renew the certificates for ISE itself, but what about those thousands of devices with certificates about to expire? Remember we are talking about BYOD devices, non-domain devices, basically devices that can't be managed with a GPO.
The Cisco ISE certificate dictionary contains the following attributes, which are used in policy conditions to allow a user to renew the certificate:
Days to Expiry: This attribute provides the number of days for which the certificate is valid. You can use this attribute to create a condition that can be used in authorization policy. This attribute can take a value from 0 to 15. A value of 0 indicates that the certificate has already expired. A value of 1 indicates that the certificate has less than 1 day before it expires.
Is Expired: This Boolean attribute indicates whether a certificate has expired or not. If you want to allow certificate renewal only when the certificate is near expiry and not after it has expired, use this attribute in authorization policy condition.
Additionally, you can use the CertRenewalRequired simple condition (available by default) in authorization policy to ensure that a certificate (expired or about to expire) is renewed before Cisco ISE processes the request further.
I tested all three and found the last one most effective. Here are some screenshots of my tests. In this lab I used ISE 2.0 and a CT2504 running version 18.104.22.168.
The authorization profile is basically the same CWA policy used to on-board devices; just make sure "Display Certificate Renewal Message" is checked.
I put on-boarded or registered devices into an Identity Group called "BYOD" and called the "CertRenewalRequired" condition; as a result, the device is redirected to the CWA for the renewal process. The way I tested this: I changed the ISE Internal CA to issue certificates valid for 1 day, so I could hit the renewal policy.
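To make the certificate-dictionary attributes and the BYOD renewal policy above concrete, here is an added Python model (my own illustration, not Cisco ISE code): it derives Days to Expiry, Is Expired and CertRenewalRequired from a certificate's notAfter date and runs them through a first-match authorization table. The 0..15 range follows the description above; the "about to expire" window, the rule names and the authorization profile names (CWA_CertRenewal, CWA_Onboarding) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import math

# Assumptions, not Cisco's code: the 0..15 range comes from the attribute
# description above; the "about to expire" window behind CertRenewalRequired
# is not stated on the page, so it is a tunable constant here.
MAX_DAYS_TO_EXPIRY = 15
RENEW_WINDOW_DAYS = 7


@dataclass
class CertAttributes:
    days_to_expiry: int  # 0 = expired, 1 = under one day left, capped at 15
    is_expired: bool
    cert_renewal_required: bool


def cert_attributes(not_after: datetime, now: datetime,
                    renew_within_days: int = RENEW_WINDOW_DAYS) -> CertAttributes:
    remaining = not_after - now
    if remaining <= timedelta(0):
        days = 0
    else:  # "1" means under one full day left, so round up, then clamp to 15
        days = min(math.ceil(remaining / timedelta(days=1)), MAX_DAYS_TO_EXPIRY)
    expired = days == 0
    return CertAttributes(days, expired, expired or days <= renew_within_days)


# First-match authorization rules modelled on the BYOD setup above; the
# authorization profile names are hypothetical placeholders.
RULES = [
    # Expired cert: no renewal offered, the device must go through on-boarding
    ("BYOD_Expired", lambda g, a: g == "BYOD" and a.is_expired, "CWA_Onboarding"),
    # Near expiry: redirect to the CWA portal that shows the renewal message
    ("BYOD_Renewal", lambda g, a: g == "BYOD" and a.cert_renewal_required, "CWA_CertRenewal"),
    ("BYOD_Access", lambda g, a: g == "BYOD", "PermitAccess"),
]


def authorize(identity_group: str, attrs: CertAttributes) -> str:
    for _name, condition, profile in RULES:
        if condition(identity_group, attrs):
            return profile
    return "DenyAccess"  # implicit default rule


def evaluate(identity_group: str, not_after_iso: str, now_iso: str):
    """Derive the certificate attributes, then return (profile, attributes)."""
    attrs = cert_attributes(datetime.fromisoformat(not_after_iso),
                            datetime.fromisoformat(now_iso))
    return authorize(identity_group, attrs), attrs
```

A device in the BYOD group with twelve hours left on its certificate lands on the renewal rule, while one whose certificate has already expired is sent back to on-boarding, matching the Is Expired guidance above.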
Hitting the Policy
Here you can see when I hit the policy because the certificate was about to expire.
Certificate Renewal for my iPad
And finally my device is redirected to the CWA to get a new certificate.
I hope this has been helpful and informative for you, thank you for reading!