Simply put: How does certificate-based authentication work?

Let's take some time and review how certificate-based authentications actually work.
Submitted by Aaron Woland on Mon, 03/10/14 - 11:07am.

I find a few universal truths when mentioning certificates to people. Almost without fail, most people I speak with consider them to be a very secure concept. However, the moment I mention that I want to talk about certificates, that person’s face turns a slightly lighter shade, their eyes get a bit wider, and an immediate fight-or-flight instinct kicks in.

I can tell you that this is a subject that does not have to be scary; there are just a few misunderstandings. One example of a common misunderstanding:

A primer on support for 'Realm Stripping'

A primer on Realm Stripping, a particularly useful concept in the university space.
Submitted by Aaron Woland on Mon, 01/27/14 - 3:14pm.

I am often asked about support for “Realm Stripping,” albeit mostly by those in the university space. It’s an interesting concept, certainly. The idea is that someone will issue an identity that includes some “routing” information within the identity. For example, a user may issue a username of: From that username, the RADIUS server should be able to strip out the username “johndoe” and use the “” to specify the identity store to query for the username and password.

Using the DogTag CA with ISE 1.2

A breakdown of the DogTag CA with Cisco's Identity Services Engine 1.2 and newer.
Submitted by Aaron Woland on Wed, 08/14/13 - 11:33am.

Dog Tag is an Enterprise-class open source Certificate Authority that Red Hat purchased from AOL back in 2004. Red Hat opened it up to the open source community in 2008. Dog Tag supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management, and much more.

Most importantly, it is an available CA that has been tested for use with Cisco’s BYOD solution using Cisco’s Identity Services Engine 1.2 & newer.

Note: There is also an Enterprise level version of DogTag known as the Red Hat Certificate System.

Using VNC for Console Access to ISE (and other) VM's

VMware had the foresight to build VNC into the ESX server; it just didn't make it obvious how to enable it. That's (hopefully) where I come in.
Submitted by Aaron Woland on Tue, 08/06/13 - 9:44am.

A little less than half of all Identity Services Engine installations are on VMware. Yes, it’s true. About 45% of all ISE nodes deployed in this world are virtual. What I don’t know is how many are in production and how many are in a lab.

What are WildCard Certificates, and how do I use them with Cisco's ISE?

A breakdown of WildCard certificates.
Submitted by Aaron Woland on Wed, 07/24/13 - 1:53pm.

A wildcard certificate is one that uses a wildcard notation (an asterisk and period before the domain name) and allows the certificate to be shared across multiple hosts in an organization. An example CN value for a wildcard certificate’s Subject Name would look like the following: *.company.local

If you configure a wildcard certificate to use *.company.local, that same certificate may be used to secure any host whose DNS name ends in “.company.local”, such as:

Security Group Tagging Basics

An overview of security group tagging.
Submitted by Aaron Woland on Wed, 06/19/13 - 2:09pm.

In my last blog (which admittedly was a bit long and verbose) I discussed the changing landscape of Identity Networking. With Identity Networking there are many different ways of controlling network access based on the context of a user and device. There is:

Changing the landscape of identity networking

A rundown of the phases of identity networking (as seen by an overworked identity nut like me).
Submitted by Aaron Woland on Mon, 06/03/13 - 3:07pm.

I was asked to travel to the 2013 InfoSec security conference in Europe this year, and speak about the trends I am seeing in the identity networking game, and possibly speculate on the future of identity in networking as I see it. So I thought to myself: “what a great blog post this could make.”

The Phases of Identity Networking (as seen by an overworked identity nut like me):

How to hack the certificate for a Cisco Identity Services Engine node

A guide to hacking and customizing certificates for Cisco Identity Services Engine.
Submitted by Aaron Woland on Tue, 02/19/13 - 2:02pm.

I just got back from a few weeks traveling around Europe, presenting at Cisco Live Europe, and meeting with customers and partners. It is obvious that this blog is very much needed for a lot of the deployments that we discussed, so as promised in the Load Balancing Blog, I am following up with a blog on how to "hack" the certificate for a Cisco Identity Services Engine (ISE) node, so that we may include entries in the Subject Alternative Name (SAN) field.

Why do we need to do this?

Which EAP types do you need for which identity projects?

A primer on the different EAP types and which are applicable for different identity projects.
Submitted by Aaron Woland on Wed, 12/12/12 - 11:19am.

The more interaction I have with customers who are getting started with Identity projects, the more I realize that a simple explanation and comparison of the differences between EAP types is needed.

How to properly use a load balancer in Cisco's Identity Services Engine

Here are some guidelines for one of the most common problems among those running Cisco's Identity Services Engine.
Submitted by Aaron Woland on Wed, 11/07/12 - 10:56am.

So, this is my first blog post on here. Hope it goes well.

One of the most commonly asked questions of late is how to properly use a load balancer with Cisco's Identity Services Engine. Here are some basic guidelines to use when configuring a load balancer for the ISE Policy Services Nodes (PSNs).
