Cisco Identity Services Engine 1.3 Information Guide

Cisco Identity Services Engine Network Component Compatibility, Release 1.3
 
Requirements for CA to Interoperate with Cisco ISE
When using a CA server with Cisco ISE, make sure that the following requirements are met:
• Key size should be 1024, 2048, or higher. On the CA server, the key size is defined using the certificate template. You can define the key size on Cisco ISE using the supplicant profile.
• The key usage extension should allow signing and encryption.
• When using GetCACapabilities through the SCEP protocol, the cryptography algorithm and request hash should be supported. It is recommended to use RSA + SHA1.
• Online Certificate Status Protocol (OCSP) is supported. This is not directly used in BYOD, but a CA that can act as an OCSP server can be used for certificate revocation.
Note: EJBCA 4.x is not supported by Cisco ISE for proxy SCEP. EJBCA is supported by Cisco ISE for standard EAP authentication such as PEAP, EAP-TLS, and so on.
Client Certificate Requirements for Certificate-Based Authentication
For certificate-based authentication with Cisco ISE, the client certificate should meet the following requirements:
• Supported Cryptographic Algorithms: RSA
• Supported Key Sizes: 1024, 2048, or 4096 bits
• Supported Secure Hash Algorithms (SHA): SHA-1 and SHA-2 (includes SHA-256)
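A pre-deployment check of a client certificate against the three requirements listed above, as an added example that is not part of the Cisco documentation. It reads the text printed by `openssl x509 -noout -text`; the function name, the sample excerpts, treating the key-size list as exhaustive, and reading "SHA-2" as SHA-224/256/384/512 are all assumptions of this example.

```python
import re

# Client-certificate requirements as listed on this page (Cisco ISE 1.3).
ALLOWED_KEY_BITS = {1024, 2048, 4096}
# Assumption: "SHA-2" covers the SHA-224/256/384/512 variants.
ALLOWED_HASHES = {"sha1", "sha224", "sha256", "sha384", "sha512"}


def check_client_cert(x509_text):
    """Check `openssl x509 -noout -text` output against the three listed
    requirements. Returns a list of violations (empty list = compliant)."""
    problems = []

    alg = re.search(r"Public Key Algorithm:\s*(\S+)", x509_text)
    alg_name = alg.group(1) if alg else "missing"
    if alg_name != "rsaEncryption":
        problems.append("key algorithm %s is not RSA" % alg_name)

    # Printed as "Public-Key: (N bit)" or "RSA Public-Key: (N bit)".
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", x509_text)
    size = int(bits.group(1)) if bits else 0
    if size not in ALLOWED_KEY_BITS:
        problems.append("key size %d is not 1024, 2048 or 4096" % size)

    # The first "Signature Algorithm" line names the hash used by the issuer.
    sig = re.search(r"Signature Algorithm:\s*(\S+)", x509_text)
    sig_name = sig.group(1) if sig else "missing"
    digest = re.match(r"(sha\d+)WithRSAEncryption$", sig_name)
    if not digest or digest.group(1) not in ALLOWED_HASHES:
        problems.append("signature algorithm %s is not RSA with SHA-1/SHA-2" % sig_name)

    return problems


# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
GOOD = """
    Signature Algorithm: sha256WithRSAEncryption
    Subject: CN = byod-client.example.test
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
"""
ODD_SIZE_MD5 = GOOD.replace("sha256", "md5").replace("2048", "3072")
EC_KEY = """
    Signature Algorithm: ecdsa-with-SHA256
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (256 bit)
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("odd", ODD_SIZE_MD5), ("ec", EC_KEY)):
        print(name, check_client_cert(text) or "OK")
```

The 3072-bit sample is flagged because that size is not in the list above, even though it is a common RSA key length.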
Documentation Updates
5. While configuring the wireless properties for the connection (Security > Auth Method > Settings > Validate Server Certificate), either uncheck the valid server certificate option or, if you check this option, ensure that you select the correct root certificate.
6. If you are using Mac OS X clients with Java 7, you cannot download the SPWs using the Google Chrome browser. Java 7 runs only on 64-bit browsers and Chrome is a 32-bit browser. It is recommended to use either previous versions of Java or other browsers while downloading the SPWs.
Table 10: Cisco Identity Services Engine Network Component Compatibility Documentation Updates

Date          Update Description
11/26/2014    Cisco Identity Services Engine, Release 1.3