
Cisco 300-715 SISE: Certificate usage option when importing a certificate into ISE

Question

A security administrator is using Cisco ISE to create a BYOD onboarding solution for all employees who use personal devices on the corporate network. The administrator generates a Certificate Signing Request and signs the request using an external Certificate Authority server. Which certificate usage option must be selected when importing the certificate into ISE?

A. RADIUS
B. DTLS
C. Portal
D. Admin

Answer

C. Portal

Explanation

When importing a certificate into Cisco ISE for a BYOD onboarding solution, the certificate usage option that must be selected is C. Portal.

When creating a BYOD (Bring Your Own Device) onboarding solution using Cisco Identity Services Engine (ISE), the security administrator needs to ensure that the ISE can authenticate and authorize the personal devices of employees on the corporate network. The certificate plays a crucial role in this process, as it will be used to establish secure connections between the devices and the ISE.

In this scenario, the security administrator generates a Certificate Signing Request (CSR) and signs the request using an external Certificate Authority (CA) server. When importing the signed certificate into the ISE, the certificate usage option must be set to “Portal” to ensure that it is used for the BYOD onboarding process.

The “Portal” usage option is specifically designed for use with the ISE’s web portals, such as the Guest, BYOD, and MDM portals. By selecting this option, the ISE will use the imported certificate to secure the connections between the devices and the portal, ensuring that the devices can be onboarded securely.

Here’s why:

  1. RADIUS: The RADIUS certificate usage option is used for certificates that are used in RADIUS-based authentication scenarios. It is not directly related to the BYOD onboarding solution and is typically used for other authentication methods such as 802.1X authentication.
  2. DTLS: DTLS (Datagram Transport Layer Security) is a protocol used to provide secure communication between network devices. While DTLS is used within Cisco ISE for specific purposes, such as securing communication between Cisco ISE nodes, it is not directly related to the BYOD onboarding solution or the certificate import process.
  3. Portal: The “Portal” certificate usage option is specifically designed for the BYOD onboarding solution in Cisco ISE. It indicates that the imported certificate will be used for the Cisco ISE portals that users interact with during the onboarding process. The portals include the Captive Portal, Sponsor Portal, and My Devices Portal, among others. Selecting the “Portal” certificate usage option ensures that the imported certificate is appropriately applied to the relevant portals used in the BYOD onboarding process.
  4. Admin: The “Admin” certificate usage option is used for certificates associated with the administrative interfaces and services of Cisco ISE. It is not directly related to the BYOD onboarding solution.

The other options are not correct because:

  • A. RADIUS: This is a certificate usage option that means ISE uses the certificate for RADIUS authentication or encryption. RADIUS stands for Remote Authentication Dial-In User Service and it is a protocol that provides centralized AAA services for network access. This option is not required for BYOD onboarding because ISE does not use RADIUS for web portal authentication or encryption.
  • B. DTLS: This is a certificate usage option that means ISE uses the certificate for DTLS authentication or encryption. DTLS stands for Datagram Transport Layer Security, a protocol that provides secure communication between network devices. This option is not required for BYOD onboarding because ISE does not use DTLS for web portal authentication or encryption.
  • D. Admin: This is a certificate usage option that means ISE uses the certificate for admin authentication or encryption. Admin certificates are used to secure communication between ISE nodes in a distributed deployment or between ISE and external systems such as Active Directory or LDAP servers. This option is not required for BYOD onboarding because ISE does not use admin certificates for web portal authentication or encryption.

In conclusion, when implementing a BYOD onboarding solution using Cisco ISE, it is crucial to select the “Portal” certificate usage option to ensure the security and integrity of the onboarding portal and its communications with end-user devices.
