topic ISE 1.2 and WildCard Cert in Network Access Control

ISE 1.2 and WildCard Cert

eric.lessard — Mon, 11 Mar 2019 03:53:00 GMT

hello,

i"ve found a great post from Aaron Woland about how to make/install/use Wildcard certificate.

http://www.networkworld.com/community/blog/what-are-wildcard-certificates-and-how-do-i-use-them-ciscos-ise

but there is something that was not answered by his post.

Can i use WildCard cert to register node to an ISE deployement? Aka adding a Monitor only node to a admin only node

create CSR, receiving Cert from CA, adding CA root, binding cert to CA root then exporting key, then importin on Mon node then try to register mon node? my first test didnt go well.

Any input would be appreciated

ISE 1.2 and WildCard Cert

Saurav Lodh — Wed, 11 Sep 2013 07:24:47 GMT

new ISE 1.2 does support Wildcard cert server. Please refer to below discussion as well

https://supportforums.cisco.com/thread/2233071

ISE 1.2 and WildCard Cert

Ravi Singh — Wed, 11 Sep 2013 17:39:32 GMT

A wildcard certificate uses a wildcard notation (an asterisk and period before the domain name) and allows the certificate to be shared across multiple hosts in an organization. ISE 1.2 support the use of wildcard certificate. For more information over configuration you can see the below link

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html#wp1171325

ISE 1.2 and WildCard Cert

blenka — Thu, 19 Sep 2013 00:20:47 GMT

No you should not be able to register the node in ISE by wildcard certi, because for my knowledge certificates are used for secure the link between node and the ISE device or network.

Re: ISE 1.2 and WildCard Cert

Tarik Admani — Thu, 19 Sep 2013 05:13:42 GMT

Basant,

I agree with what you are saying but it seems that your statement contradicts the write up on the Cisco user guide for 1.2, there are no limitations and one of the benefits stated by the doc is that you can use wildcard certs as a cost saving measure which will allow you to install the cert on all ISE nodes.

I do have a corporate wildcard certificate and I will attempt to register two nodes together and see what the result is.

Also the true benefit of a wildcard cert is where the CN is *.domain.com, you should not have to generate a CSR where the CN=iseblah.domain.com with a SAN of *.domain.com, I do not think that is a cost effective wildcard cert since the CN has the fqdn of the ISE node.

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html

Tarik Admani
*Please rate helpful posts*

ISE 1.2 and WildCard Cert

bberry — Tue, 18 Feb 2014 22:26:03 GMT

Hello all,

I am in the process of a new ISE deployment and have come across an isue with the wildcard cert and generating the CSR. I have also spoken with TAC and the are telling me the same thing I am reading in the Cisco DOC so am missing somethng somewhere.

I am being told that ISE REQUIRED a FQDN for the CN and then you place the wildcard in teh SAN. So far two different CA providers are tellng me I cannot generate a wild card certificate this way. How has anyone else gotten this to work. When I pressed TAC I was told it would probably work with the CN containing the wildcard but there have been reported issues specifically with microsoft clients. Considering the cost of the cert is several hundred dollars I do not want to be wrong.

Brent

Hi Tarik, Did you have any

Nick Lavender — Tue, 27 Oct 2015 18:35:29 GMT

Hi Tarik,

Did you have any luck with this?

I've got a customer with ISE 1.2.198 and has provided me with a wildcard cert which has the following details:

CN=*.abc.local

SAN=DNS Name ise1.abc.local

SAN=DNS Name ise2.abc.local

SAN=Another 15 or so DNS entries.

Customer is using AD EAP-PEAP(MSCHAPv2) authentication.

Is it possible to simply bind this to each of the ISE nodes (2) as appose to the standard CSR and separate cert for each?

TIA,

Nick