topic cisco ise in Network Access Control

cisco ise

wyfy-2015 — Mon, 11 Mar 2019 06:38:45 GMT

Hi,

I am using an evaluation of cisco ise 2.0 . I have two ssid .One using EAP-PEAP , another using EAP-TLS authentication and i have local microft CA. So how can i do the certificate process in ISE

Thanks

I would recommend starting

nspasov — Tue, 05 Apr 2016 23:28:03 GMT

I would recommend starting with these two things:

Lab Minutes video on EAP-TLS:

http://www.labminutes.com/sec0186_ise_13_wireless_dot1x_eap-tls_peap_1

EAP-TLS Deployment Guide (Cisco):

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml

ISE Design Guides:

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

I hope this helps!

Thank you for rating helpful posts!

Nobody expects the Spanish

Marvin Rhoads — Wed, 06 Apr 2016 01:50:55 GMT

Nobody expects the Spanish Inquisition!

https://www.youtube.com/watch?v=7WJXHY2OXGE

(Mentioned two things then listed three. 🙂 )

Hi,

wyfy-2015 — Wed, 06 Apr 2016 03:43:41 GMT

Hi,

Thank you Neno and Marvin . Here is another scenario. My inside domain is test.local .So the fqdn is like ise01.test.local and ise02.test.local . For the guest portal , if i want to use an external CA .( I' ll create another A record in zone test.com,ise01.test.com) .

So how can i use ise01.test.com for guest portal instead of ise01.test.local

And in this do i need to import both certificate (local and external)?

Please help

Thanks

Ha ha, good catch Marvin! :)

nspasov — Wed, 06 Apr 2016 16:23:43 GMT

Ha ha, good catch Marvin! 🙂

I have faced this issue

nspasov — Wed, 06 Apr 2016 16:56:23 GMT

I have faced this issue before and it can be done. The important thing to remember is that the domain that ISE is joined to (For groups and users querying) can be different than the domain defined in the CLI. So, you will need to:

1. Change the domain name in CLI from test.local to test.com

2. Change the FQDN in CLI to match your external DNS record

3. Make the necessary DNS entries so the FQDN of ISE can be resolved to ise01.test.com

Also, in the future, never use .local domain 🙂 Perhaps .net instead 🙂

I hope this helps!

Thank you for rating helpful posts!

Hi Neno

wyfy-2015 — Wed, 06 Apr 2016 21:23:44 GMT

Hi Neno

Thanks a million .

After changing the domain name from .local to .com , still i will be able to pull the groups and users from the .local domain .( for us test.com is just a zone in dns ) .

After changing the fqdn ("ip host a.b.c.d sales sales.amer.xyz.com" ) I can create certificate for ise-01.test.com (multiuse) or

create certificate for portal( ise-01.test.com ) ,eap-tls and keep the self signed certificate ?

Now both ise are in a group , after importing new certificate register the node again ?

---------------------------------------------------------------------------------------------------------------

I have another problem . (at present for guest portal i am using ip address instead of fqdn) . When people are accessing guest portal from the laptops the pages taking ages to load

I did tcpdump on ise , i can find a lot of RST Flags

below is the sample trace

1851 15.364956 10.0.109.24 192.168.10.40 TCP 60 51978 → 8443 [RST, ACK] Seq=162 Ack=932 Win=0 Len=0

Thanks again

Hmm, I am not sure about this

nspasov — Fri, 08 Apr 2016 06:17:16 GMT

Hmm, I am not sure about this. Question though: Why use IP address vs DNS with FQDN entry?

Thank you for rating helpful posts!

Hi,

wyfy-2015 — Fri, 08 Apr 2016 22:04:13 GMT

Hi,

Instead of fqdn on the guest portal i used static ip .Thats what i mean

sorry for the confusion

Thanks