topic Re: ISE authentication question for global uses in Network Access Control

ISE authentication question for global uses

BrianPersaud — Wed, 27 Nov 2019 19:17:36 GMT

Hi All

We have multiple standalone ISE instances and WLC's worldwide. Users travel between sites.

I want to do a SSID with the same name at all sites that has the same setting for computer authentication that would allow computers in the Domain Computers AD group to be allowed on the internal LAN.

The issue I face presently is that each ISE instance has their own certificate. So users would have to "forget the network" and reconnect to the SSID when they travel to a different location.

What would be the best approach to accomplish this?

Currently on ISE 2.4 Patch 10 and AIROS 8.5

Thanks

Brian

Re: ISE authentication question for global uses

jj27 — Wed, 27 Nov 2019 19:33:56 GMT

What PKI is being used to sign the EAP certificate?

If you are using the same PKI to sign the EAP certificate for the nodes worldwide, you can simply export the EAP certificate with private key from one node and then import into the other nodes and check the box to utilize it for the EAP role. It is a common practice to use the same EAP certificate on multiple PSNs for this very reason.

Re: ISE authentication question for global uses

BrianPersaud — Wed, 27 Nov 2019 20:25:36 GMT

Hi We use a Windows CA to sign the certs. Got a question about the process. Every ISE node has a different hostname. Ex mine is torontoise.domain.local and another may be montrealise.domain.local. I know when generating a certificate, the FQDN has to be in the CN. Can I export this torontoise.domain.local cert and use it in the montreal ISE for EAP authentication?

Thanks

Re: ISE authentication question for global uses

Colby LeMaire — Wed, 27 Nov 2019 20:52:28 GMT

Issue the certificate using one of the ISE node's as the Subject/CN and then put each other ISE node's FQDN in the SAN field of the certificate. Then you can install and use the certificate for EAP authentication on all of your ISE nodes. If the FQDN of the node that is doing the authentication isn't located somewhere within the certificate (i.e. SAN field), then the client will not trust it.

Re: ISE authentication question for global uses

BrianPersaud — Thu, 28 Nov 2019 18:05:23 GMT

Thanks for the detailed explanation @Colby LeMaire . Just out of curosity, taking into account that ISE is on .local, would it be possible to use a .com public wildcard certificate as an option for the EAP authentication? Or will it definitely need the .local?

Re: ISE authentication question for global uses

Colby LeMaire — Thu, 28 Nov 2019 22:21:42 GMT

Think about it from the perspective of the client side. ISE is presenting a certificate and the client must verify that the certificate is valid and trusted. To do this, the client side checks the following things:

- Is the certificate valid or expired? Each certificate has a validity period. The current date/time must be within the valid dates of the certificate.

- Was the certificate issued by a CA that the client already trusts, such as Verisign? This is based on the client's Certificate Trust List which can be viewed through browser settings.

- Does the certificate belong to the website or server being visited? The client looks at the FQDN or IP address being visited and verifies that the Subject (CN) matches or that one of the Subject Alternative Name (SAN) fields match.

With that said, if your certificate is issued to "ise.corp.com" but the ISE server's real FQDN in DNS is "ise.corp.local", then the client will see them as different and won't trust it. You could manipulate DNS to resolve "ise.corp.com" to the server's IP address. But ISE may not allow you to install the certificate unless its FQDN is in the certificate somewhere.