topic Re: Best practices around certificate usage with pxGrid in Network Access Control

Best practices around certificate usage with pxGrid

andrew333 — Fri, 19 Apr 2019 14:12:56 GMT

We are integrating ISE with DNA-C, a Rockwell IoT controller and possibly some other systems for a customer that is using a wildcard SAN certificate from DigiCert for Admin, EAP and portals. What is the best path for pxGrid certificates, in this case as the customer would prefer to avoid using an internal CA? Ideally I'd like to bounce some ideas around with someone like John Eppich.

Many thanks.

Andrew

Re: Best practices around certificate usage with pxGrid

paul — Fri, 19 Apr 2019 15:07:26 GMT

They want to avoid using the ISE internal CA for pxGrid? While you can use other CAs for pxGrid I wouldn't recommend it. You are just making the whole administration of pxGrid and pxGrid clients more difficult. pxGrid certificates are used for authenticating access to pxGrid. pxGrid is only internal facing so I am not sure why they would want to another CA.

Also if the wildcard cert has the wildcard in the Common Name field you will probably have 802.1x issues with some clients. I typically don't use wildcard certs for EAP authentication use case, but if the wildcard is in the SAN field it should be okay.

Re: Best practices around certificate usage with pxGrid

kthiruve — Tue, 23 Apr 2019 02:47:58 GMT

Not sure if you still have issues. ISE and DNAC integration guide explains it all.

Here are the certificate requirement for ISE and DNAC to talk to each other

* The ISE CLI and GUI user accountsmust use the same username and password. * The ISE admin node certificate must contain the ISE IPaddressor fully-qualified domainname(FQDN)in either the certificate subjectname or the SAN.

* The DNA Center system certificate must contain the DNA Center appliance IP or FQDNin either the certificate subjectname or the SAN.

Not sure what version of DNAC and ISE you are using.

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-1/install/b_dnac_install_1_1_0P2/b_dnac_install_1_1_0P2_chapter_010.pdf

DNAC and ISE talks to each other using few different ways( SSH, PxGrid, APIs).

So it is not a typical PxGrid peer like others. This is to keep in mind. Please make sure your NTP is synced and DNS works for the integration.

-Krishnan

Re: Best practices around certificate usage with pxGrid

andrew333 — Fri, 26 Apr 2019 13:49:55 GMT

Paul,

Thanks for the response, appreciated as always.

I thought that the certificates used for ISE, DNAC, IoT controller, etc. all had to be issued by the same CA chain and as I understand it DNAC only supports one certificate, so I didn't want to issue it (or for the other systems) from ISE and have problems down the line. The customer wanted to avoid spinning up an internal CA which is the way I've done successful pxGrid integrations before. It looks from Krishnan's response and the DNAC documentation that my assumption was incorrect (and the ISE documentation provides no guidance that I can find!), so I can just use a self-signed cert in ISE, other certs issued to DNAC, IoT, etc. and mutually exchange them.

Cheers,

Andrew

Re: Best practices around certificate usage with pxGrid

rkhan786 — Thu, 09 Apr 2020 23:23:10 GMT

So the self-sign cert in DNAC cannot be used?

Current cert name: CN=kong

Issuer: CN=kube-ca

Authority: Self signed

Expire: xx-yy-zzzz

Re: Best practices around certificate usage with pxGrid

Aileron88 — Mon, 18 May 2020 15:35:41 GMT

It can be used as long as the node IP addresses are in the SAN field.

Thanks