topic Re: 3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices in Network Access Control

3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

mitchp75 — Wed, 31 Oct 2018 21:36:05 GMT

I'm looking for a best practice process for replacing an expiring 3rd party certificate used for Admin/EAP. I inherited a six node deployment and each node has the same Certificate for both roles imported, do all nodes need to have the same Cert for both roles? It seems like the Admin/MnT nodes would only need to have an Admin Cert and the PSN's need both or one?

Also is this still the process: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200295-Install-a-3rd-party-CA-certificate-in-IS.html

If only one Certificate is used and imported on each node to replace the existing one, is there a document that shows that replacement process or is the install document the best available?

Thank you!!

Re: 3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

Arne Bier — Wed, 31 Oct 2018 22:07:33 GMT

I have seen this question a few times and it would be nice to have a clear and concise document on CCO for easy access. For what it's worth I'll give you my experience and I would like to hear from other's too.

You're right - the EAP cert is only needed on those nodes (PSN's) that are used for 802.1X - you may have some PSN's that are doing TACACS only - in that case of course you don't need the EAP cert. Install only where needed. BUT - and here is my personal take on this. EVERY node needs a cert of EVERY role, whether it's used or not. ISE does not let you build a node that doesn't have a cert of each kind, albeit a self-signed cert. This means that EAP certs will always expire - and sure, you can leave an expired EAP cert on an Admin node and nothing bad will happen (except alarms and constant syslogs). Therefore I usually create 10 year self-signed certs for those nodes that don't need the cert, but also to avoid the cert expiration issue.

As for renewal. EAP is easy. You click on the install cert, select the node and go! Nothing bad happens (no application restarts).

Admin certs are more intrusive - and when you install a new admin cert on a node, it will restart processes and cause downtime. I would imagine that this new cert has to have a CA trust relationship to the PAN CA chain, so that when the node restarts, it builds TLS connection to the PAN again. This is easily done if the ISE Admin cert comes from a public CA or your PKI, where the Root CA cert is installed on all nodes.

As for the order in which to replace certs ... I would start with PSN's, waiting for the restarts to complete of course. And then move to Standby MnT, STandby PAN, and then finally the primary nodes. But I don't know/think it makes too much difference. But keen to know from others.

Re: 3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

pan — Thu, 01 Nov 2018 01:28:52 GMT

Arne have covered most of the things. You can use following doc which have all info you need the procedure is same for ise 2.x version.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200295-Install-a-3rd-party-CA-certificate-in-IS.html

Images are missing in the doc but you should be able to understand.

Re: 3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

anthonylofreso — Thu, 01 Nov 2018 11:26:34 GMT

Great post, great responses. I'll add some additional info. Just copy / paste from a course I took a while back. This doesn't necessarily relate to your question, but is generally good 'rule-of-thumb' info:

ISE Certificates Best Practices

Ensure that all certificate CN names can be resolved by DNS
Use lower case for appliance hostname, DNS name, certificate CN
ISE cert CSR: Use format "CN=<FQDN>" for subject name
Ensure time is synced: use NTP with UTC for all nodes
Signed by Trusted CD - required for each node

For external users/guests, certs should be signed by 3rd-party CA

Install entire certificate chains as individual certs into ISE trust store
Use PEN, not DER encoding for import/export operations

ISE certificates best practices include such recommendations as:

Correct synced by NTP time on all nodes.
All certificates for external users/guests must be signed by trusted CA
PEM encoding is preferable over DER encoding.
When running the ISE Setup wizard, use lowercase for hostname.

Do not use self-signed certificates in production networks (I break this rule)

Certificates are used for all portal communication and EAP

Using a certificate that is already trusted by most clients is a major benefit, especially for guests or visitors not part of corporate PKI

Re: 3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

Nadav — Fri, 02 Nov 2018 13:57:14 GMT

Hi, good info.

You have a small typo: it's PEM not PEN.

Maybe it's worth mentioning that ISE supports multi-SAN certificates as well as wildcard. It can make life easier if you don't mind the security risk.