topic Re: Cisco ISE 2.3 - Certificate use in Network Access Control

Cisco ISE 2.3 - Certificate use

pgiouvanellis — Wed, 12 Sep 2018 11:41:18 GMT

Hello Everyone ,

We have a 2 PAN & PSN nodes deployment , the one acts as Primary (Admin and monitoring) and other one as Secondary (Admin and monitoring) .

We had to replace the Admin,Portal and EAP Cerificate with new ones due to expiration .

So we created 2 CSRs and we get the Certificates from our provider .

Then we successfully bind the 2 Certificates with CSRs but initially we did not gave any use to Certificates .

After Successfully binding we proceed with giving the certificates the usage we wanted (Admin,EAP ,Portal) .

We first begin from Secondary Node with success the managed .

When we tried to do it on Primary we get the following error .

"Certificate must contain the FQDN '' or a matching wildcard as a DNS name in the SubjectAlternativeName (SAN) extension."

The CSRs had no difference in production and the certificatesd we get back also .

Is anyone has any similar problem or has any idea what is going on ?

Thanks !

Re: Cisco ISE 2.3 - Certificate use

paul — Wed, 12 Sep 2018 12:15:15 GMT

Did you double check the cert you got back from the provider to ensure the CN field or SAN field has the FQDN of the primary node? You can do everything with one cert if you want. Just use SAN fields to cover both nodes. It makes things easier at the time of renewal and having a single EAP certificate makes mobile devices have less issues if they have to switch to the other PSN to authenticate.

Re: Cisco ISE 2.3 - Certificate use

Jason Kunst — Wed, 12 Sep 2018 12:19:34 GMT

Great section in admin guide

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0111.html#ID71

Re: Cisco ISE 2.3 - Certificate use

pgiouvanellis — Wed, 12 Sep 2018 12:34:43 GMT

I double check everything ,

The odd is that the other certificate which is exactly the same just with different FQDN and SAN was imported successfully with no errors .

How it is possible to add SAN field to Cert right know ?

You mean that i have to generate new CSR with SAN Field import 2 FQDNs one for each node ?

Thank You

Re: Cisco ISE 2.3 - Certificate use

paul — Wed, 12 Sep 2018 16:10:45 GMT

Yes, generate a new CSR with SAN fields to cover every FQDN. Then you have one cert/private key to manage.

Re: Cisco ISE 2.3 - Certificate use

pgiouvanellis — Thu, 13 Sep 2018 12:41:44 GMT

Hello ,

FYI

Yesterday we have import the new certificate for EAP and Portals and we left the Admin Portal ,

since it does not mind us .

After a little time the Portal did not worked properly they were not accessible from anywhere .

The EAP authentication was working properly .

After application stop and application start the problem was solved we were able to

assign the certificate to Admin Portal and Portals was working properly .

This is a walk through that we performed and we manage to bring ISE in working state .