topic ISE pxGrid and Certificates question in Network Access Control

ISE pxGrid and Certificates question

dgaikwad — Thu, 05 Jul 2018 10:56:22 GMT

Hello All,

I have a few queries regarding integrating ISE with IPAM solution from Infoblox.

Since, certificates are pretty important to integrate ISE with other solutions using certificates.

I am going integrate the production instance of IPAM with my test instance of ISE here.

So, what is that, the certificates on IPAM are signed by Commodo, while certificates for ISE are signed by internal intermediate CA server.

Earlier, I had done integration with self-signed certificates, but again those were in test labs, for this one the case is a little different.

The question that I have now is that, if I import the Commodo root certificate and the IPAM application certificate to ISE trusted certificate store and vice versa for IPAM.

Will that still work to allow authentication between ISE pxGrid and IPAM?

Or do I need to have the certificate signed from the CA in order for this integration to work?

Any pointers or ideas?

Re: ISE pxGrid and Certificates question

paul — Thu, 05 Jul 2018 12:25:32 GMT

The certificate running the GUI has nothing to do with the certificate that will be used to join the pxGrid. You should be running your pxGrid using the internal CA running on the ISE servers. Then you issue a certificate/private key that will be used on Infoblox to join the grid. You install that certificate/private key combination along with the ISE internal CA root cert into Infoblox when configuring the pxGrid connection.

Re: ISE pxGrid and Certificates question

dgaikwad — Thu, 05 Jul 2018 12:47:06 GMT

If I get this correct, then this certificate here, that has only pxgird enabled for is the one that I need to export with the key to Infoblox?

Just doing the confirmation, since I am really not that good with certificates though….

Or do I need to export the following that has authentication and other enabled on it to Infoblox?

Thank you,

Dinesh

Re: ISE pxGrid and Certificates question

paul — Thu, 05 Jul 2018 12:51:17 GMT

No under your pxGrid services in ISE you generate the cert/private key for Infoblox. A screen shot is attached.

If you are doing this in Chrome the pop-up to download the .zip file may not work. In the .zip file, when you get it, should be the Infoblox cert and private key in PEM format along with the ISE internal root cert. There will also be the root cert for the Admin GUI, but Infoblox shouldn’t need that from what I am reading.

Re: ISE pxGrid and Certificates question

dgaikwad — Thu, 05 Jul 2018 13:22:02 GMT

Well, this is new for me and never had used this feature before as well...

So, I see that I select Generate Single certificate without signing request

And here at the common name, do I need to enter the CN of the ISE server or the Infoblox server?

Further then import these certificates in Infoblox and it should be good to subscribe to the pxGrid service on ISE, right?

Re: ISE pxGrid and Certificates question

paul — Thu, 05 Jul 2018 13:26:06 GMT

The common name can be whatever you want. If you want to put the FQDN of the Infoblox in there that is fine. You can use a generic CN like I showed in the screen shots. This is how you get a certificate/private key to join pxGrid.

Re: ISE pxGrid and Certificates question

dgaikwad — Thu, 05 Jul 2018 13:35:58 GMT

Thank you for the quick reply, I will go ahead and try this out and update the thread with results!

Re: ISE pxGrid and Certificates question

dgaikwad — Thu, 05 Jul 2018 13:51:17 GMT

There is again one query though, I see that the bundle has also created .key certificate.

I had never used such a kind of certificate before, if possible can you direct me how to use it while importing it in Infoblox?

Re: ISE pxGrid and Certificates question

paul — Thu, 05 Jul 2018 13:57:19 GMT

You can’t use a certificate without a private key. I think the Infoblox wants the cert and key in the same file. Put them together in a file and import that.