topic Re: How To: Implement ISE Server-Side Certificates document in Network Access Control

How To: Implement ISE Server-Side Certificates document

ffadhilpi — Thu, 26 Oct 2017 20:54:06 GMT

Hi Forum,

In this document (page 14) where u use the same cert on all PSN's.... I'm planning to use the same cert on all PSN's only for EAP authentication. CN in the cert will be something like aaa.company.localdomain

my questions:

Don't the hostname of every PSN has to be aaa.company.localdomain ??otherwise the hostname won't match the CN and client supplicant would reject the cert??

let me know.

thanks,

Re: How To: Implement ISE Server-Side Certificates document

Jason Kunst — Thu, 26 Oct 2017 22:04:10 GMT

Check this out

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0111.html#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2

Re: How To: Implement ISE Server-Side Certificates document

ffadhilpi — Thu, 26 Oct 2017 22:44:12 GMT

are you trying to point wild card certs?

Windows machines don't support RADIUS auth to a wild card cert!

Re: How To: Implement ISE Server-Side Certificates document

Jason Kunst — Thu, 26 Oct 2017 22:58:46 GMT

Yes, Actually they do, a wildcard in the SAN, it’s shown on the admin guide page

Otherwise you would need to have one cert with the following

Each host will resolve to the SAN name

CN aaa.domain.local

San aaa.domain.local

Then every host psn name

Psn1.domain.com<http://Psn1.domain.com>

PSN2.

Psn3

Sponsor.domain.com<http://Sponsor.domain.com>

Mydevices.domain.com<http://Mydevices.domain.com>

Etc

This works ok if your hosts are static but if you wanted to add more psn or other services later then you would need to purchase another cert

Re: How To: Implement ISE Server-Side Certificates document

ffadhilpi — Thu, 26 Oct 2017 23:27:52 GMT

I think I caused a confusion.

Sponsors and portal are our of picture. This is purely for EAP auth.

If the CN is aaa.company.localdomain

and no SAN's (as far as I know SAN is not evaluated in a RADIUS transaction)

should it matter what the hostname of my PSNs is? as long as the root CA is trusted?!

Re: How To: Implement ISE Server-Side Certificates document

hslai — Fri, 27 Oct 2017 01:02:09 GMT

You are correct on this.

Re: How To: Implement ISE Server-Side Certificates document

Ping Zhou — Fri, 27 Oct 2017 17:53:45 GMT

As long as the root, the signing ca cert, is trusted by your Windows supplicant, the CN field of your PEAP cert doesn’t matter. I named my as “psn.xxx.xxx.org”, works fine for all my PSN nodes that share the cert. (note: obviously my PSN nodes have their unique FQDN)