https://community.cisco.com/t5/network-access-control/ise-certificates-in-a-multi-node-deployment/m-p/3504349#M537039 <HTML><HEAD></HEAD><BODY><P>Please read <A _jive_internal="true" data-containerid="5301" data-containertype="14" data-objectid="68164" data-objecttype="102" href="https://community.cisco.com/docs/DOC-68164">How To: Implement ISE Server-Side Certificates</A><SPAN style="font-size: 10pt;"> if not already done.</SPAN></P><P></P><P>The choice is usually governed by the organization policies. Option 1 is more secure. Option 2 is more convenient and works better in some cases. For example, Apple iOS and macOS devices will ask to accept the EAP server certificate if not seen before, when performing an ad-hoc connection with PEAP/MSCHAPv2.</P></BODY></HTML> Thu, 10 Nov 2016 03:29:31 GMT hslai 2016-11-10T03:29:31Z https://community.cisco.com/t5/network-access-control/ise-certificates-in-a-multi-node-deployment/m-p/3504348#M537038 <HTML><HEAD></HEAD><BODY><P>What is the preferred method for admin certificates in a multi-node deployment:</P><P></P><P>1) Single cert with multiple SAN for each node</P><P>2) Shared certificate with multiple SAN among all nodes</P><P></P><P>Should I create different cert for each node or just share a single cert among all nodes?</P><P></P><P>Thanks</P><P></P><P>Sam</P></BODY></HTML> Thu, 10 Nov 2016 02:57:32 GMT https://community.cisco.com/t5/network-access-control/ise-certificates-in-a-multi-node-deployment/m-p/3504348#M537038 scamarda 2016-11-10T02:57:32Z https://community.cisco.com/t5/network-access-control/ise-certificates-in-a-multi-node-deployment/m-p/3504349#M537039 <HTML><HEAD></HEAD><BODY><P>Please read <A _jive_internal="true" data-containerid="5301" data-containertype="14" data-objectid="68164" data-objecttype="102" href="https://community.cisco.com/docs/DOC-68164">How To: Implement ISE Server-Side Certificates</A><SPAN style="font-size: 10pt;"> if not already done.</SPAN></P><P></P><P>The choice is usually governed by the organization policies. Option 1 is more secure. Option 2 is more convenient and works better in some cases. For example, Apple iOS and macOS devices will ask to accept the EAP server certificate if not seen before, when performing an ad-hoc connection with PEAP/MSCHAPv2.</P></BODY></HTML> Thu, 10 Nov 2016 03:29:31 GMT https://community.cisco.com/t5/network-access-control/ise-certificates-in-a-multi-node-deployment/m-p/3504349#M537039 hslai 2016-11-10T03:29:31Z https://community.cisco.com/t5/network-access-control/ise-certificates-in-a-multi-node-deployment/m-p/3504350#M537040 <HTML><HEAD></HEAD><BODY><P>Understood. Thank you.</P></BODY></HTML> Thu, 10 Nov 2016 04:29:15 GMT https://community.cisco.com/t5/network-access-control/ise-certificates-in-a-multi-node-deployment/m-p/3504350#M537040 scamarda 2016-11-10T04:29:15Z