topic Re: ISE Certificates - Roaming Between Nodes in Network Access Control

ISE Certificates - Roaming Between Nodes

jonhux891 — Mon, 02 Aug 2021 11:32:54 GMT

What is the best method for deploying EAP certificates within a multi-node deployment where users will roam between sites? Each site has an ISE PSN and the Admin and MGMT nodes are in a DC.

The root CA of the certs that are presented to clients during authentication are pushed to the device VIA the MDM solution. If each node is signed individually by the same CA, will the users be able to roam without having to accept another certificate for EAP or is it best to use a multi-node cert with each Node listed as a SAN in the same CSR?

Thanks

Jon

Re: ISE Certificates - Roaming Between Nodes

balaji.bandi — Mon, 02 Aug 2021 11:48:31 GMT

Same Cert should work for your Roaming solution you looking to deploy.

Re: ISE Certificates - Roaming Between Nodes

jonhux891 — Mon, 02 Aug 2021 12:14:05 GMT

Hi balaji.bandi

Thanks for the quick reply, when you say 'same cert'. Do you mean a single cert with each node list as a SAN or each node can have individual certs that are signed by the same CA?

Cheers,

Jon

Re: ISE Certificates - Roaming Between Nodes

thomas — Sat, 07 Aug 2021 02:14:07 GMT

You have ensured that the root CA cert for the ISE deployment is on each endpoint so they will trust any of the ISE nodes so that is fantastic. This will work regardless of how you do choose to implement you ISE certs - individual ISE node name per cert or a wildcard cert for the entire deployment.

Re: ISE Certificates - Roaming Between Nodes

Mohammed al Baqari — Sat, 07 Aug 2021 17:24:30 GMT

Hi,

Both deployments should work. The main point that you need to have the
certificate chain in the trusted store of the clients. Whether it's same CA
or multiple CAs should be fine.

**** please remember to rate useful posts