topic Re: Admin Certificate Renewal: Impact in Network Access Control

Admin Certificate Renewal: Impact

Tymofii Dmytrenko — Tue, 24 Jul 2018 12:45:12 GMT

At the moment we have individual certificates deployed to each ISE node for Admin purpose. We also have wildcard certificate which we use for EAP Authentication and sponsors portal. The problem is that due to HSTS ISE PSN presents its own Admin certificate when redirection is being performed and hence portal cannot be accessed using portal's FQDN.

So, I decided to use Wildcard certificate for Admin function too, but when I Edited Wildcard certificate to set Admin as one of its functions, I've got the following warning

In my understanding, this means that I will not be able to manage or monitor ISE nodes while this activity takes place. However, is there anyone from Cisco who can confirm the exact impact? Is Authentication going to be affected? Does this happen simultaneously on all nodes in the deployment?

Re: Admin Certificate Renewal: Impact

Rob Ingram — Tue, 24 Jul 2018 12:52:52 GMT

Hi,

It depends on how many nodes you are running in your environment and what services are running on those nodes.

For example, when the services restart on the PAN assuming the PSN service is running on another ISE node then you can still authenticate users, but you do lose the ability to process sessions that would require writing to the database. This link indicates exactly what is and is not available.

HTH

Re: Admin Certificate Renewal: Impact

Jason Kunst — Tue, 24 Jul 2018 17:13:16 GMT

I checked on this and yes services will restart when replacing a cert

Re: Admin Certificate Renewal: Impact

Damien Miller — Tue, 24 Jul 2018 18:59:48 GMT

You assumed correct. When you hit ok on that warning, the application server service will restart. The entire server does not restart though, just one service.

You will not be able to access the gui while the the application server service restarts, and any feature leveraging the gui, such as sponsor guest account portal would be unavailable.

Something to keep in mind is that the warning indicates all nodes including PSNs. This means that if you are using the CWA portal for guest authentication on any other PSNs, that will also be unavailable for around 10-20 minutes.

Re: Admin Certificate Renewal: Impact

Tymofii Dmytrenko — Wed, 25 Jul 2018 15:03:24 GMT

@Damien Miller thanks! This is what I thought. I will raise a change to implement. At the moment we don't use ISE v2.3 for CWA, but this is ongoing project, so I'd better update certificate before it becomes even more critical.

I'll make sure the change happens close to end of day over the weekend just in case.

Re: Admin Certificate Renewal: Impact

Tymofii Dmytrenko — Wed, 25 Jul 2018 15:22:02 GMT

@Jason Kunst are you referring to ALL services, or just Application Service (so, only GUI-based services will not be available, such as Management GUI, CWA, sponsors portals, BYOD portals, so on)? Thanks

Re: Admin Certificate Renewal: Impact

Jason Kunst — Wed, 25 Jul 2018 16:15:16 GMT

All services should be affected because your cert applies to admin

Re: Admin Certificate Renewal: Impact

Tymofii Dmytrenko — Mon, 06 Aug 2018 10:21:53 GMT

Thanks @Jason Kunst. How this activity may possibly affect Radius if that one is using different certificate (endpoint authentication)? Thanks

Re: Admin Certificate Renewal: Impact

hslai — Mon, 06 Aug 2018 14:04:30 GMT

The restart of ISE services includes the session services (RADIUS and T+) regardless the EAP server using a different certificate. On the other hand, no ISE restart if only the EAP server certificate updated.

Please note that it will rolling restart ISE services on all the other ISE nodes, if we change the admin certificate on the primary ISE node.

Re: Admin Certificate Renewal: Impact

Tymofii Dmytrenko — Mon, 06 Aug 2018 14:55:00 GMT

Oh... so this is a MAJOR change with a MASSIVE impact then? Oh my.

Thanks for confirming. At least I know what to expect now.

Re: Admin Certificate Renewal: Impact

hslai — Mon, 06 Aug 2018 15:03:38 GMT

Correct, on the impact of updating the admin certificate on the primary ISE node.

CSCut10928 is an enhancement and not yet implemented. If needed, you may use the workaround for CSCut10928 to reduce the impact.

Re: Admin Certificate Renewal: Impact

Tymofii Dmytrenko — Fri, 14 Sep 2018 14:24:28 GMT

I just thought I will give an update to everyone. So, we've swapped Admin certificate in our Cisco ISE v2.3 environment and I have observed the following.

Only Application Service restarted, other services were not affected (inc Radius authentication)
Service restarted on PAN, and on all other nodes ONE BY ONE as they are listed on the deployment page
Impact was very low (we don't use ISE portals, only RADIUS/TACACS)

This contradicts with the information provided here. I had to go through a pain of raising this as a Major change and going through CAB 😄

Anyway, happy there was no issues at all. Might be useful to anyone who wants to do the same

To summarize,

We had wildcard certificate used for EAP and Portals (sponsors), but NODE-specific certificates for ADMIN (each node had its own crt). This resulted in HSTS issues with Sponsors portal, where initially node presents its OWN ADMIN certificate, followed by WILDCARD PORTAL after redirection. Portal access was broken. We had to promote Wildcard crt to ADMIN function. It was successful, with minum impact and resolved HSTS problem we faced.

Thanks all

Re: Admin Certificate Renewal: Impact

Abid Abdul Latif — Thu, 14 May 2020 19:46:48 GMT

I second what Tymofii Dmytrenko posted there was no impact on Radius / TACACS requests during admin cert renewal process.

Re: Admin Certificate Renewal: Impact

dperera — Wed, 05 Jul 2023 11:09:08 GMT

Thank you Tymofii Dmytrenko. I have done the same recently. This thread was useful as it is not clear in the cisco documentation. Sharing my experience in brief, I renewed admin certificate on 1+1 HA deployment running ISE 3.1 Patch 04. There is no service impact during the application restart because secondary server was working. Once the primary is up, secondary server restarted the application service. In short, certificate renewal process is smooth. The only problem I faced is ”admin certificate” on secondary node is not getting replicated. Below is the error message. Certificate Replication Failed: Admin=****; Server=ISE-01; Message=Failed to replicate certificate **** to node ISE-02 because Cannot delete Admin certificate.

So I had to deregister secondary node from the primary. then it becomes standalone. Import admin certificate to the secondary server and register it again to the primary server. overall process is smooth without any impact on radius and tacacs+ authentication/authorization services. Please note while deregister/reregister process, services of secondary server is getting restarted.

Thanks all