topic Re: ISE Deployment Certs in Network Access Control

ISE Deployment Certs

benolyndav — Thu, 07 Dec 2023 17:26:44 GMT

Issue with our ISE Deployment self signed certs have expired so deployment is out of sync, self signed certs are multi use (Admin, Portal, Radius DTLS, EAP)
Is there a certain order to renew the self signed cert and get the deployment back in sync.??

Thanks

Re: ISE Deployment Certs

Rob Ingram — Thu, 07 Dec 2023 17:31:26 GMT

@benolyndav it's the Admin cert that is used for the ISE nodes to communicate. When you replace this certificate the ISE services are restarted. Best to do this in a change window. Once all nodes have a new Admin certificate then the ISE cluster should be in sync again.

Re: ISE Deployment Certs

benolyndav — Thu, 07 Dec 2023 17:35:06 GMT

Thanks for that, whats the best way to do this e.g what order ?? and steps, have you any good links for this info at all ?
Thanks

Re: ISE Deployment Certs

Rob Ingram — Thu, 07 Dec 2023 17:39:46 GMT

@benolyndav here is the offical Cisco ISE guide to renew certificates and the steps required. https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html

FYI, it's recommended not to use the self-signed certificates in production.

Re: ISE Deployment Certs

benolyndav — Thu, 07 Dec 2023 19:08:15 GMT

Again Thanks

When the ISE is installed, it generates a self-signed certificate. The self-signed certificate is used for administrative access and for communication within the distributed deployment (HTTPS) as well as for user authentication (EAP). In a live system, use a CA certificate instead of a self-signed certificate.

when it says user eap authentication which users does it refer to is it ISE Admins ??

also Ive inherited this deployment whats the downside of using self signed for this please.?

Thanks

Re: ISE Deployment Certs

Rob Ingram — Thu, 07 Dec 2023 19:15:53 GMT

@benolyndav the EAP certificate is the certificate presented to the endpoints/clients devices when authenticating using dot1x. Generally the EAP certificate issue by an Internal CA (such as from Windows AD PKI), which is then trusted by domain computers. Using a self signed certificate for EAP means the endpoints would not trust this certificate and would cause authentication issues.

Re: ISE Deployment Certs

MHM Cisco World — Thu, 07 Dec 2023 19:25:50 GMT

There is many certificate

Some not all

1- admin use to access gui of ISE

2- portals cert use for web auth

3- eap cert use for radius EAP-TLS and other EAP auth

When you use CSR there is field you can select for which this cert. Will use.

So dont confuse admin is different than portal.

MHM

Re: ISE Deployment Certs

MHM Cisco World — Thu, 07 Dec 2023 19:28:51 GMT

Additional to @Rob Ingram link

Check this link also

https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897

MHM

Re: ISE Deployment Certs

benolyndav — Thu, 07 Dec 2023 21:00:54 GMT

So would the PSN Nodes have different certs than the PAN node. ?? e.g for EAP

Thanks

Re: ISE Deployment Certs

Rob Ingram — Thu, 07 Dec 2023 21:05:45 GMT

@benolyndav admin certs would be different for each node, the EAP cert can be different or the same cert (multi domain cert or wildcard).