topic Re: Ise Deployment Question in Network Access Control

Ise Deployment Question

benolyndav — Tue, 12 Dec 2023 11:54:24 GMT

If i Generate a new self signed Cert on the primary node and use for multi use one being Admin would the application restart affect the secondary node? or would this carry on serving Clients as normal.??

Thanks

Re: Ise Deployment Question

balaji.bandi — Tue, 12 Dec 2023 12:01:43 GMT

If the clients have valid certs they should not be effected.

what kind of cert you replacing, admin certs ? - adding new Cert does not need ISE to reload.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html

Re: Ise Deployment Question

MHM Cisco World — Tue, 12 Dec 2023 12:04:35 GMT

can I know what service for Client you use in Secondary Node ?
MHM

Re: Ise Deployment Question

MHM Cisco World — Tue, 12 Dec 2023 12:23:43 GMT

friend they will effect be careful.
Admin Cert. in distribute mode is important
check before apply any change
MHM

Re: Ise Deployment Question

benolyndav — Tue, 12 Dec 2023 12:24:02 GMT

Sorry pressed the wrong button didnt want to accept solution, its self signed certs and are multi use admin being one of the uses,
also I do see there is a button to renew the cert is that the easiest way to renew>?

thanks

Re: Ise Deployment Question

MHM Cisco World — Tue, 12 Dec 2023 12:31:50 GMT

When you set up a deployment, the node that you designate as the Primary Administration Node (PAN) becomes the Root CA. The PAN has a Root CA certificate and a Node CA certificate that is signed by the Root CA.

When you register a Secondary Administration Node to the PAN, a Node CA certificate is generated and is signed by the Root CA on the Primary Administration Node.

Any Policy Service Node (PSN) that you register with the PAN is provisioned an Endpoint CA and an OCSP certificate signed by the Node CA of the PAN. The Policy Service Nodes (PSNs) are subordinate CAs to the PAN. When you use the ISE CA, the Endpoint CA on the PSN issues the certificates to the endpoints that access your network.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_ise_manage_certificates.html

check this guide, see ISE root CA in PAN
MHM

Re: Ise Deployment Question

balaji.bandi — Tue, 12 Dec 2023 12:42:51 GMT

, its self signed certs and are multi use admin being one of the uses, also I do see there is a button to renew the cert is that the easiest way to renew>?

is the self signed certs you renewing or you replacing ?

what kind of deployment, what ISE version ?

have you checked the document posted above - in related to renewals of certs.

Re: Ise Deployment Question

benolyndav — Tue, 12 Dec 2023 12:54:56 GMT

its the self signed certs that have expired onthe primary admin and secondary admin nodes, theses certs are used for DTLS, Admin, Portal, eap auth.
thanks

Re: Ise Deployment Question

Rob Ingram — Tue, 12 Dec 2023 12:59:56 GMT

@benolyndav applying a new admin certificate to a node will restart the services on that node only. As long as the secondary node provides the same services (RADIUS, TACACS etc) then the clients will continue to be authenticated. It is important the secondary node will need to trust the Primary node's new admin certificate.

If you also use the new certificate for EAP (and any other function) then those clients will need to trust the new certificate, when using a self-signed certificate this won't be easy. The recommendation is to use an internal CA for admin/EAP.

Re: Ise Deployment Question

balaji.bandi — Tue, 12 Dec 2023 13:53:51 GMT

You can start with new Certs on Primary node and later secondary node, the document give you steps.

Client should not see any issue, as long as both system configured correctly to failover to other ISE when one ISE not reachable.

Re: Ise Deployment Question

benolyndav — Tue, 12 Dec 2023 14:53:31 GMT

so the psn nodes are using a cert from an external CA for EAP which is i gues why clients are ok, the Primary admin node is as mentioned using a self signed cert which has expired for admin, eap, portal, DTLS,
so if I generate a new self signed cert for the primary node or use the check box to renew which is the best way,?

then this new cer has to also be in the trusted certs along with all other nodes in the deployment?

Thanks

Re: Ise Deployment Question

balaji.bandi — Tue, 12 Dec 2023 14:58:39 GMT

so if I generate a new self signed cert for the primary node or use the check box to renew which is the best way,?

if the Cert is new you need to add to Trusted store and amend as per requirement.

Re: Ise Deployment Question

benolyndav — Tue, 12 Dec 2023 15:37:00 GMT

Hi Rob

Im thinking about possibly moving the admin use from the expired cert to a cert thats not expired, is this possible,?

Thanks

Re: Ise Deployment Question

Rob Ingram — Tue, 12 Dec 2023 15:40:02 GMT

@benolyndav yes, just click the other certificate and select the usage as "Admin" and apply, the services will then restart. Ensure the other certificate is trusted by the other nodes.

Re: Ise Deployment Question

benolyndav — Tue, 12 Dec 2023 16:03:48 GMT

So just being curious could I select any Cert thats being used for say pxgrid or ise messagin etc and add the Admin use to the Cert.?

Thanks

Re: Ise Deployment Question

Rob Ingram — Tue, 12 Dec 2023 16:07:19 GMT

@benolyndav generally yes you can as long as it's trusted by other nodes etc. Preferably you'd have at least a dedicated certificate for admin role IMO.