topic Re: ISE Cert Question in Network Access Control

ISE Cert Question

benolyndav — Mon, 15 Apr 2024 13:31:56 GMT

Do I need to generate a CSR for a cert on ISE its a *cert or can I just add the cert to the ISE Nodes for Portal use.??

Thanks

Re: ISE Cert Question

Rob Ingram — Mon, 15 Apr 2024 14:07:46 GMT

@benolyndav no you do not need to generate the CSR on ISE itself. It can be generated by other means, but when you import the signed certificate into ISE you will need to import the private key.

This is quite common if you use a wildcard/multi-domain certificate.

Re: ISE Cert Question

MHM Cisco World — Mon, 15 Apr 2024 14:00:35 GMT

Yes you need.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html

Check this

MHM

Re: ISE Cert Question

benolyndav — Mon, 15 Apr 2024 14:45:34 GMT

@Rob Ingram
Thanks for that, do the Certs have to be apache ??

Thanks

Re: ISE Cert Question

Rob Ingram — Mon, 15 Apr 2024 14:58:42 GMT

@benolyndav I assume you are referring to when processing the CSR via a public provider? Yes, I imagine apache would work.

Re: ISE Cert Question

Aref Alsouqi — Mon, 15 Apr 2024 16:31:51 GMT

You can use "Other" if that is an option, if not any web server template should work.

Re: ISE Cert Question

benolyndav — Tue, 16 Apr 2024 12:38:21 GMT

Hi @Rob Ingram
Yes I was refering to that process, do you know which other formats would work as well.??
also if I select generate CSR do I choose portal now or do the uasgae later,? and also see image do I select all the ised nodes for the CSR ?? and check the wildcard box ?

Thanks

Re: ISE Cert Question

Rob Ingram — Tue, 16 Apr 2024 12:49:24 GMT

@benolyndav that screenshot is if you create the CSR on ISE, I thought you weren't going to do that?

If you do use ISE to generate the CSR when you select "allow wildcard certificate" all the nodes disappear (meaning you cannot select them) and you define the certificate options (CN, OU etc). One CSR is created, get it signed and then import to all the other ISE nodes and assign the usage as Portal.

Re: ISE Cert Question

benolyndav — Tue, 16 Apr 2024 13:08:48 GMT

@Rob Ingram
Hi great I never noticed that, and yes I might have to generate from ISE afterall, So would you suggest leaving as multi use until I have the signed Cert back then when importing to each node there I select portal usage ??

Thanks

Re: ISE Cert Question

Aref Alsouqi — Tue, 16 Apr 2024 13:19:57 GMT

If the cert will be used on the portal then you should select the portal usage and associate the CSR to the portal group that will use the cert, however, even if you select multi-use and then you associate it to the portal usage it would work anyway, but there is no point to do it that way.

Re: ISE Cert Question

MHM Cisco World — Tue, 16 Apr 2024 13:26:50 GMT

Dont waste your time' do csr for portal cert.

MHM

Re: ISE Cert Question

Rob Ingram — Tue, 16 Apr 2024 13:32:43 GMT

@benolyndav If the certificate is just used for Portal select portal.

Selecting the usage of a certificate is just a tick box, you can change the usage of other certificates anytime.

Re: ISE Cert Question

benolyndav — Tue, 16 Apr 2024 14:20:28 GMT

@Rob Ingram

Can the friendly name be anything, its appending the ISE node name on the freindly name, and I need to add to other nodes, does this matter.?

Thanks

Re: ISE Cert Question

Rob Ingram — Tue, 16 Apr 2024 14:23:44 GMT

@benolyndav it can be anything, generally put a useful name related to its purpose.

Re: ISE Cert Question

benolyndav — Wed, 17 Apr 2024 09:06:16 GMT

@Rob Ingram
So got the CSR binded and looks ok, another question I'm assuming I need the new root cert in trusted certs in ISE, what should I select regarding trusted for , and also does addding a cert to trusted certs trigger a services restart.??

Thanks

Re: ISE Cert Question

Aref Alsouqi — Wed, 17 Apr 2024 09:22:25 GMT

Importing the root certificate (and the intermediate cert if used) into the trusted certificates store in ISE does not trigger any applications reload and you need to select the "Trust for client authentication and Syslog" option to allow ISE to accept the negotiation with the clients presenting a certificate issued by that root or intermediate CA.

Re: ISE Cert Question

Rob Ingram — Wed, 17 Apr 2024 09:23:24 GMT

@benolyndav yes you need to import the root and intermediate root certificate, trusted for authentication.

No services won't restart for the portal certificate only admin cert.

Re: ISE Cert Question

benolyndav — Wed, 17 Apr 2024 09:42:15 GMT

@Rob Ingram Which one please there is multiple authentication options

Re: ISE Cert Question

Rob Ingram — Wed, 17 Apr 2024 10:06:07 GMT

@benolyndav "trusted for authentication within ISE" and the sub options.