https://community.cisco.com/t5/network-access-control/certs-in-cisco-ise/m-p/5088124#M589226 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1149933">@Gioacchino</a>&nbsp;- there is a <A href="https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/td-p/4653889" target="_self">previous posting about this that explains</A> why Cisco did this. It's apparently helping us to find certs that are still valid (in terms of date range) but not effectively aligned to an ISE node. I personally don't like this feature because I have found it to be wrong in cases of Guest Portals. ISE gets confused when the PSN node name does not match the cert's CN (two things that have nothing to do with each other and don't need to be identical).</P> Thu, 02 May 2024 20:41:25 GMT Arne Bier 2024-05-02T20:41:25Z https://community.cisco.com/t5/network-access-control/certs-in-cisco-ise/m-p/5087416#M589207 <P>Excellent article <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/25619">@thomas</a> (weird I cannot tag him),</P><P><A href="https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897#toc-hId--379707072" target="_blank" rel="noopener">https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897#toc-hId--379707072</A></P><P>I wonder if the STALE topic has been taken into account (I don't seem to see it), especially when it comes to EAP certificates, where are explicitly told that their CNs might have nothing to do with the ISE nodes names (and this may definitely trigger the STALE flag)</P><P>Gio</P> Fri, 03 May 2024 09:32:26 GMT https://community.cisco.com/t5/network-access-control/certs-in-cisco-ise/m-p/5087416#M589207 Gioacchino 2024-05-03T09:32:26Z https://community.cisco.com/t5/network-access-control/certs-in-cisco-ise/m-p/5088124#M589226 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1149933">@Gioacchino</a>&nbsp;- there is a <A href="https://community.cisco.com/t5/network-access-control/ise-certificate-stale-status/td-p/4653889" target="_self">previous posting about this that explains</A> why Cisco did this. It's apparently helping us to find certs that are still valid (in terms of date range) but not effectively aligned to an ISE node. I personally don't like this feature because I have found it to be wrong in cases of Guest Portals. ISE gets confused when the PSN node name does not match the cert's CN (two things that have nothing to do with each other and don't need to be identical).</P> Thu, 02 May 2024 20:41:25 GMT https://community.cisco.com/t5/network-access-control/certs-in-cisco-ise/m-p/5088124#M589226 Arne Bier 2024-05-02T20:41:25Z https://community.cisco.com/t5/network-access-control/certs-in-cisco-ise/m-p/5088525#M589232 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/158532">@Arne Bier</a> ,</P><P>I have just wondered if this algorithm would apply to EAP auth certs as well, where indeed the CN of the returned cert might have nothing to do with the ISE nodes and the names given it.</P><P>My understanding is that Cisco devs didn't do any distinction.</P><P>Regards, Gio</P> Fri, 03 May 2024 09:31:45 GMT https://community.cisco.com/t5/network-access-control/certs-in-cisco-ise/m-p/5088525#M589232 Gioacchino 2024-05-03T09:31:45Z https://community.cisco.com/t5/network-access-control/certs-in-cisco-ise/m-p/5094850#M589330 <P>Unfortunately I don't know how this mechanism works or why we need it.</P> Thu, 09 May 2024 00:18:29 GMT https://community.cisco.com/t5/network-access-control/certs-in-cisco-ise/m-p/5094850#M589330 Arne Bier 2024-05-09T00:18:29Z