https://community.cisco.com/t5/network-access-control/ise-deployment-with-self-signed-certs/m-p/5209845#M592507 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/309358">@REJR77</a> the certificates need to be trusted, so yes if using the self signed certificate import the admin certificate to the other node.</P> <P>If the customer has no PKI environment, use a publically signed certificate for the EAP certificate and PEAP/MSCHAPv2. The clients should already have the public CA certificate in the local computer store, so would trust that certificate. Using PEAP/MSCHAPv2 is no longer recommended though, as this is blocked by Windows credentials guard. The recommendation is to use user/machine certificates for authentication, which you will need a PKI environment.</P> <P>FYI, ISE does have an internal CA builtin, but that is recommended for BYOD environments.</P> Wed, 16 Oct 2024 20:11:03 GMT Rob Ingram 2024-10-16T20:11:03Z https://community.cisco.com/t5/network-access-control/ise-deployment-with-self-signed-certs/m-p/5209842#M592506 <P>Hello</P> <P>Usually I use certificate signed by Internal CA, but my customer does not have an PKI and we need to deploy an ISE deployment with self signed.</P> <P>Do we need to add each ISE admin cert&nbsp; in trusted CA list on the other node ? (PAN Admin certs on secondary Pan and vice versa?)</P> <P>Thx</P> Wed, 16 Oct 2024 20:04:48 GMT https://community.cisco.com/t5/network-access-control/ise-deployment-with-self-signed-certs/m-p/5209842#M592506 REJR77 2024-10-16T20:04:48Z https://community.cisco.com/t5/network-access-control/ise-deployment-with-self-signed-certs/m-p/5209845#M592507 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/309358">@REJR77</a> the certificates need to be trusted, so yes if using the self signed certificate import the admin certificate to the other node.</P> <P>If the customer has no PKI environment, use a publically signed certificate for the EAP certificate and PEAP/MSCHAPv2. The clients should already have the public CA certificate in the local computer store, so would trust that certificate. Using PEAP/MSCHAPv2 is no longer recommended though, as this is blocked by Windows credentials guard. The recommendation is to use user/machine certificates for authentication, which you will need a PKI environment.</P> <P>FYI, ISE does have an internal CA builtin, but that is recommended for BYOD environments.</P> Wed, 16 Oct 2024 20:11:03 GMT https://community.cisco.com/t5/network-access-control/ise-deployment-with-self-signed-certs/m-p/5209845#M592507 Rob Ingram 2024-10-16T20:11:03Z