https://community.cisco.com/t5/network-access-control/ise-node-fqdn-domain-different-from-certificate-cn-and-sans/m-p/5264051#M595164 <P>Hi</P> <P>How did you manage to create an Admin/EAP cert that contains two different DNS domains?&nbsp;&nbsp;</P> <P>The certificate for Admin/EAP/Radius DTLS is from their internal CA and contains DNS SANs fields using</P> <P>isenode1.mycompany.com</P> <P>isenode2.mycompany.com</P> <P>guestportal1.<FONT color="#FF0000">notmyAD.com</FONT></P> <P>guestportal2.<FONT color="#FF0000">notmyAD.com</FONT></P> <P><FONT color="#000000">That should be technically impossible to do.&nbsp; Your Admin/EAP certificate should only contain mycompany.com SAN entries.</FONT></P> <P>&nbsp;</P> <P><FONT color="#000000">The portal cert should contain notmyAD.com SAN entries. If it's a re-used wildcard cert then it should be fine for Guest Portals. Else, customers usually create a multi-SAN cert that contains these in the DNS SAN fields</FONT></P> <P><FONT color="#000000">guestportal1.notmyAD.com<BR />guestportal2.notmyAD.com</FONT></P> <P>&nbsp;</P> <P><FONT color="#000000">Please don't change your ISE deployment DNS domain from mycompany.com to notmyAD.com - that is not necessary.&nbsp;&nbsp;</FONT></P> <P><FONT color="#000000">Guest Portals operate by using DNS to resolve&nbsp;guestportal1.notmyAD.com and&nbsp;guestportal2.notmyAD.com to the IP address of&nbsp;isenode1.mycompany.com and&nbsp;isenode2.mycompany.com respectively.&nbsp; That's a job for the client's DNS resolver - the DHCP scope must provide a DNS server that can successfully resolve that.</FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 23 Feb 2025 22:22:44 GMT Arne Bier 2025-02-23T22:22:44Z https://community.cisco.com/t5/network-access-control/ise-node-fqdn-domain-different-from-certificate-cn-and-sans/m-p/5263579#M595123 <P>Running ISE 3.3 with 2 nodes running all personas with Active Directory join</P> <P>AD example = mycompany.com</P> <P>The certificate for Admin/EAP/Radius DTLS is from their internal CA and contains DNS SANs fields using</P> <P>isenode1.mycompany.com</P> <P>isenode2.mycompany.com</P> <P>guestportal1.notmyAD.com</P> <P>guestportal2.notmyAD.com</P> <P>Their Guest Portal certificate is from 3<SUP>rd</SUP> party CA and has CN of *.notmyAD.com as well as the following DNS SANs</P> <P>guestportal1.notmyAD.com</P> <P>guestportal2.notmyAD.com</P> <P>mydevices.notmyAD.com</P> <P>*.notmyAD.com</P> <P>The internal admin/eap certificate is on both nodes.</P> <P>The guest certificate only resides on ise node 1.</P> <P>When they export the guest certificate from node 1 and try to import it into node 2 they’ve run into issues related to ISE actual FQDN being in a different domain than the CN or SANs.</P> <P>I’m not sure how it was ever installed into Node1</P> <P>While their AD is mycompany.com, their email addresses are user@notmyAD.com</P> <P>Looking for recommendations on resolution.&nbsp; I think we need to change the domain on the ISE nodes from mycompany.com to notmyAD.com and regenerate certificates?&nbsp; Is there a better alternative?</P> Fri, 21 Feb 2025 16:39:33 GMT https://community.cisco.com/t5/network-access-control/ise-node-fqdn-domain-different-from-certificate-cn-and-sans/m-p/5263579#M595123 cherie13653 2025-02-21T16:39:33Z https://community.cisco.com/t5/network-access-control/ise-node-fqdn-domain-different-from-certificate-cn-and-sans/m-p/5264051#M595164 <P>Hi</P> <P>How did you manage to create an Admin/EAP cert that contains two different DNS domains?&nbsp;&nbsp;</P> <P>The certificate for Admin/EAP/Radius DTLS is from their internal CA and contains DNS SANs fields using</P> <P>isenode1.mycompany.com</P> <P>isenode2.mycompany.com</P> <P>guestportal1.<FONT color="#FF0000">notmyAD.com</FONT></P> <P>guestportal2.<FONT color="#FF0000">notmyAD.com</FONT></P> <P><FONT color="#000000">That should be technically impossible to do.&nbsp; Your Admin/EAP certificate should only contain mycompany.com SAN entries.</FONT></P> <P>&nbsp;</P> <P><FONT color="#000000">The portal cert should contain notmyAD.com SAN entries. If it's a re-used wildcard cert then it should be fine for Guest Portals. Else, customers usually create a multi-SAN cert that contains these in the DNS SAN fields</FONT></P> <P><FONT color="#000000">guestportal1.notmyAD.com<BR />guestportal2.notmyAD.com</FONT></P> <P>&nbsp;</P> <P><FONT color="#000000">Please don't change your ISE deployment DNS domain from mycompany.com to notmyAD.com - that is not necessary.&nbsp;&nbsp;</FONT></P> <P><FONT color="#000000">Guest Portals operate by using DNS to resolve&nbsp;guestportal1.notmyAD.com and&nbsp;guestportal2.notmyAD.com to the IP address of&nbsp;isenode1.mycompany.com and&nbsp;isenode2.mycompany.com respectively.&nbsp; That's a job for the client's DNS resolver - the DHCP scope must provide a DNS server that can successfully resolve that.</FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 23 Feb 2025 22:22:44 GMT https://community.cisco.com/t5/network-access-control/ise-node-fqdn-domain-different-from-certificate-cn-and-sans/m-p/5264051#M595164 Arne Bier 2025-02-23T22:22:44Z https://community.cisco.com/t5/network-access-control/ise-node-fqdn-domain-different-from-certificate-cn-and-sans/m-p/5264069#M595166 <P>It is possible to submit a CSR and get a cert because we used to have the same a while back during some mergers.&nbsp; We don't now, but our AD now has trust to all the other domains. <BR />I did just test this in my home lab using openssl with a Windows CA and successfully installed the cert in my ISE 3.4 node.&nbsp; I didn't apply it to my admin, but I may try to do that on a test node just to see.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScottFella_0-1740356346380.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/240461i3B716757287416A5/image-size/large?v=v2&amp;px=999" role="button" title="ScottFella_0-1740356346380.png" alt="ScottFella_0-1740356346380.png" /></span></P> <P>&nbsp;</P> Mon, 24 Feb 2025 00:21:59 GMT https://community.cisco.com/t5/network-access-control/ise-node-fqdn-domain-different-from-certificate-cn-and-sans/m-p/5264069#M595166 Scott Fella 2025-02-24T00:21:59Z https://community.cisco.com/t5/network-access-control/ise-node-fqdn-domain-different-from-certificate-cn-and-sans/m-p/5264096#M595168 <P>In openssl you can create whatever you like, but a public CA should not have the ability to create a certificate that represents an internal domain which has its own PKI, and for which the internal PKI should be issuing certs.</P> <P>&nbsp; &nbsp;<BR />When you import a cert into ISE, it doesn't check the SAN to see if what you put there is sane.&nbsp; Although, I think for guest portals, newer ISE versions try to be clever and reconcile the portal FQDN with one or more SAN entries - but it can't be sure whether any of this is valid and mostly gets it wrong (stating that a valid cert for a valid portal is 'Stale')<BR /><BR />A trustworthy CA can/should only issue certs for a domain for which it has obtained proof that the CSR requester owns the public domain (e.g. public DNS TXT record).&nbsp; If an organization is putting its internal domains on the internet to allow CAs to validate it, then that sounds like a terrible idea to me.</P> <P><SPAN>I can create a cert in my home lab with a SAN: </SPAN><A style="font-family: inherit; background-color: #ffffff;" href="http://www.google.com" target="_blank">www.google.com</A><SPAN>&nbsp; &nbsp;- but it doesn't mean I can make your browser trust that, even if I could poison the DNS and send you to my rogue server, running that cert for that domain.</SPAN></P> Mon, 24 Feb 2025 04:25:36 GMT https://community.cisco.com/t5/network-access-control/ise-node-fqdn-domain-different-from-certificate-cn-and-sans/m-p/5264096#M595168 Arne Bier 2025-02-24T04:25:36Z https://community.cisco.com/t5/network-access-control/ise-node-fqdn-domain-different-from-certificate-cn-and-sans/m-p/5264099#M595170 <P>You are right, I took the OP as stating that their internal cert provided a cert with the internal domain and another domain but not a public domain.&nbsp;</P> Mon, 24 Feb 2025 04:53:21 GMT https://community.cisco.com/t5/network-access-control/ise-node-fqdn-domain-different-from-certificate-cn-and-sans/m-p/5264099#M595170 Scott Fella 2025-02-24T04:53:21Z