topic ISE Identity Certificate. in Network Access Control

ISE Identity Certificate.

graham.harper — Thu, 10 Mar 2022 07:14:58 GMT

Hi there,

Does anyone have any experience with Publicly signed ID certificates for ISE.

We are going to be deploying Guest Services via CWA. When a user connects to the portal they get a certificate error as the current ID certificates are only signed by our internal CA and nobody but internal users will have that CA installed.

I went to an external provider (Geotrust) and wanted to get a Public CA signed Certificate with the CN = guestportal.company.com and SAN fields of internalserver.company.local.lcl, Private IP of BOX and External IP of Box. I get this Error from Geotrust.

Certificates that expire after November 1st, 2015 may not contain an internal server IP address or server name. Please modify SAN entry to continue.

Researching further into this it seems that all Certificates being issued by Public CA’s need to abide by the following new rules.

“What is an Internal Name?

An internal name is a domain or IP address that is part of a private network. Common examples of internal names are:

Any server name with a non-public domain name suffix. For example, www.contoso.local or server1.contoso.internal.

NetBIOS names or short hostnames, anything without a public domain. For example, Web1, ExchCAS1, or Frodo.

Any IPv4 address in the RFC 1918 range.

Any IPv6 address in the RFC 4193 range.”

Has anyone got around this? Or will the guests just have to put up with the Certificate error? Also I'll have to change the PSN's hostname to the CN which has implications for it joining our internal active directory so not keen on that.

I've ready that LDAP might be my only solution which I am not really keen on see below.

https://supportforums.cisco.com/docs/DOC-37562

Re: ISE Identity Certificate.

Stephen McBride — Thu, 13 Feb 2014 22:16:02 GMT

This requirement by public providers is a pain but a reality I suppose. In terms of your concerns I have deployed this many times without drama (ISE 1.2)

Internal name refers to a private domain name eg internaldomain.local whereas public is your publicdomain.com.au

Joining AD - Never had a problem with the PSN been on a "different" domain ie public FQDN vs internal FQDN. Just join the box to AD as you would normally. For intents and purposes the FQDN of the policy node is pretty much portal related. If there is an internal standards issue then you could always use the host alias functionality on another NIC so you can leave the primary hostname of the PSN alone and make a specific interface serve up a portal on a host-alias:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_e_man_cert.html#wp1183032

The biggest issue I encounter with all of this is my clients having to resolve an "internal" host to a public FQDN. The issue is not technical generally but people generally seem to hate the idea of an internal ip inside the network resolving to a public name (I might add it does not need to resolve externally).

In summary the solution will work.

ISE Identity Certificate.

graham.harper — Fri, 14 Feb 2014 08:14:24 GMT

Stephen, Thanks for that insight. Gives me another avenue to try. Appreciate it.

Re: ISE Identity Certificate.

switched switch — Fri, 14 Feb 2014 21:47:04 GMT

I've changed my deployment to company.com instead of company.local now because of this. We have split DNS setup and haven't encountered a problem as yet although my lab is not in production as yet.

Sent from Cisco Technical Support iPad App

ISE Identity Certificate.

Muhammad Munir — Tue, 18 Feb 2014 12:17:44 GMT

Hi graham,

FYI, please check these possible conditions, due to these condition this issue can occur:

Check if the Active Directory configuration in the Admin portal is correct.

The supplicant or client machine is not accepting the certificate from Cisco ISE.

The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.

The client machine must accept the Cisco ISE certificate to enable authentication.

This issue can apply to any expired certificates on Cisco ISE.

Your Cisco ISE certificate is about to expire or has expired.

ISE Identity Certificate.

jj27 — Tue, 18 Feb 2014 15:47:06 GMT

I've already started rolling this out in deployments. Here's what I have been doing:

Deploy ISE nodes with the external domain - company.com.
Setup split DNS internally to resolve psn.company.com and ise.company.com to the internal IP addresses.
Purchase a wildcard certificate for *.company.com and apply to ISE nodes for HTTPS only.
Use an internal CA signed certificate for EAP authentications still so your domain computers don't freak out about not having a trusted certificate (by default, Microsoft does not support 3rd party certificates for EAP authentications, but you can import them into the NTAuth store)

With that solution, clients accessing the HTTPS portals for guest authentication, sponsor portal, or CWA do not receive a certificate warning and your internal domain computers to not receive a certificate warning for PEAP or EAP-TLS authentications.

ISE Identity Certificate.

blenka — Thu, 20 Feb 2014 13:09:15 GMT

1. OCSP but sending ISE certificate to identity ISE via HTTPS.

2. LDAP but sending a user/pass to identify ISE. Can we add a user/pass on the LDAP URL?

As far as we know none of the above is currently supported in ISE, is this something that we are working on for future ISE releases?

I have run into he same

danhosking — Thu, 15 May 2014 01:32:35 GMT

I have run into he same situation with public CAs. I need two separate certs, a public https one and an internal EAP one, each on a different domain. Is this possible? if so how do you generate the certs for two different domains? The public one is straight ford as it will have the correct domain on configure on the ISE node. However for the EAP cert how will an internal PKI react to a CSR generated by a box on a different domain?

Recently I had a conversation with the TAC engineer. And the outcome seemed positive. The outcome from that conversation was the following:

- Https wild card certificate from Public issuer with example.org.au
- CLI change on ISE nodes to change their domain to org.au
- The company DNS must be able to resolve the ISE FQDN node names with example.org.au. For example - ISE01.example.org.au.
- The EAP certificate can be issued from the legacy Corporate PKI with a domain of example.local

However in a response to the same question the account team have said:

In response to checking if ISE can deployed with multiple domain certificates such as for http management on example.org and EAP on example.internal.org

The reason why this is not possible is because for installing a certificate in ISE you need to pass few conditions -

"Cisco ISE checks for a matching subject name as follows:

1.Cisco ISE looks at the subject alternative name (SAN) extension of the certificate. If the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node. If a wildcard certificate is used, then the wildcard domain name must match the domain in the Cisco ISE node’s FQDN.

2.If there are no DNS names in the SAN, or if the SAN is missing entirely, then the Common Name (CN) in the Subject field of the certificate or the wildcard domain in the Subject field of the certificate must match the FQDN of the node.

3.If no match is found, the certificate is rejected."

It sounds like you are trying

Stephen McBride — Thu, 15 May 2014 01:50:41 GMT

It sounds like you are trying to put two certs on the one box is that correct? 1 for HTTPs and one for EAP? If so I don't think you need too. Basically the server certificate can be used for both HTTPS (management portals etc) and for EAP. When the tick box for EAP is ticked you have to realise this isn't been used for the AAA component but to secure the tunnel for the AAA stuff. In terms of authenticating the actual user certificates you basically need to have the issuing roots and subs in the cert store with trust for EAP enabled.

Correct two certs. The reason

danhosking — Thu, 15 May 2014 02:26:13 GMT

Correct two certs. The reason is the public CA's won't sign a wildcard .local cert anymore. Our client has a .local internal domain for users, AD etc. so I need a eap cert for .local generated from their PKI and separate public signed cert example.org domain for http cert.

If this combination is not possible I will use a cert with lots of SAN entries as the public CA's will still do these.

Is this a distributed

Stephen McBride — Thu, 15 May 2014 02:33:43 GMT

Is this a distributed deployment? In all my deployments I am using either a wildcard/SAN public certificate for my PSNs and using internal PKI for the admin and monitoring. Bascially the PSNs have a public domain name and the admin and monitoring have an internal domain name.

Bascially what I am getting at is there is no requirement for an internal server certificate on the PSN to support EAP connections from an internal domain - the public server cert will do the job just fine - all you have to do is make sure the issuing servers are selected if you are validating the server certificate on the clinet machine. The server certificate itself is utilised to create a tunnel and does not impact the ability of a client to authenticate.

If I am not understanding your concern my apologies.

Re: ISE Identity Certificate.

Brickbr — Wed, 02 Jan 2019 05:34:41 GMT

For step #4 - What do you use for the CN and SAN fields when generating the CSR?

Re: ISE Identity Certificate.

Damien Miller — Wed, 02 Jan 2019 05:59:55 GMT

I don't feel that the warning in step 4 is accurate, I almost exclusively use a third party issued cert for EAP in customer ISE deployments. They have the root CA/Intermediate chain pushed to the machines. The only time I have had an issue with this is when I tried *.domain.com as the CN, we now know many microsoft workstations do not like wildcard CN's.

For the CN you can use anything you want so long as it also appears in the SAN field. For most deployments this is usually the hostname of the primary admin node, but that is by no means a requirement. For example, you can have a cert like this (ise.mydomain.com doest exist);

CN=ise.mydomain.com
SAN=ise.mydomain.com
SAN=node1.mydomain.com
SAN=node2.mydomain.com
SAN=guestportal.mydomain.com

If you wish to use a wildcard cert for a deployment then it should look like this. I have used a sub domain in this example since most companies do not want to wildcard their entire domain.

CN=ise.mydomain.com
SAN=*.sub.mydomain.com
SAN=guest.mydomain.com

In either case, you need to account for all the nodes in the dpeloyment, either by entering each hostname in the SAN fields, or using a wildcard.

Re: ISE Identity Certificate.

Brickbr — Wed, 02 Jan 2019 14:11:18 GMT

I am more so thinking of a case where the ISE deployment was deployed with a public domain (ex: mydomain.com), but the customer wants to use their internal CA for EAP. So i would be requesting EAP certificates with a CN of PSN1.mydomain.com but on a CA in the domain.local domain.

Re: ISE Identity Certificate.

NETAD — Mon, 13 Jan 2020 14:44:42 GMT

Hi Damien, is it ok to use ISE private IP in the SAN and if so which public CA can do this for us?

Re: ISE Identity Certificate.

Damien Miller — Mon, 13 Jan 2020 15:34:21 GMT

It is technically possible to add IP addresses to the SAN field, however no reputable public CA will sign a cert with a private IP in the SANs. If you owned a public IP, then they might sign the csr assuming you can prove ownership.

Re: ISE Identity Certificate.

grabonlee — Wed, 22 Jul 2020 17:51:40 GMT

@Damien Miller

CN=ise.mydomain.com
SAN=ise.mydomain.com
SAN=node1.mydomain.com
SAN=node2.mydomain.com
SAN=guestportal.mydomain.com

Based on the example you gave above, can the CN=ise.mydomain.com be a DNS Alias for PSN1 and PSN2 instead of an A record? Does it even need to exist in DNS?

Thanks

Re: ISE Identity Certificate.

Damien Miller — Wed, 22 Jul 2020 23:35:19 GMT

The CN, in this example ise.domain.com, can exist in DNS or not. It's flexible and up to you, it can be a real node, it can just be an alias, it could be a guest portal, the option is yours there.

In most cases I have seen, the CN doesn't have a DNS record anymore because it is just an old legacy fqdn from a radius servers in the past. Nothing stopping a person from defining it though.

Re: ISE Identity Certificate.

grabonlee — Thu, 23 Jul 2020 02:55:20 GMT

Thanks for responding, given that the post is old. Based on what you said, I guess that the CN would be relevant if a public cert with no SAN is used, which I’ve mostly seen used for guest portal, but for private domain, a DNS for a “generic” CN isn’t relevant.

Re: ISE Identity Certificate.

Damien Miller — Thu, 23 Jul 2020 03:10:43 GMT

Either or, you could structure a both public ca cert or internal pki cert the same way, really up to how one want's to use it within the deployment.