topic Re: certificate issue while integrating FTD with ISE in Network Security

certificate issue while integrating FTD with ISE

ciscoworlds — Fri, 21 Feb 2020 15:20:10 GMT

Hi.

I want to integrate FTD 6.2.2 with ISE 2.2 using PxGrid. To do the certification part, I have configured a Win 2008 R2 as my internal CA with just these roles installed.

This windows machine is member of my internal lab domain. While I enter "http://ipaddress/certsrv"on a client machine (which isn't a member of that domain) and follow "Request a Certificate" and then click on "Advanced Certificate Request", the following page appears, but as you can see there is no option to select Certificate Template.

Documents say that I need to request a certificate which uses "Web Server" certificate template. What did I miss?

Re: certificate issue while integrating FTD with ISE

Rob Ingram — Mon, 12 Feb 2018 13:12:55 GMT

Hi, It's strange that you don't have the dropdown box for the certificates, are you logged in as an administrator with full rights to request cert? Also the "Web Server" certificate you mentioned is not good enough, you'd have to create a new template an ensure the EKU of Server and Client authentication.

Alternatively you could use the internal ISE CA to sign the pxGrid certificates https://communities.cisco.com/docs/DOC-71928

Re: certificate issue while integrating FTD with ISE

ciscoworlds — Tue, 13 Feb 2018 06:37:21 GMT

The PC that I use to request the certificate is not a member of the domain but CA server is. I don't understand in which part I need to provide admin privilege. I even entered http://localhost/Certsrv on the CA server too but there was no option for Template again.

Re: certificate issue while integrating FTD with ISE

ciscoworlds — Sun, 25 Feb 2018 01:22:14 GMT

Any suggestion guys? isn't there anybody who has successfully integrated ISE with FTD?

Re: certificate issue while integrating FTD with ISE

Marvin Rhoads — Sun, 25 Feb 2018 05:46:44 GMT

I have it setup in my lab with a Windows Server 2016 AD DC providing certificate services. I have ISE, FMC, FTD, ESA, WSA, vWLC etc. all running with certificates issued by my DC.

It's odd to not see the option to select the certificate template on your certsrv page. You should have the option to select a Web server certificate.

Below are some screenshots from my setup.

Template management on the CA (Windows Server 2016)Template dropdown from the CA's web UIAppliances with CA-issued certificates

Re: certificate issue while integrating FTD with ISE

ciscoworlds — Sun, 25 Feb 2018 12:17:43 GMT

Hi. I completely removed all of the roles installed on CA server and disconnect it from the domain. Then reinstall the roles from the scratch & rejoin to domain. Now the option is shown there. I don't know what was the problem with Windows, but I'm tired of these stupid unknown Windows issues. Thanks for your replies.