3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

mitchp75
Level 1

I'm looking for a best-practice process for replacing an expiring 3rd-party certificate used for Admin/EAP. I inherited a six-node deployment, and each node has the same certificate imported for both roles. Do all nodes need to have the same cert for both roles? It seems like the Admin/MnT nodes would only need to have an Admin cert, and the PSNs would need both or one?

Also, is this still the process: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200295-Install-a-3rd-party-CA-certificate-in-IS.html

If only one certificate is used and imported on each node to replace the existing one, is there a document that shows that replacement process, or is the install document the best available?

Thank you!!

4 Accepted Solutions

Arne Bier
VIP

I have seen this question a few times, and it would be nice to have a clear and concise document on CCO for easy access. For what it's worth, I'll give you my experience, and I would like to hear from others too.

You're right - the EAP cert is only needed on those nodes (PSNs) that are used for 802.1X - you may have some PSNs that are doing TACACS only - in that case, of course, you don't need the EAP cert. Install only where needed. BUT - and here is my personal take on this - EVERY node needs a cert for EVERY role, whether it's used or not. ISE does not let you build a node that doesn't have a cert of each kind, albeit a self-signed cert. This means that EAP certs will always expire - and sure, you can leave an expired EAP cert on an Admin node and nothing bad will happen (except alarms and constant syslogs). Therefore I usually create 10-year self-signed certs for those nodes that don't need the cert, but also to avoid the cert expiration issue.

As for renewal: EAP is easy. You click on the install cert, select the node and go! Nothing bad happens (no application restarts).

Admin certs are more intrusive - when you install a new admin cert on a node, it will restart processes and cause downtime. I would imagine that this new cert has to have a CA trust relationship to the PAN CA chain, so that when the node restarts, it builds a TLS connection to the PAN again. This is easily done if the ISE Admin cert comes from a public CA or your PKI, where the Root CA cert is installed on all nodes.

As for the order in which to replace certs ... I would start with the PSNs, waiting for the restarts to complete, of course. And then move to the Standby MnT, Standby PAN, and then finally the primary nodes. But I don't know/think it makes too much difference. But keen to know from others.

pan
Cisco Employee

Arne has covered most of the things. You can use the following doc, which has all the info you need; the procedure is the same for ISE 2.x versions.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200295-Install-a-3rd-party-CA-certificate-in-IS.html

Images are missing in the doc, but you should be able to understand.

anthonylofreso
Level 4

Great post, great responses. I'll add some additional info, just a copy/paste from a course I took a while back. This doesn't necessarily relate to your question, but is generally good 'rule-of-thumb' info:

  • ISE Certificates Best Practices
    • Ensure that all certificate CN names can be resolved by DNS
    • Use lower case for appliance hostname, DNS name, certificate CN
    • ISE cert CSR: Use format "CN=<FQDN>" for subject name
    • Ensure time is synced: use NTP with UTC for all nodes
    • Signed by Trusted CA - required for each node
      • For external users/guests, certs should be signed by 3rd-party CA
    • Install entire certificate chains as individual certs into ISE trust store
    • Use PEN, not DER encoding for import/export operations
  • ISE certificates best practices include such recommendations as:
    • Time correctly synced by NTP on all nodes.
    • All certificates for external users/guests must be signed by a trusted CA
    • PEM encoding is preferable over DER encoding.
    • When running the ISE Setup wizard, use lowercase for hostname.
      • Do not use self-signed certificates in production networks (I break this rule)
    • Certificates are used for all portal communication and EAP
      • Using a certificate that is already trusted by most clients is a major benefit, especially for guests or visitors not part of corporate PKI

Hi, good info.

You have a small typo: it's PEM not PEN.

Maybe it's worth mentioning that ISE supports multi-SAN certificates as well as wildcard. It can make life easier if you don't mind the security risk.

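As an added example (not from this thread or from Cisco), here is a small POSIX shell audit built on the openssl CLI that checks a node certificate against the points raised above: PEM rather than DER encoding, a lowercase FQDN in the CN, the node name in the SAN (including the multi-SAN case mentioned in the last reply), days left before expiry, and whether it is self-signed. The sample certificate, the node name ise-psn1.example.com and the 90-day warning threshold are constructed for the demo, and OpenSSL 1.1.1 or newer is assumed for -addext.

```shell
# Added example (not from the thread or Cisco docs): audit an ISE node cert with
# the openssl CLI against the rules discussed: PEM not DER, lowercase FQDN CN,
# SAN entry, expiry window and self-signed status. Assumes OpenSSL 1.1.1+.
set -eu

# True if $1 is PEM-encoded; ISE imports and the install doc assume PEM.
cert_is_pem() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }
# Convert a DER certificate ($1) to PEM ($2).
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }
# Subject CN of $1 (RFC2253 form keeps the output stable across OpenSSL versions).
cert_cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }
# True if the CN is an all-lowercase FQDN (hostname/DNS/CN case rule from the list).
cn_is_lowercase_fqdn() { cert_cn "$1" | grep -Eq '^[a-z0-9-]+(\.[a-z0-9-]+)+$'; }

# True if the SAN extension of $1 lists DNS name $2 (clients match on SAN, not CN).
san_has_dns() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | tr -d ' ' | grep -qx "DNS:$2"
}

# True if cert $2 expires within $1 days (-checkend exits 0 while still valid then).
cert_expires_within() { ! openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )); }

# True if issuer equals subject, i.e. the cert is self-signed.
cert_is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  [ "$s" = "$i" ]
}

# Run every check on cert $1 for node FQDN $2; prints findings, returns the failure count.
audit_node_cert() {
  f=0
  cert_is_pem "$1"          && echo "ok   PEM encoding"         || { echo "FAIL not PEM"; f=$((f+1)); }
  cn_is_lowercase_fqdn "$1" && echo "ok   CN is lowercase FQDN" || { echo "FAIL CN case/FQDN"; f=$((f+1)); }
  san_has_dns "$1" "$2"     && echo "ok   SAN lists $2"          || { echo "FAIL SAN lacks $2"; f=$((f+1)); }
  cert_expires_within 90 "$1" && { echo "WARN <90 days left, schedule replacement"; f=$((f+1)); } \
    || echo "ok   more than 90 days left"
  cert_is_self_signed "$1"  && echo "note self-signed (only for an unused role)" || echo "ok   CA-signed"
  return "$f"
}

# Constructed sample: a 10-year self-signed PSN cert like the ones described above.
DEMO=$(mktemp -d)/ise-psn1
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=ise-psn1.example.com" \
  -addext "subjectAltName=DNS:ise-psn1.example.com,DNS:ise.example.com" \
  -keyout "$DEMO.key" -out "$DEMO.pem" 2>/dev/null
openssl x509 -in "$DEMO.pem" -outform DER -out "$DEMO.der"   # DER copy for der_to_pem
audit_node_cert "$DEMO.pem" ise-psn1.example.com || echo "$? check(s) need attention"
```

Point it at each node's exported Admin and EAP certificate to see which ones are close to expiry before scheduling the PSN-first replacement order described above.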
