10-31-2018 02:36 PM
I'm looking for a best practice process for replacing an expiring 3rd party certificate used for Admin/EAP. I inherited a six-node deployment, and each node has the same certificate imported for both roles. Do all nodes need to have the same cert for both roles? It seems like the Admin/MnT nodes would only need to have an Admin cert, and the PSNs need both, or one?
Also is this still the process: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200295-Install-a-3rd-party-CA-certificate-in-IS.html
If only one Certificate is used and imported on each node to replace the existing one, is there a document that shows that replacement process or is the install document the best available?
Thank you!!
10-31-2018 03:07 PM
I have seen this question a few times and it would be nice to have a clear and concise document on CCO for easy access. For what it's worth, I'll give you my experience, and I would like to hear from others too.
You're right - the EAP cert is only needed on those nodes (PSNs) that are used for 802.1X - you may have some PSNs that are doing TACACS only - in that case, of course, you don't need the EAP cert. Install only where needed. BUT - and here is my personal take on this - EVERY node needs a cert of EVERY role, whether it's used or not. ISE does not let you build a node that doesn't have a cert of each kind, albeit a self-signed cert. This means that EAP certs will always expire - and sure, you can leave an expired EAP cert on an Admin node and nothing bad will happen (except alarms and constant syslogs). Therefore I usually create 10-year self-signed certs for those nodes that don't need the cert, but also to avoid the cert expiration issue.
As for renewal: EAP is easy. You click on the install cert, select the node and go! Nothing bad happens (no application restarts).
Admin certs are more intrusive - and when you install a new admin cert on a node, it will restart processes and cause downtime. I would imagine that this new cert has to have a CA trust relationship to the PAN CA chain, so that when the node restarts, it builds a TLS connection to the PAN again. This is easily done if the ISE Admin cert comes from a public CA or your PKI, where the Root CA cert is installed on all nodes.
As for the order in which to replace certs ... I would start with PSNs, waiting for the restarts to complete of course. And then move to Standby MnT, Standby PAN, and then finally the primary nodes. But I don't know/think it makes too much difference. But keen to know from others.
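The expiry alarms mentioned above are easier to stay ahead of with a scheduled audit of the Admin certificate each node presents on its GUI port. The script below is an added example, not code from the thread or from Cisco: node hostnames, the trust-store path and the 60-day threshold are placeholders, and it only covers the Admin/HTTPS cert, since the EAP cert is presented inside EAP-TLS and is not visible to a plain TLS probe.

```python
"""Audit Admin (HTTPS) certificate expiry across ISE nodes (added example)."""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 60  # assumed renewal lead time; tune to your change window


def cert_time(s: str) -> datetime:
    """Parse an X.509 time string as returned by getpeercert(),
    e.g. 'Oct 31 14:36:00 2019 GMT', into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(s), tz=timezone.utc)


def days_remaining(not_after: str, now=None) -> int:
    """Whole days until 'notAfter'; negative means already expired."""
    now = now or datetime.now(timezone.utc)
    return (cert_time(not_after) - now).days


def classify(days: int, warn_days: int = WARN_DAYS) -> str:
    if days < 0:
        return "EXPIRED"
    return "RENEW-SOON" if days <= warn_days else "OK"


def fetch_peer_cert(host: str, cafile: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the parsed Admin certificate from one node. The chain must verify
    against cafile (your PKI root, or the node's own self-signed cert): with
    verification disabled, Python's getpeercert() returns an empty dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(nodes, fetch, now=None, warn_days: int = WARN_DAYS) -> dict:
    """Return {host: (days_left, status)}. 'fetch' is injectable so the
    evaluation logic can be exercised without network access."""
    report = {}
    for host in nodes:
        days = days_remaining(fetch(host)["notAfter"], now)
        report[host] = (days, classify(days, warn_days))
    return report


if __name__ == "__main__":
    # Placeholder hostnames and trust-store path; replace with your own.
    nodes = ["ise-psn-1.example.com", "ise-mnt-1.example.com", "ise-pan-1.example.com"]
    for host, (days, status) in audit(
        nodes, lambda h: fetch_peer_cert(h, cafile="/path/to/your-root-ca.pem")
    ).items():
        print(f"{host:32} {days:5d} days  {status}")
```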
10-31-2018 06:28 PM
Arne has covered most of the things. You can use the following doc, which has all the info you need; the procedure is the same for ISE 2.x versions.
Images are missing in the doc but you should be able to understand.
11-01-2018 04:26 AM
Great post, great responses. I'll add some additional info. Just copy / paste from a course I took a while back. This doesn't necessarily relate to your question, but is generally good 'rule-of-thumb' info:
11-02-2018 06:57 AM