cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
Register for the monthly ISE Webinars to learn about ISE configuration and deployment.
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

359
Views
20
Helpful
4
Replies
Beginner

3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

I'm looking for a best practice process for replacing an expiring 3rd party certificate used for Admin/EAP. I inherited a six node deployment and each node has the same Certificate for both roles imported, do all nodes need to have the same Cert for both roles? It seems like the Admin/MnT nodes would only need to have an Admin Cert and the PSN's need both or one?

 

Also is this still the process: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200295-Install-a-3rd-party-CA-certificate-in-IS.html  

 

If only one Certificate is used and imported on each node to replace the existing one, is there a document that shows that replacement process or is the install document the best available?

 

Thank you!!

4 ACCEPTED SOLUTIONS

Accepted Solutions
VIP Advocate

Re: 3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

I have seen this question a few times and it would be nice to have a clear and concise document on CCO for easy access.  For what it's worth I'll give you my experience and I would like to hear from other's too.

You're right - the EAP cert is only needed on those nodes (PSN's) that are used for 802.1X - you may have some PSN's that are doing TACACS only - in that case of course you don't need the EAP cert.  Install only where needed.  BUT - and here is my personal take on this.   EVERY node needs a cert of EVERY role, whether it's used or not.  ISE does not let you build a node that doesn't have a cert of each kind, albeit a self-signed cert.  This means that EAP certs will always expire - and sure, you can leave an expired EAP cert on an Admin node and nothing bad will happen (except alarms and constant syslogs).  Therefore I usually create 10 year self-signed certs for those nodes that don't need the cert, but also to avoid the cert expiration issue.

 

As for renewal.  EAP is easy.  You click on the install cert, select the node and go!  Nothing bad happens (no application restarts).

Admin certs are more intrusive - and when you install a new admin cert on a node, it will restart processes and cause downtime.  I would imagine that this new cert has to have a CA trust relationship to the PAN CA chain, so that when the node restarts, it builds TLS connection to the PAN again.  This is easily done if the ISE Admin cert comes from a public CA or your PKI, where the Root CA cert is installed on all nodes.

As for the order in which to replace certs ... I would start with PSN's, waiting for the restarts to complete of course. And then move to Standby MnT, STandby PAN, and then finally the primary nodes.  But I don't know/think it makes too much difference.  But keen to know from others.

pan Cisco Employee
Cisco Employee

Re: 3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

Arne have covered most of the things. You can use following doc which have all info you need the procedure is same for ise 2.x version.

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200295-Install-a-3rd-party-CA-certificate-in-IS.html

 

Images are missing in the doc but you should be able to understand.

Enthusiast

Re: 3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

Great post, great responses. I'll add some additional info. Just copy / paste from a course I took a while back. This doesn't necessarily relate to your question, but is generally good 'rule-of-thumb' info:

  • ISE Certificates Best Practices
    • Ensure that all certificate CN names can be resolved by DNS
    • Use lower case for appliance hostname, DNS name, certificate CN
    • ISE cert CSR: Use format "CN=<FQDN>" for subject name
    • Ensure time is synced: use NTP with UTC for all nodes
    • Signed by Trusted CD - required for each node
      • For external users/guests, certs should be signed by 3rd-party CA
    • Install entire certificate chains as individual certs into ISE trust store
    • Use PEN, not DER encoding for import/export operations
  • ISE certificates best practices include such recommendations as:
    • Correct synced by NTP time on all nodes.
    • All certificates for external users/guests must be signed by trusted CA
    • PEM encoding is preferable over DER encoding.
    • When running the ISE Setup wizard, use lowercase for hostname.
      • Do not use self-signed certificates in production networks (I break this rule)
    • Certificates are used for all portal communication and EAP
      • Using a certificate that is already trusted by most clients is a major benefit, especially for guests or visitors not part of corporate PKI
Rising star

Re: 3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

Hi, good info.

You have a small typo: it's PEM not PEN.

Maybe it's worth mentioning that ISE supports multi-SAN certificates as well as wildcard. It can make life easier if you don't mind the security risk.
4 REPLIES 4
VIP Advocate

Re: 3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

I have seen this question a few times and it would be nice to have a clear and concise document on CCO for easy access.  For what it's worth I'll give you my experience and I would like to hear from other's too.

You're right - the EAP cert is only needed on those nodes (PSN's) that are used for 802.1X - you may have some PSN's that are doing TACACS only - in that case of course you don't need the EAP cert.  Install only where needed.  BUT - and here is my personal take on this.   EVERY node needs a cert of EVERY role, whether it's used or not.  ISE does not let you build a node that doesn't have a cert of each kind, albeit a self-signed cert.  This means that EAP certs will always expire - and sure, you can leave an expired EAP cert on an Admin node and nothing bad will happen (except alarms and constant syslogs).  Therefore I usually create 10 year self-signed certs for those nodes that don't need the cert, but also to avoid the cert expiration issue.

 

As for renewal.  EAP is easy.  You click on the install cert, select the node and go!  Nothing bad happens (no application restarts).

Admin certs are more intrusive - and when you install a new admin cert on a node, it will restart processes and cause downtime.  I would imagine that this new cert has to have a CA trust relationship to the PAN CA chain, so that when the node restarts, it builds TLS connection to the PAN again.  This is easily done if the ISE Admin cert comes from a public CA or your PKI, where the Root CA cert is installed on all nodes.

As for the order in which to replace certs ... I would start with PSN's, waiting for the restarts to complete of course. And then move to Standby MnT, STandby PAN, and then finally the primary nodes.  But I don't know/think it makes too much difference.  But keen to know from others.

pan Cisco Employee
Cisco Employee

Re: 3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

Arne have covered most of the things. You can use following doc which have all info you need the procedure is same for ise 2.x version.

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-software/200295-Install-a-3rd-party-CA-certificate-in-IS.html

 

Images are missing in the doc but you should be able to understand.

Enthusiast

Re: 3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

Great post, great responses. I'll add some additional info. Just copy / paste from a course I took a while back. This doesn't necessarily relate to your question, but is generally good 'rule-of-thumb' info:

  • ISE Certificates Best Practices
    • Ensure that all certificate CN names can be resolved by DNS
    • Use lower case for appliance hostname, DNS name, certificate CN
    • ISE cert CSR: Use format "CN=<FQDN>" for subject name
    • Ensure time is synced: use NTP with UTC for all nodes
    • Signed by Trusted CD - required for each node
      • For external users/guests, certs should be signed by 3rd-party CA
    • Install entire certificate chains as individual certs into ISE trust store
    • Use PEN, not DER encoding for import/export operations
  • ISE certificates best practices include such recommendations as:
    • Correct synced by NTP time on all nodes.
    • All certificates for external users/guests must be signed by trusted CA
    • PEM encoding is preferable over DER encoding.
    • When running the ISE Setup wizard, use lowercase for hostname.
      • Do not use self-signed certificates in production networks (I break this rule)
    • Certificates are used for all portal communication and EAP
      • Using a certificate that is already trusted by most clients is a major benefit, especially for guests or visitors not part of corporate PKI
Rising star

Re: 3rd Party Certificate replacement for Admin/EAP Authentication - looking for best practices

Hi, good info.

You have a small typo: it's PEM not PEN.

Maybe it's worth mentioning that ISE supports multi-SAN certificates as well as wildcard. It can make life easier if you don't mind the security risk.