Cisco ISE and certificates - design questions

Hello,
I am going to deploy a new ISE distributed setup (node1 - PAN(A)/MNT(S), node2 - PAN(S)/MNT(A), 2x PSN (node3/4)). All the personas are running on SNS-3615. The customer decided to buy all the required licenses - Base, Plus, Apex. I am going to configure 802.1X for wired/wireless (EAP-TLS), guest + BYOD (2 SSID flow) + posture (AnyConnect).
According to the config guide and my knowledge, ISE is going to accept/install the certificate only if it contains its own hostname in CN/SAN. For guest/BYOD portals I need a public certificate for ISE so that the end user would not get a cert warning in their browser. This means that the ISE hostname + domain name need to be public (i.e. company.com and NOT company.local (MS AD domain suffix)) - option 1.
Another option (option 2) is to use the MS AD domain name for ISE (company.local - Gig0) + use Gig1 with an IP host alias (company.com) - guest/BYOD portal on Gig1. Is that right?

I also came across information that the certificates for the Admin portal + EAP cert need to be public so that BYOD would work without any errors for Apple devices (cert requests/downloads run on port 8905 and use the Admin portal cert; the EAP cert needs to be public to avoid the "profile installation failed" error message in the case of Apple).
Is my understanding (all of the above) correct? To sum up:
Admin - public cert
EAP - public cert
Portal (guest,byod) - public cert
EAP-TLS client certs - private certs from the MS AD PKI (root chain certificates installed in the ISE trusted cert store).
ISE PSNs having only 1 IP/using Gig0 only.
Another question is related to portal redundancy (running on PSNs). To get that I need to use:
- 2 authz profiles with static redirection to guest1.company.com and guest2.company.com and 2 Authz policies using them (Network Access:ISE Host Name EQUALS node3 -> guest1, Network Access:ISE Host Name EQUALS node4 -> guest2)
- DNS round-robin for sponsor/mydevices portal
Is that right? Am I missing something?


Re: Cisco ISE and certificates - design questions


@Maciej Waliszko wrote:


According to the config guide and my knowledge, ISE is going to accept/install the certificate only if it contains its own hostname in CN/SAN. For guest/BYOD portals I need a public certificate for ISE so that the end user would not get a cert warning in their browser. This means that the ISE hostname + domain name need to be public (i.e. company.com and NOT company.local (MS AD domain suffix)) - option 1.

>> Correct so far


Another option (option 2) is to use the MS AD domain name for ISE (company.local - Gig0) + use Gig1 with an IP host alias (company.com) - guest/BYOD portal on Gig1. Is that right?

>> As we ascertained recently, using a TLD (top level domain) of .local is no longer a good practice. You can use something else like .net for example. There is an RFC relating to the current usage of .local

You don't need Gig1 for this. Gig1 is typically only used for guest portals if you want to host the guest portals on a DMZ (another VLAN). 


I also came across information that the certificates for the Admin portal + EAP cert need to be public so that BYOD would work without any errors for Apple devices (cert requests/downloads run on port 8905 and use the Admin portal cert; the EAP cert needs to be public to avoid the "profile installation failed" error message in the case of Apple).
Is my understanding (all of the above) correct?

>> Yes - it's a good practice - just ensure that you don't put a wildcard in the Subject Common Name, or in the SAN. Windows Supplicant doesn't like that.


To sum up:
Admin - public cert
EAP - public cert
Portal (guest,byod) - public cert
EAP-TLS client certs - private certs from the MS AD PKI (root chain certificates installed in the ISE trusted cert store).
ISE PSNs having only 1 IP/using Gig0 only.

>> Yes to all above


Another question is related to portal redundancy (running on PSNs). To get that I need to use:
- 2 authz profiles with static redirection to guest1.company.com and guest2.company.com and 2 Authz policies using them (Network Access:ISE Host Name EQUALS node3 -> guest1, Network Access:ISE Host Name EQUALS node4 -> guest2)

>> Yes unless you have a load balancer. But your answer is correct. Each PSN has the same programming and you have to tell the PSN to check for its own hostname, and then return the appropriate URL that sends the clients back to that PSN.


- DNS round-robin for sponsor/mydevices portal
Is that right? Am I missing something?

>> Yes - unless, you have a load balancer. That's a whole other discussion ...
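Added example (not from the thread and not Cisco's code): a small POSIX shell check, using openssl, for the two certificate rules discussed above, namely that ISE only binds a system certificate whose CN or SAN contains the node's own FQDN, and that no wildcard should appear in the CN or the SAN. The hostnames and the three self-signed certificates are constructed for the demo; it assumes openssl 1.1.1 or later (for -addext).

```shell
# Constructed demo: build throwaway self-signed certs and apply the two
# checks from the thread. ISE binds a system certificate only when its
# CN or SAN carries the node's own FQDN, and a wildcard in CN or SAN is
# to be avoided. Hostnames are invented; needs openssl 1.1.1+ (-addext).
set -e
WORK=$(mktemp -d)

# mkcert <name> <cn> <san-list>: self-signed cert for the demo only
mkcert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# check_ise_cert <pem> <fqdn>: returns 0 when the cert is usable as an
# ISE system certificate for that node, 1 (with a reason) otherwise
check_ise_cert() {
  pem=$1; host=$2
  cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  sans=$(openssl x509 -in "$pem" -noout -text \
       | grep -A1 'Subject Alternative Name' | tail -n1 \
       | tr ',' '\n' | sed -n 's/^ *DNS://p')
  # A wildcard anywhere in CN or SAN: the Windows supplicant rejects it
  case "$cn $sans" in
    *\**) echo "REJECT $pem: wildcard in CN/SAN"; return 1 ;;
  esac
  # The node's own FQDN must appear in CN or SAN, or ISE refuses the cert
  for name in $cn $sans; do
    [ "$name" = "$host" ] && { echo "OK $pem for $host"; return 0; }
  done
  echo "REJECT $pem: $host not in CN/SAN"; return 1
}

# Three constructed certificates for a PSN named ise-psn1.company.com
mkcert good  ise-psn1.company.com "DNS:ise-psn1.company.com,DNS:guest1.company.com"
mkcert wild  ise-psn1.company.com "DNS:*.company.com"
mkcert local ise-psn1.company.local "DNS:ise-psn1.company.local"

for c in good wild local; do
  check_ise_cert "$WORK/$c.pem" ise-psn1.company.com || true
done
```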

Re: Cisco ISE and certificates - design questions

Arne,

Thank you for the answers.