Beginner

How To: Implement ISE Server-Side Certificates document

Hi Forum,

In this document (page 14), where you use the same cert on all PSNs... I'm planning to use the same cert on all PSNs only for EAP authentication. The CN in the cert will be something like aaa.company.localdomain.

my questions:

Doesn't the hostname of every PSN have to be aaa.company.localdomain? Otherwise the hostname won't match the CN and the client supplicant would reject the cert?

Let me know.

Thanks,

6 Replies
Cisco Employee

Re: How To: Implement ISE Server-Side Certificates document

Check this out

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0111.html#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2

Beginner

Re: How To: Implement ISE Server-Side Certificates document

Are you trying to point at wildcard certs?

Windows machines don't support RADIUS auth to a wildcard cert!

Cisco Employee

Re: How To: Implement ISE Server-Side Certificates document

Yes, actually they do, with a wildcard in the SAN; it's shown on the admin guide page.

Otherwise you would need to have one cert with the following (each host will resolve to the SAN name):

CN: aaa.domain.local

SAN: aaa.domain.local

Then every PSN hostname:

Psn1.domain.com

PSN2.

Psn3

Sponsor.domain.com

Mydevices.domain.com

Etc.

This works OK if your hosts are static, but if you want to add more PSNs or other services later, you would need to purchase another cert.

Beginner (Accepted Solution)

Re: How To: Implement ISE Server-Side Certificates document

I think I caused some confusion.

Sponsors and portals are out of the picture. This is purely for EAP auth.

If the CN is aaa.company.localdomain

and there are no SANs (as far as I know the SAN is not evaluated in a RADIUS transaction),

should it matter what the hostname of my PSNs is, as long as the root CA is trusted?

Cisco Employee

Re: How To: Implement ISE Server-Side Certificates document

You are correct on this.

Collaborator

Re: How To: Implement ISE Server-Side Certificates document

As long as the root (the signing CA cert) is trusted by your Windows supplicant, the CN field of your PEAP cert doesn't matter. I named mine "psn.xxx.xxx.org"; it works fine for all my PSN nodes that share the cert. (Note: obviously my PSN nodes have their own unique FQDNs.)
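The following is an added example, not code from the thread or from Cisco ISE. It models the name-coverage check an administrator can run before putting one certificate on every PSN, for both the explicit SAN list described in the reply above and the wildcard alternative. The thread's point stands: a supplicant that decides trust on the signing CA alone does no such comparison, so a PSN whose FQDN is not in the certificate is not rejected for that reason. Anything that does compare a presented name, such as a supplicant configured to verify the server name or a browser reaching a portal on that PSN, applies rules like these. The hostnames `psn4.domain.com`, `*.domain.com` and `domain.com` are constructed for the example; the others are placeholders taken from the thread.

```python
"""Which hostnames does one shared EAP server certificate cover?

Added example, not code from the forum thread or from Cisco ISE.
"""
from __future__ import annotations


def _label_match(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name against one hostname.

    Matching follows the RFC 6125 style: case-insensitive, a wildcard must be
    the entire leftmost label ("*.domain.com") and covers exactly one label, so
    "*.domain.com" matches "psn4.domain.com" but neither "domain.com" nor
    "a.psn4.domain.com".
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".domain.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def covered_hosts(cn: str, san_dns: list[str], hosts: list[str]) -> dict[str, bool]:
    """Map each hostname to whether the certificate's names cover it.

    The CN is consulted only when the certificate carries no DNS SAN entries,
    which is the fallback RFC 6125 permits; once a DNS SAN is present the CN
    is ignored for name matching.
    """
    names = list(san_dns) if san_dns else [cn]
    return {h: any(_label_match(n, h) for n in names) for h in hosts}


def san_extension(names: list[str]) -> str:
    """Build the subjectAltName line for an OpenSSL CSR config section."""
    return "subjectAltName=" + ",".join(f"DNS:{n}" for n in names)


if __name__ == "__main__":
    # Constructed names; the psn/sponsor/mydevices ones mirror the thread.
    psns = ["psn1.domain.com", "psn2.domain.com", "psn3.domain.com"]
    portals = ["sponsor.domain.com", "mydevices.domain.com"]
    later = ["psn4.domain.com"]  # a PSN added after the cert was issued

    # Case 1: CN only, no SAN. Only the CN itself is covered; no PSN FQDN is.
    print(covered_hosts("aaa.domain.local", [], ["aaa.domain.local"] + psns))

    # Case 2: explicit SAN list. Listed hosts are covered; psn4 is not,
    # which is why adding a PSN later means a new certificate.
    explicit = ["aaa.domain.local"] + psns + portals
    print(san_extension(explicit))
    print(covered_hosts("aaa.domain.local", explicit, psns + portals + later))

    # Case 3: wildcard SAN. psn4 is covered without reissuing; the bare
    # apex "domain.com" is not.
    wild = ["aaa.domain.local", "*.domain.com"]
    print(covered_hosts("aaa.domain.local", wild, psns + later + ["domain.com"]))
```

Because a supplicant that checks only the signing CA accepts any server certificate that CA issued, the names in the certificate are what a supplicant configured to verify the server name has to work with; the output of `san_extension` is the line to drop into the CSR config if the explicit-list approach from the reply above is chosen.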