Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1104
Views
3
Helpful
6
Replies

How To: Implement ISE Server-Side Certificates document

Go to solution
ffadhilpi
Level 1
Level 1

‎10-26-2017 01:54 PM

Hi Forum,

In this document (page 14) where u use the same cert on all PSN's.... I'm planning to use the same cert on all PSN's only for EAP authentication. CN in the cert will be something like aaa.company.localdomain

my questions:

Don't the hostname of every PSN has to be aaa.company.localdomain ??otherwise the hostname won't match the CN and client supplicant would reject the cert??

let me know.

thanks,

1 Accepted Solution

Accepted Solutions

Go to solution
ffadhilpi
Level 1
Level 1
In response to Jason Kunst

‎10-26-2017 04:27 PM

I think I caused a confusion.

Sponsors and portal are our of picture. This is purely for EAP auth.

If the CN is aaa.company.localdomain

and no SAN's (as far as I know SAN is not evaluated in a RADIUS transaction)

should it matter what the hostname of my PSNs is? as long as the root CA is trusted?!

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎10-26-2017 03:04 PM

Check this out

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0111.html#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2

0 Helpful

Go to solution
ffadhilpi
Level 1
Level 1
In response to Jason Kunst

‎10-26-2017 03:44 PM

are you trying to point wild card certs?

Windows machines don't support RADIUS auth to a wild card cert!

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to ffadhilpi

‎10-26-2017 03:58 PM

Yes, Actually they do, a wildcard in the SAN, it’s shown on the admin guide page

Otherwise you would need to have one cert with the following

Each host will resolve to the SAN name

CN aaa.domain.local

San aaa.domain.local

Then every host psn name

Psn1.domain.com<http://Psn1.domain.com>

PSN2.

Psn3

Sponsor.domain.com<http://Sponsor.domain.com>

Mydevices.domain.com<http://Mydevices.domain.com>

Etc

This works ok if your hosts are static but if you wanted to add more psn or other services later then you would need to purchase another cert

0 Helpful

Go to solution
ffadhilpi
Level 1
Level 1
In response to Jason Kunst

‎10-26-2017 04:27 PM

I think I caused a confusion.

Sponsors and portal are our of picture. This is purely for EAP auth.

If the CN is aaa.company.localdomain

and no SAN's (as far as I know SAN is not evaluated in a RADIUS transaction)

should it matter what the hostname of my PSNs is? as long as the root CA is trusted?!

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to ffadhilpi

‎10-26-2017 06:02 PM

You are correct on this.

0 Helpful

Go to solution
Ping Zhou
Level 8
Level 8
In response to ffadhilpi

‎10-27-2017 10:53 AM

As long as the root, the signing ca cert, is trusted by your Windows supplicant, the CN field of your PEAP cert doesn’t matter. I named my as “psn.xxx.xxx.org”, works fine for all my PSN nodes that share the cert. (note: obviously my PSN nodes have their unique FQDN)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents