ISE 2.4 BYOD certificate backup / restore

I'm finding it hard to understand the correct process of backup and restore for ISE with regards to BYOD and certificates.

I have a two node deployment with Primary PAN and Secondary PAN. BYOD is working and we have 300 registered devices with issued device certificates. The ISE is using the internal BYOD certificate authority server. The ISE admin/EAP certificate is self-signed on each node and the BYOD portal certificate is a public certificate on each node.

I have backed up the config from the Primary PAN. I have also manually exported, with keys, all the system certificates from each node. Now according to the documentation it states I should use the "application configure ise" command and export the internal CA store to a repository, which I have done.

However, what I'm confused about is what the next steps are. Some documentation states I should use "application configure ise" to import the CA store into the Secondary PAN in order for it to issue and manage certificates for endpoints when the PAN is down and you promote the Secondary Administration Node to be the PAN: "After you register the Secondary Administration Node, you must export the CA certificates and keys from the PAN and import them in to the Secondary Administration Node." (admin guide)

Other documentation says you only import after a disaster recovery. Some documentation states you should regenerate the Root CA after a rebuild, but wouldn't that affect the 300 clients, forcing a re-enrolment?

Has anyone ever restored from a PAN failure when using BYOD, and if so, what is the correct process?
Cisco Employee

Re: ISE 2.4 BYOD certificate backup / restore

The admin guide says:

"You must export the CA certificates and keys from the PAN to import them on the Secondary Administration Node. This option enables the Secondary Administration Node to issue and manage certificates for endpoints when the PAN is down and you promote the Secondary Administration Node to be the PAN."

This is needed only in case you have to promote your secondary node to Primary in case there is a failure with the Primary PAN.

Configuration backup does not back up certificates, and hence the export and import options of "application configure ise" have to be used manually.

More details can be found here: https://community.cisco.com/t5/security-documents/upgrading-to-identity-services-engine-2-1-in-a-distributed/ta-p/3655783#toc-hId-59122548

Thanks,

Nidhi

Beginner

Re: ISE 2.4 BYOD certificate backup / restore

Hi, yes, that's what the guide says. However, if I run the command on the Secondary PAN it says "certificates being imported do not match this devices hostname", so I cancelled it. Is this a standard warning, and should I ignore it?