ISE 2.4 BYOD certificate backup / restore

firestartest
Level 1

I'm finding it hard to understand the correct process of backup and restore for ISE with regard to BYOD and certificates.

I have a two-node deployment with a Primary PAN and a Secondary PAN. BYOD is working and we have 300 registered devices with issued device certificates. ISE is using the internal BYOD certificate authority server. The ISE admin/EAP certificate is self-signed on each node and the BYOD portal certificate is a public certificate on each node.

I have backed up the config from the Primary PAN. I have also manually exported, with keys, all the system certificates from each node. Now, according to the documentation, I should use the "application configure ise" command and export the internal CA store to a repository, which I have done.

However, what I'm confused about is what the next steps are. Some documentation states I should use "application configure ise" to import the CA store into the Secondary PAN in order for it to issue and manage certificates for endpoints when the PAN is down and you promote the Secondary Administration Node to be the PAN: "After you register the Secondary Administration Node, you must export the CA certificates and keys from the PAN and import them in to the Secondary Administration Node." (admin guide)

Other documentation says you only import after a disaster recovery. Some documentation states you should regenerate the Root CA after a rebuild, but wouldn't that affect the 300 clients, forcing a re-enrolment?

Has anyone ever restored from a PAN failure when using BYOD, and if so, what is the correct process?

3 Replies

Nidhi
Cisco Employee

The admin guide says:

You must export the CA certificates and keys from the PAN to import them on the Secondary Administration Node. This option enables the Secondary Administration Node to issue and manage certificates for endpoints when the PAN is down and you promote the Secondary Administration Node to be the PAN.

This is needed only in case you have to promote your secondary node to primary, if there is a failure with the Primary PAN.

Configuration backup does not back up certificates, and hence the export and import options under "application configure ise" have to be used manually.

More details can be found here: https://community.cisco.com/t5/security-documents/upgrading-to-identity-services-engine-2-1-in-a-distributed/ta-p/3655783#toc-hId-59122548

Thanks,

Nidhi

Hi, yes, that's what the guide says. However, if I run the command on the Secondary PAN it says "certificates being imported do not match this devices hostname". So I cancelled it. Is this a standard warning, and should I ignore it?

r.westman
Level 1

I have a problem importing the CA certificates on the Secondary PAN. It is just a simple two-node deployment with the default configuration.

Exporting the CA certificates on the PAN (P) works fine, but importing the same CA certificates on the PAN (S) gives the following error message:

Certificates are not compliant. Try to export certificates and import again.

Operation aborted. CA keys file is not acceptable

Any ideas?

Thanks