ISE ERS seems to map to the Admin Certificate, can this be changed?

riwakefi
Level 1

So the ISE Admin cert seems to map to ports 80, 443, and 9060 for the ERS services. The portals are customizable (port and certificate group).

Question: 

Is there a way for the ERS/9060 to be mapped to a certificate other than the Admin certificate? 

13 Replies

paul
Level 10

I don't believe there is a way to change the ERS port to use anything other than the admin cert.  Why would the cert matter for your ERS applications?  Presumably you are writing the applications and can accept whatever cert ISE uses.

The situation is: This is an off-the-shelf application (TractionGuest) that, according to the manufacturer, cannot accept the import of additional Root/Intermediate CAs.

The proposed solution is to stand up a new ISE node, sync it with the current deployment, then make it Primary Admin and build it using a more friendly name and cert to accommodate this one application. Doing that is preferred over changing ISE names and certs on the existing nodes, which will impact the current user base.

I wanted to be sure there was no super secret way of using something other than the Admin cert for ERS. Thanks for the confirmation.

I don’t understand. Replacing the cert used for the admin node will only affect those connecting to it for administration purposes. It won’t affect those connecting to policy services using EAP for example

Will the traction system work with a well known cert?

Admin cert has to match the ISE name.

EAP cert has to match the ISE name.

Currently, ISE is called XYZ.customername.local, with a cert from a local CA.

To get a 3rd party cert for Admin, the ISE name would have to change to XYZ.customername.com. Third parties don't issue *.local certs, for obvious reasons. If I change the ISE name to XYZ.customername.com, I also have to change the EAP cert to include XYZ.customername.com. If I push a new EAP cert out, that impacts the clients.

EAP cert in no way has to match the ISE hostnames. The only cert that has to match the ISE hostname is the Admin cert. Keep the EAP cert as is and get a new public cert for Admin. Honestly, I would be suspect of TractionGuest. Not being able to import intermediate CA/Root CAs or turn off SSL cert validation is programming 101 when dealing with SSL applications.




I disagree. If the EAP cert doesn't match the ISE name the EAP client will reject it, I've reproduced this in a lab many times. Right now the customer uses 2 all-in-one nodes, both A and P nodes combined. So, it's easy enough to build a separate stand-alone A node and the EAP cert wouldn't even be used.

But I do agree, this application is suspect, but I have no say in the customer using it.

That is not true on the EAP cert at all.  That is a misconfiguration on the client's server validation.  I have an 18-node deployment with 10 RADIUS PSNs and the EAP cert is radius.mycompany.com.  Works perfectly fine.

What are your ISE names? I'll give it a try in a lab, I've tried this in the past and not had any luck with it, but it's been a while... 

isepsn01.mycompany.com

isepsn02.mycompany.com

....

isepsn10.mycompany.com



I have my windows supplicant configured to validate server certificate, only trust the internal CA and connect to radius.mycompany.com.


That could be part of the issue though: your domains at least match.

radius.mycompany.com

with 

ise1.mycompany.com

ise2.mycompany.com

etc.

My case is different, in that my cert would need to be:

radius.mycompany.com

with ISE names

ise1.mycompany.local

ise2.mycompany.local

But it's certainly worth trying it again in a lab.

Thanks for the heads up.

Let me know how your testing goes. I have all sorts of clients, many GPO controlled and many not, connecting to SSIDs doing 802.1x against this generic certificate.



This is an older whitepaper that Thomas put together:



https://community.cisco.com/t5/security-documents/how-to-implement-ise-server-side-certificates/ta-p/3630897



Here is an excerpt from it:

"EAP Identity: An ISE node has to identify itself to the EAP (dot1x) clients that are connecting to the network. This is securing the layer-2 EAP communication, and therefore the name of the identity does not have to be DNS resolvable, and does not have to match the name of the ISE node itself. The identity that must be protected could be the FQDN of the ISE node itself, or another value such as "aaa.security.demo.net" or "psn.ise.security.demo.net"."




Thanks, I'll give it a try. Appreciate the assistance.

I will follow up with 2 comments though, while I've got my soapbox handy:

1) Kind of scary if there are no host checks at all with 802.1X... That means a hacker that can nab any private key for any trusted 3rd party cert (and the cert) for a given company can stand up a rogue AP and RADIUS with that cert. If the WiFi client machine's WiFi profile isn't locked down to the 1 and only 1 Trusted CA it SHOULD be trusting (and an internal one...), clients won't have any CRL or hostname or anything to check to make sure the presenter of that cert matches the cert, just that the cert itself is legit, and can try to join and start sending creds--PEAP hashes or worse EAP-GTC clear text passwords... Yes, Private Keys should be guarded with our lives, but we know they often aren't...

2) Would still be nice to be able to select the ERS cert. It runs on a different port, so it would be nice to be able to re-map it, like we can do with portal groups mapped to different ports.

I liked it better when I knew I couldn't get the name mismatch to work, you burst my safe-space bubble.  ;)
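The two points argued over in this thread, whether an EAP server cert for a generic identity like radius.mycompany.com is accepted by a supplicant when the nodes are named isepsn01.mycompany.com and so on, and what happens when a profile trusts the whole OS store with no server-name check (the rogue RADIUS risk in comment 1), can be reproduced offline. The Go program below is an added example, not code from this thread, from Cisco ISE or from any supplicant vendor. It generates a throwaway internal CA, a stand-in "public" CA, an EAP server certificate and a rogue certificate in memory (all CA names, the www.example.org SAN and the serial numbers are constructed for the example), then runs the two checks a supplicant performs, chain-building to a trusted root and SAN match against the configured server name, using Go's x509.Verify as a model of that logic under each profile setting discussed above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign gives tmpl a fresh P-256 key and a one-day validity window, signs it with
// parent/parentKey (self-signed when parent is nil) and returns the parsed result.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a self-signed CA; the CA names used below are constructed for this example.
func newCA(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueServerCert issues a TLS server certificate for the given SAN names, signed by ca.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, sans []string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}

// SupplicantAccepts models the server-validation step of an EAP supplicant: the presented
// certificate must chain to one of the trusted roots and, when expectedName is non-empty,
// carry that name in its SANs. An empty expectedName models a profile with no server-name check.
func SupplicantAccepts(presented *x509.Certificate, trusted []*x509.Certificate, expectedName string) bool {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   expectedName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// RunChecks sets up the thread's scenario (EAP identity radius.mycompany.com on nodes named
// isepsn01.mycompany.com ...) plus a rogue certificate from a different CA that the OS happens
// to trust, and reports what a supplicant would decide under each profile configuration.
func RunChecks() map[string]bool {
	internalCA, internalKey := newCA("Corp Internal CA", 1)
	publicCA, publicKey := newCA("Some Public CA", 2) // stands in for any third-party CA in the OS store
	eapCert := issueServerCert(internalCA, internalKey, 10, []string{"radius.mycompany.com"})
	rogueCert := issueServerCert(publicCA, publicKey, 20, []string{"www.example.org"})
	internalOnly := []*x509.Certificate{internalCA}
	osStore := []*x509.Certificate{internalCA, publicCA}
	return map[string]bool{
		// Generic identity, pinned CA, name check on: accepted although no node is named radius.mycompany.com.
		"eap_pinned_ca_generic_name": SupplicantAccepts(eapCert, internalOnly, "radius.mycompany.com"),
		// Same cert, but the profile expects the node FQDN: rejected, the "name mismatch" seen in the lab.
		"eap_pinned_ca_node_fqdn": SupplicantAccepts(eapCert, internalOnly, "isepsn01.mycompany.com"),
		// Rogue RADIUS with any cert from a trusted public CA and no name check: accepted.
		"rogue_os_store_no_name_check": SupplicantAccepts(rogueCert, osStore, ""),
		// Rogue cert against a locked-down profile: rejected on both CA and name.
		"rogue_pinned_ca_generic_name": SupplicantAccepts(rogueCert, internalOnly, "radius.mycompany.com"),
	}
}

func main() {
	for name, ok := range RunChecks() {
		fmt.Printf("%-30s accepted=%v\n", name, ok)
	}
}
```

The first two results are the crux of the disagreement: the supplicant compares the cert against the server name configured in the profile, not against the node's hostname, so a generic identity works as long as the profile names that identity, and a profile that instead names isepsn01.mycompany.com rejects the same cert. The last two results are comment 1 in miniature: a profile that trusts the OS store and skips the name check accepts any server-auth cert from any trusted CA, while pinning the internal CA and the expected name rejects it. Real supplicants differ in detail from Go's verifier (wildcard handling, CN fallback, revocation), so treat this as a model of the logic rather than a reproduction of any one client.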
