Public Wildcard certificate for entire ISE installation?

tuenoerg
Cisco Employee

Hi all,

We are planning an entirely new ISE 2.0 installation and I'm looking into certificate options for the deployment.

The customer needs employee devices authenticated with EAP-TLS - and they have a running Microsoft PKI infrastructure they would like to reuse. They have certificates deployed to all corporate devices - with certs from their internal PKI infrastructure - deployed through GPO.

Besides that - they would like to use guest services - both wired and wireless and to some extent BYOD.

I have been looking at :

BRKSEC-3699 - Advanced - Designing ISE for Scale & High Availability (2016 Berlin) and

BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan)

But - I still need to have a best practice conclusion...

I would appreciate any input on the solutions below :

A:

Use internal CA to deploy certificates on ISE nodes (both adm, mnt and psn) with DNS names in local DNS zone (company.local)

Use a wildcard cert signed by a public CA for guest and sponsor portals (DNS name in public DNS zone - eg. company.com)

If I understand it right - we should make sure all PSN node names (or a wildcard prefix) are in the SAN part of the certificate on all ISE nodes. Is that right?

B:

Use a wildcard cert signed by a public CA for all nodes and guest/sponsor services - with DNS in local DNS zone (company.local)

Any other model that fits better, or input on the above solutions, will be of great value to me/us.

Best regards

Tue Noergaard

Consulting Systems Engineer

Cisco

Accepted Solution

hslai
Cisco Employee

Please take a look at this how-to guide — HowTo: Implement Cisco ISE and Server Side Certificates

Both your A and B have a bit of problems.

In A, ISE internal CA does not issue certificates for ISE nodes, at least not in the current shipping ISE releases. Are you referring to the self-signed certificates, then? Usually, our customers have internal PKI (e.g. Microsoft CA services) to sign certificates for internal web servers.

In B, CA/Browser Forum's Guidance on Internal Names says public CAs might not sign certificates with .local domains. Thus, we need a regular top-level domain for the end-user facing portals, such as guests or sponsors.
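
As an added example (not part of this thread or any Cisco code), the two rules raised above put into a small stdlib-only check: every node or portal name must be covered by a SAN entry (a wildcard covers exactly one left-most label), and a name in a private suffix such as .local cannot go on a certificate you intend to have a public CA sign. The node and portal names are constructed for illustration, and the internal suffixes beyond .local are an assumption.

```python
# Added example, not from the thread: check a proposed SAN list against the
# names it must cover and against the .local rule. Names are constructed.
ISE_NODES = ["ise-adm-01.company.local", "ise-mnt-01.company.local",
             "ise-psn-01.company.local", "ise-psn-02.company.local"]
PORTALS = ["guest.company.com", "sponsor.company.com"]
# Suffixes a public CA will not issue for: .local is the one the thread names,
# the others are further commonly reserved private suffixes (assumption).
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".home")


def is_internal_name(name):
    n = name.lower().rstrip(".")
    return n.endswith(INTERNAL_SUFFIXES) or "." not in n


def san_matches(san, hostname):
    """Match one dNSName SAN entry against a hostname. A wildcard must be the
    whole left-most label and matches exactly one label, so *.company.com
    covers guest.company.com but not company.com or a.guest.company.com."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # ".company.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return san == hostname


def check_cert_plan(san_entries, hostnames, public_ca):
    """Return {name: [problems]} for a certificate carrying san_entries that is
    meant to serve hostnames; an empty list means the name is fine."""
    report = {h: [] for h in hostnames}
    for h in hostnames:
        if not any(san_matches(s, h) for s in san_entries):
            report[h].append("not covered by any SAN entry")
        if public_ca and is_internal_name(h):
            report[h].append("internal name; a public CA will not issue for it")
    if public_ca:
        for s in san_entries:
            if is_internal_name(s):
                report.setdefault(s, []).append("SAN entry is an internal name")
    return report


if __name__ == "__main__":
    # Option B as first proposed: one public wildcard for everything in .local
    for name, problems in check_cert_plan(["*.company.local"], ISE_NODES + PORTALS, True).items():
        print(name, problems or "ok")
```

Running it with the adjusted option B (node and portal names under company.com, SAN `*.company.com`, public CA) reports no problems, which matches the observation that the adjusted A and B converge.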


Hi

Just to elaborate :

Solution A would be using their internal Microsoft PKI for the ISE certificates and not self signed certs.

Would that complete the A solution ?

Solution B could be adjusted to :

Use a wildcard cert signed by a public CA for all nodes and guest/sponsor services - with DNS in external DNS zone (company.com)


The customer has the external ZONE accessible from inside and outside.


Any comments?


Best regards


Tue

After your adjustments, A and B are looking the same to me. Am I missing anything?

If the deployment uses ISE client provisioning, posture, or BYOD on-boarding, please note that TCP 8905 uses the admin certificates. That should not be a problem on corporate-owned devices, which most likely have the root certificate of the internal Microsoft PKI installed and trusted.