What certificates do I need for distributed ISE nodes?

Greg W
Level 1

When I am configuring a distributed ISE deployment, what certificates do I need on each node? I have a PAN, secondary PAN, and 3 PSNs in my network. I have an admin cert for all of the nodes, and an EAP, DTLS, and portal cert on the Primary admin node. Do I need all of these for every node? The documentation isn't very clear on what is needed for every node. If I have a deployment with 50 PSNs, do I need to make 150 cert requests? That seems pretty crazy.

12 Replies

pan
Cisco Employee

You can have one certificate per node or a wildcard certificate. One cert can be used for all three roles: admin, portal, EAP.

So, just an admin certificate for each PSN and secondary PAN will do it all? I don't need an EAP, DTLS, etc cert for each node in the deployment?

pan
Cisco Employee

Each node will have a self-signed certificate. Each node needs its own certificate. A certificate can have the following roles:

Admin

Portal

EAP

pxGrid

RADIUS DTLS

The Portal role is needed for guest, BYOD, ...

EAP is needed for dot1x.

Admin is used while accessing the GUI of ISE and when ISE nodes are in a deployment.

The Admin certificate should be unique if you do not have a wildcard certificate. EAP can be shared.

this reply is not helpful

Trying to keep it short:

1. To join a node in a distributed deployment, you need at least 1 certificate with Admin usage assigned to it.
2. If the node you are joining is intended for RADIUS authentications or Portal Service (Guest/BYOD/Posture) or pxGrid, then you can assign those specific usages to a single certificate (you can use the same one that you used for Admin as well) or you can assign those usages to different certificates by installing them first.

Having said that, each feature has a specific requirement for a certificate and you can use the certificate only if that requirement is met.

For example, the Admin certificate needs to have the complete FQDN of the node in the CN or SAN field (adding the IP address as well in the SAN is usually recommended). pxGrid requires the certificate to have "Client Authentication" as well in the Enhanced Key Usage, etc.

At the end of the day, each of the ISE nodes is a separate server and it needs its own set of certificates to use when requested by a feature.

better than the first answer.

Nadav
Level 7

Hi,

The certs you need to manage are entirely a matter of the functionality you demand of your deployment. Here are some examples:

1) Secure syslog remote targets: When you configure to validate certificates (under logging targets), it requires that the trust chain public certs are located in the Trusted Certificates and each node must have an Admin role cert which is issued by this trust chain. If you choose to ignore validation, this isn't a problem. You will need to check mark that you are willing to use the Trusted Certs for authenticating syslogs.

2) EAP-TLS: Again, you need to have an up-to-date Trusted Certificates store, and you need to enable the trusted certs for EAP client authentication. When a supplicant challenges your PSN's EAP certificate you will need a full chain of trust for the mutual authentication to pass.

3) SAML and pxGrid also require the certificates to be trusted for the pxGrid subscribers to authenticate one another.

What is important is that for any node which is issued a certificate, do so via CSR and when you get the cert make sure to bind it to that node. You must bind it from the CSR window in order for the private key to be associated with that cert.

It requires a bit of maintenance every now and again, but it isn't overly complicated. Just make sure that you know what kind of authentication requires PKI and document how to update these certificates for when they are near expiry.

this answer is not to the point, sorry

Marvin Rhoads
Hall of Fame
Accepted Solution

Thus far responders haven't mentioned your portals. If you are using any portals (Guest, BYOD, Self-Registration etc.) the certificate for them must be on any PSNs that will be serving the portal up. That could be one, two or all of your PSNs, depending on your deployment design.

For portals we typically use one certificate with multiple SANs, e.g. guest.company.com, byod.company.com etc. Many customers prefer to keep those distinct from the actual node server certificates used for administration and inter-node communications (i.e., ise-1.company.com, ise-2.company.com etc.).

The latter can be self-signed but personally that bugs me. If there's not an in-house CA already I try to get the customer to set up the role. It's relatively straightforward to do and within an hour you can set up a Windows Server CA and start issuing legitimate certificates. Push trust of that via GPO and then all your in-house domain PCs will trust them.

Peter Koltl
Level 7

You can clone a certificate (and the private key) and use it on multiple nodes either for a single purpose (e.g. Admin) or multiple purposes (e.g. Admin, EAP, Portal). The only necessary condition is that this certificate contains the FQDNs of all the nodes as Subject Alternative Names (SAN).
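The per-usage requirements stated in the thread (Admin needs the node FQDN in CN or SAN, pxGrid additionally needs the Client Authentication EKU, a portal cert needs the portal FQDNs in its SAN, and a cert cloned across nodes needs every node FQDN in its SAN) can be checked before binding a cert to a node. The script below is an added example, not Cisco's or ISE's code; it parses the text that `openssl x509 -noout -subject -ext subjectAltName,extendedKeyUsage` prints (a constructed sample is embedded), and the wildcard handling assumes a single-label match, i.e. `*.company.com` covers `ise-1.company.com` but not `a.b.company.com`.

```python
import re

# Constructed sample of openssl's text output for a cloned node cert.
SAMPLE_CERT_TEXT = """subject=C = US, O = Company, CN = ise-1.company.com
X509v3 Subject Alternative Name: 
    DNS:ise-1.company.com, DNS:ise-2.company.com, IP Address:10.1.1.11
X509v3 Extended Key Usage: 
    TLS Web Server Authentication
"""

def parse_cert_text(text):
    """Pull CN, DNS/IP SANs and EKU names out of openssl's -subject/-ext output."""
    cn = re.search(r"\bCN\s*=\s*([^,\n]+)", text)
    eku = re.search(r"Extended Key Usage:\s*(.+)", text)
    return {
        "cn": cn.group(1).strip() if cn else "",
        "dns": re.findall(r"DNS:([^,\s]+)", text),
        "ips": re.findall(r"IP Address:([^,\s]+)", text),
        "ekus": [e.strip() for e in eku.group(1).split(",")] if eku else [],
    }

def name_matches(pattern, fqdn):
    """Exact match, or a single-label wildcard (*.company.com covers ise-1.company.com only)."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern.startswith("*."):
        return "." in fqdn and fqdn.split(".", 1)[1] == pattern[2:]
    return pattern == fqdn

def covers(cert, fqdn):
    """True if the FQDN is present in the CN or one of the DNS SANs."""
    return any(name_matches(n, fqdn) for n in [cert["cn"], *cert["dns"]])

def check_usages(cert, node_fqdns, usages, portal_fqdns=()):
    """Return a list of problems for the requested usages; empty means the cert qualifies.
    node_fqdns lists every node the cert will be bound to (one entry for a per-node cert,
    all of them for a cloned cert)."""
    problems = []
    if "Admin" in usages:
        problems += [f"Admin: {n} not in CN/SAN" for n in node_fqdns if not covers(cert, n)]
    if "pxGrid" in usages and "TLS Web Client Authentication" not in cert["ekus"]:
        problems.append("pxGrid: missing Client Authentication EKU")
    if "Portal" in usages:
        problems += [f"Portal: {p} not in SAN" for p in portal_fqdns if not covers(cert, p)]
    return problems

if __name__ == "__main__":
    cert = parse_cert_text(SAMPLE_CERT_TEXT)
    # Cloned across ise-1..ise-3 with Admin+pxGrid usage: ise-3 and the EKU are missing.
    print(check_usages(cert, ["ise-1.company.com", "ise-2.company.com",
                              "ise-3.company.com"], {"Admin", "pxGrid"}))
```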

parasup
Level 5

What is baffling in all these community chats is that they never get to the point like Stack Overflow. Guys who do not understand the question OR do not know the answer try to answer.

When you add a node to a Primary node:
1. Which certificate is used? Is it the admin certificate? Each certificate has a purpose, so it would be nice to know which one is used.

2. Whichever certificate is used, if the issuer of the certificate for both nodes is the same CA and the CA certs are present in the Trusted Certificates, then is that good enough for the nodes to peer up?
Please do NOT answer if you did not understand the question OR are unsure of what happens inside ISE.

Prakash

I am quite sure what happens in ISE based on about 8 years of hands-on experience with it and multiple training classes and certifications specific to the product.

Q1. Which certificate is used?

A1. Admin certificate

Q2. Whichever certificate is used, if the issuer of the certificate for both nodes is the same CA and the CA certs are present in the Trusted Certificates, then is that good enough for the nodes to peer up?

A2. Yes it is.