Beginner

What certificates do I need for distributed ISE nodes?

When I am configuring a distributed ISE deployment, what certificates do I need on each node? I have a PAN, secondary PAN, and 3 PSNs in my network. I have an admin cert for all of the nodes, and an EAP, DTLS, and portal cert on the Primary admin node. Do I need all of these for every node? The documentation isn't very clear on what is needed for every node. If I have a deployment with 50 PSNs, do I need to make 150 cert requests? That seems pretty crazy.

1 ACCEPTED SOLUTION
Hall of Fame Master

Re: What certificates do I need for distributed ISE nodes?

Thus far responders haven't mentioned your portals. If you are using any portals (Guest, BYOD, Self-Registration, etc.) the certificate for them must be on any PSNs that will be serving the portal up. That could be one, two or all of your PSNs, depending on your deployment design.

 

For portals we typically use one certificate with multiple SANs. So like guest.company.com, byod.company.com, etc. Many customers prefer to keep those distinct from the actual node server certificates used for administration and inter-node communications (i.e., ise-1.company.com, ise-2.company.com, etc.).

 

The latter can be self-signed but personally that bugs me. If there's not an in-house CA already I try to get the customer to set up the role - it's relatively straightforward to do and within an hour you can set up a Windows Server CA server and start issuing legitimate certificates. Push trust of that via GPO and then all your in-house domain PCs will trust them.

7 REPLIES
Cisco Employee

Re: What certificates do I need for distributed ISE nodes?

You can have one certificate per node or a wildcard certificate. One cert can be used for all three roles: admin, portal, EAP.

Beginner

Re: What certificates do I need for distributed ISE nodes?

So, just an admin certificate for each PSN and secondary PAN will do it all? I don't need an EAP, DTLS, etc. cert for each node in the deployment?

Cisco Employee

Re: What certificates do I need for distributed ISE nodes?

Each node will have a self-signed certificate. Each node needs its own certificate. A certificate can have the following roles:

- Admin
- Portal
- EAP
- pxGrid
- RADIUS DTLS

The Portal role is needed for guest, BYOD, etc.

EAP is needed for dot1x.

Admin is used while accessing the GUI of ISE and when ISE nodes are in a deployment.

The Admin certificate should be unique if you are not using a wildcard certificate. EAP can be shared.

Cisco Employee

Re: What certificates do I need for distributed ISE nodes?

Trying to keep it short:

1. To join a node in a distributed deployment, you need at least 1 certificate with Admin usage assigned to it.
2. If the node you are joining is intended for RADIUS authentications or Portal Service (Guest/BYOD/Posture) or pxGrid, then you can assign those specific usages to a single certificate (you can use the same one that you used for admin as well) or you can assign those usages to different certificates by installing them first.

Having said that, each feature has a specific requirement for a certificate and you can use the certificate only if that requirement is met.

For example, the Admin certificate needs to have the complete FQDN of the node in the CN or SAN field (adding the IP address as well in the SAN is usually recommended). pxGrid requires the certificate to have "Client Authentication" as well in the Enhanced Key Usage, etc.

At the end of the day, each of the ISE nodes is a separate server and it needs its own set of certificates to use when requested by a feature.
Rising star

Re: What certificates do I need for distributed ISE nodes?

Hi,

 

The certs you need to manage are entirely a matter of the functionality you demand of your deployment. Here are some examples:

 

1) Secure syslog remote targets: When you configure validation of certificates (under logging targets), it requires that the trust chain public certs are located in the Trusted Certificates and each node must have an Admin role cert which is issued by this trust chain. If you choose to ignore validation, this isn't a problem. You will need to check mark that you are willing to use the Trusted Certs for authenticating syslogs.

 

2) EAP-TLS: Again, you need to have an up-to-date Trusted Certificates store, and you need to enable the trusted certs for EAP client authentication. When a supplicant challenges your PSN's EAP certificate you will need a full chain of trust for the mutual authentication to pass.

 

3) SAML and pxGrid also require the certificates to be trusted for the pxGrid subscribers to authenticate one another.

 

What is important is that for any node which is issued a certificate, do so via CSR, and when you get the cert make sure to bind it to that node. You must bind it from the CSR window in order for the private key to be associated with that cert.

 

It requires a bit of maintenance every now and again, but it isn't overly complicated. Just make sure that you know what kind of authentication requires PKI and document how to update these certificates for when they are near expiry.

Contributor

Re: What certificates do I need for distributed ISE nodes?

You can clone a certificate (and the private key) and use it on multiple nodes either for a single purpose (e. g. Admin) or multiple purposes (e. g. Admin, EAP, Portal). The only necessary condition is that this certificate contains the FQDNs of all the nodes as Subject Alternative Name (SAN).
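As an added example, not code from any poster in this thread or from Cisco: a small Python model of the rules the replies lay out (an Admin certificate on every node carrying that node's FQDN in CN or SAN, Client Authentication EKU for pxGrid, a portal certificate that covers the portal FQDNs on the PSNs serving them, and a cloned certificate whose SAN names every node), run against the asker's five-node deployment under a hypothetical company.com domain. It also counts how many certificates each strategy actually needs, which answers the "150 cert requests" worry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    cn: str
    sans: frozenset = frozenset()               # DNS names in the Subject Alternative Name
    eku: frozenset = frozenset({"serverAuth"})  # Enhanced Key Usage, by short name

def name_matches(pattern: str, fqdn: str) -> bool:
    """Exact match, or a single-label wildcard: *.company.com covers ise-1.company.com only."""
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:]) and fqdn.count(".") == pattern.count(".")
    return pattern == fqdn

def covers(cert: Cert, fqdn: str) -> bool:
    return any(name_matches(n, fqdn) for n in {cert.cn, *cert.sans})

def check_deployment(nodes: dict, certs: dict, portal_fqdns=()) -> list:
    """nodes: node FQDN -> {usage: cert id}. An empty result means the plan meets the thread's rules."""
    findings = []
    for fqdn, usages in nodes.items():
        if "Admin" not in usages:
            findings.append(f"{fqdn}: no Admin certificate, node cannot join the deployment")
        for usage, cid in usages.items():
            cert = certs[cid]
            if usage == "Admin" and not covers(cert, fqdn):
                findings.append(f"{fqdn}: {cid} does not carry this node's FQDN in CN/SAN")
            if usage == "pxGrid" and "clientAuth" not in cert.eku:
                findings.append(f"{fqdn}: {cid} lacks the Client Authentication EKU pxGrid needs")
            if usage == "Portal":
                findings += [f"{fqdn}: portal cert {cid} does not cover {p}" for p in portal_fqdns if not covers(cert, p)]
    return findings

# Constructed sample: the asker's PAN, secondary PAN and three PSNs under a hypothetical company.com.
NODES = ["ise-pan1", "ise-pan2", "ise-psn1", "ise-psn2", "ise-psn3"]
FQDNS = [f"{n}.company.com" for n in NODES]
PORTALS = ("guest.company.com", "byod.company.com")

def per_node_plan() -> tuple:
    """One Admin cert per node, one shared EAP cert, one multi-SAN portal cert: 7 CSRs for 5 nodes."""
    certs = {f"admin-{n}": Cert(cn=f"{n}.company.com") for n in NODES}
    certs["eap-shared"] = Cert(cn="eap.company.com")
    certs["portal"] = Cert(cn="guest.company.com", sans=frozenset(PORTALS))
    nodes = {f"{n}.company.com": {"Admin": f"admin-{n}"} for n in NODES}
    for psn in NODES[2:]:  # only the PSNs do RADIUS/EAP and serve portals
        nodes[f"{psn}.company.com"].update({"EAP": "eap-shared", "Portal": "portal"})
    return nodes, certs

def cloned_plan() -> tuple:
    """One cert cloned (with its key) to every node: its SAN must list every node FQDN, plus clientAuth for pxGrid."""
    shared = Cert(cn="ise.company.com", sans=frozenset(FQDNS + list(PORTALS)), eku=frozenset({"serverAuth", "clientAuth"}))
    return {f: dict.fromkeys(("Admin", "EAP", "Portal", "pxGrid"), "shared") for f in FQDNS}, {"shared": shared}
```

Swapping a node's cert id for one whose SAN omits that node, or dropping its Admin usage, reproduces the failures the replies warn about; the wildcard matcher only spans one label, so `*.company.com` does not cover a node named under a sub-domain.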