04-19-2019 07:12 AM
We are integrating ISE with DNA-C, a Rockwell IoT controller and possibly some other systems for a customer that is using a wildcard SAN certificate from DigiCert for Admin, EAP and portals. What is the best path for pxGrid certificates, in this case as the customer would prefer to avoid using an internal CA? Ideally I'd like to bounce some ideas around with someone like John Eppich.
Many thanks.
Andrew
04-22-2019 07:47 PM
Not sure if you still have issues. ISE and DNAC integration guide explains it all.
Here are the certificate requirements for ISE and DNAC to talk to each other:
* The ISE CLI and GUI user accounts must use the same username and password.
* The ISE admin node certificate must contain the ISE IP address or fully-qualified domain name (FQDN) in either the certificate subject name or the SAN.
* The DNA Center system certificate must contain the DNA Center appliance IP or FQDN in either the certificate subject name or the SAN.
Not sure what version of DNAC and ISE you are using.
DNAC and ISE talk to each other using a few different ways (SSH, PxGrid, APIs).
So it is not a typical PxGrid peer like others. This is to keep in mind. Please make sure your NTP is synced and DNS works for the integration.
-Krishnan
04-19-2019 08:07 AM
They want to avoid using the ISE internal CA for pxGrid? While you can use other CAs for pxGrid I wouldn't recommend it. You are just making the whole administration of pxGrid and pxGrid clients more difficult. pxGrid certificates are used for authenticating access to pxGrid. pxGrid is only internal facing so I am not sure why they would want to use another CA.
Also if the wildcard cert has the wildcard in the Common Name field you will probably have 802.1x issues with some clients. I typically don't use wildcard certs for EAP authentication use case, but if the wildcard is in the SAN field it should be okay.
04-26-2019 06:49 AM
Paul,
Thanks for the response, appreciated as always.
I thought that the certificates used for ISE, DNAC, IoT controller, etc. all had to be issued by the same CA chain and as I understand it DNAC only supports one certificate, so I didn't want to issue it (or for the other systems) from ISE and have problems down the line. The customer wanted to avoid spinning up an internal CA which is the way I've done successful pxGrid integrations before. It looks from Krishnan's response and the DNAC documentation that my assumption was incorrect (and the ISE documentation provides no guidance that I can find!), so I can just use a self-signed cert in ISE, other certs issued to DNAC, IoT, etc. and mutually exchange them.
Cheers,
Andrew
04-09-2020 04:23 PM
So the self-signed cert in DNAC cannot be used?
Current cert name: CN=kong
Issuer: CN=kube-ca
Authority: Self signed
Expire: xx-yy-zzzz
05-18-2020 08:35 AM
It can be used as long as the node IP addresses are in the SAN field.
Thanks
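As an added example (not from any post in this thread), the script below shows the two practical sides of the requirement Krishnan and the last reply describe: it issues a self-signed node certificate whose SAN carries both the node FQDN and its IP address, and it checks any PEM certificate (such as DNA Center's self-signed CN=kong cert) for a given SAN entry. It assumes the openssl CLI is installed; the hostname and IP are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build a self-signed node cert whose
# SAN holds both FQDN and IP (the ISE/DNAC integration requirement), and
# check an existing PEM cert for those entries. Values are placeholders.
set -eu

NODE_FQDN="ise-admin.example.net"   # constructed placeholder
NODE_IP="192.0.2.10"                # constructed placeholder (TEST-NET-1)

# make_node_cert DIR FQDN IP: writes DIR/node.key and DIR/node.crt.
# CN holds the plain FQDN (no wildcard); SAN lists the FQDN and the IP.
make_node_cert() {
  dir=$1; fqdn=$2; ip=$3
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[dn]
CN = $fqdn
[ext]
subjectAltName   = DNS:$fqdn, IP:$ip
extendedKeyUsage = serverAuth, clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/node.key" -out "$dir/node.crt" \
    -config "$dir/san.cnf" >/dev/null 2>&1
}

# cert_san CERT: prints the SAN entries of a PEM cert, one per line
# (prints nothing when the cert has no SAN extension at all).
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | sed '1d' \
    | tr ',' '\n' | sed 's/^ *//'
}

# cert_has_san CERT NAME: exit 0 when NAME is a DNS or IP Address SAN entry.
cert_has_san() {
  cert_san "$1" | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# Demo run: issue into a temp dir and report what the cert carries.
work=$(mktemp -d)
make_node_cert "$work" "$NODE_FQDN" "$NODE_IP"
echo "SAN entries in $work/node.crt:"; cert_san "$work/node.crt"
if cert_has_san "$work/node.crt" "$NODE_IP"; then echo "node IP present in SAN"
else echo "node IP missing from SAN: reissue before integrating"; fi
```

To audit a certificate you already have, run `cert_san /path/to/cert.pem` and confirm every node IP and FQDN you expect appears.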