
Best practices around certificate usage with pxGrid

andrew333
Level 4

We are integrating ISE with DNA-C, a Rockwell IoT controller and possibly some other systems for a customer that is using a wildcard SAN certificate from DigiCert for Admin, EAP and portals. What is the best path for pxGrid certificates in this case, as the customer would prefer to avoid using an internal CA? Ideally I'd like to bounce some ideas around with someone like John Eppich.


Many thanks.

Andrew

Accepted Solution

kthiruve
Cisco Employee

Not sure if you still have issues. The ISE and DNAC integration guide explains it all.

Here are the certificate requirements for ISE and DNAC to talk to each other:

* The ISE CLI and GUI user accounts must use the same username and password.

* The ISE admin node certificate must contain the ISE IP address or fully-qualified domain name (FQDN) in either the certificate subject name or the SAN.

* The DNA Center system certificate must contain the DNA Center appliance IP or FQDN in either the certificate subject name or the SAN.

Not sure what version of DNAC and ISE you are using.

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-1/install/b_dnac_install_1_1_0P2/b_dnac_install_1_1_0P2_chapter_010.pdf

DNAC and ISE talk to each other in a few different ways (SSH, pxGrid, APIs).

So it is not a typical pxGrid peer like the others. This is something to keep in mind. Please make sure your NTP is synced and DNS works for the integration.


-Krishnan

5 Replies

paul
Level 10

They want to avoid using the ISE internal CA for pxGrid? While you can use other CAs for pxGrid I wouldn't recommend it. You are just making the whole administration of pxGrid and pxGrid clients more difficult. pxGrid certificates are used for authenticating access to pxGrid. pxGrid is only internal facing so I am not sure why they would want to use another CA.


Also if the wildcard cert has the wildcard in the Common Name field you will probably have 802.1x issues with some clients.  I typically don't use wildcard certs for EAP authentication use case, but if the wildcard is in the SAN field it should be okay.

Paul,

Thanks for the response, appreciated as always.


I thought that the certificates used for ISE, DNAC, IoT controller, etc. all had to be issued by the same CA chain and as I understand it DNAC only supports one certificate, so I didn't want to issue it (or for the other systems) from ISE and have problems down the line. The customer wanted to avoid spinning up an internal CA which is the way I've done successful pxGrid integrations before. It looks from Krishnan's response and the DNAC documentation that my assumption was incorrect (and the ISE documentation provides no guidance that I can find!), so I can just use a self-signed cert in ISE, other certs issued to DNAC, IoT, etc. and mutually exchange them.


Cheers,

Andrew


So the self-signed cert in DNAC cannot be used?

Current cert name: CN=kong

Issuer: CN=kube-ca

Authority: Self signed

Expire: xx-yy-zzzz


It can be used as long as the node IP addresses are in the SAN field.


Thanks
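As an added example that is not part of this thread or of any Cisco tool, the following POSIX shell script uses the OpenSSL CLI to check the two things the accepted solution and the last reply ask for: that the node's FQDN or IP address appears in the certificate's subject CN or in its SAN extension, and that the certificate is currently valid (the check that a skewed clock without NTP breaks). It builds two throwaway self-signed certificates to test against, one with a proper SAN and one that mirrors the default DNAC cert quoted above (CN only, no SAN). All hostnames, addresses and file names are constructed placeholders; it assumes OpenSSL 1.1.1 or newer for the -addext and -ext options.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a certificate carries the
# identity (FQDN or IP) that ISE and DNA Center require, in the subject CN
# or the SAN. Needs OpenSSL 1.1.1+ (-addext / -ext). Names below are made up.

# cert_has_identity CERT.pem IDENTITY
# Returns 0 if IDENTITY equals the subject CN or one of the SAN entries
# (DNS or IP Address), 1 otherwise. The comparison is exact, so a wildcard
# SAN such as *.example.com does not satisfy a check for dnac.example.com,
# which matches how peers validate the name.
cert_has_identity() {
    cert="$1"; ident="$2"
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$ident" ] && return 0
    # One SAN value per line, with the "DNS:" / "IP Address:" prefix removed.
    # A cert without the extension yields a single status line that tail drops.
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | tail -n +2 | tr ',' '\n' | sed 's/^ *//; s/^[^:]*://' \
        | grep -qxF -- "$ident"
}

# cert_is_current CERT.pem
# Returns 0 if the certificate has not expired according to the local clock,
# 1 otherwise. This is why NTP has to be right on both peers.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# make_demo_cert OUT.pem CN [SAN]
# Throwaway self-signed certificate for the demonstration (constructed data).
make_demo_cert() {
    out="$1"; cn="$2"; san="$3"
    key="${out%.pem}.key"
    if [ -n "$san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$out" \
            -days 1 -subj "/CN=$cn" -addext "subjectAltName=$san" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$out" \
            -days 1 -subj "/CN=$cn" >/dev/null 2>&1
    fi
}

# report CERT.pem IDENTITY...: print one line per identity checked
report() {
    cert="$1"; shift
    for ident in "$@"; do
        if cert_has_identity "$cert" "$ident"; then
            echo "$(basename "$cert"): $ident present"
        else
            echo "$(basename "$cert"): $ident MISSING"
        fi
    done
    if cert_is_current "$cert"; then
        echo "$(basename "$cert"): not expired"
    else
        echo "$(basename "$cert"): EXPIRED or clock skew"
    fi
}

DEMO_DIR=$(mktemp -d)
# Hypothetical DNA Center cert done right: FQDN and appliance IP in the SAN.
make_demo_cert "$DEMO_DIR/dnac.pem" "dnac.example.com" \
    "DNS:dnac.example.com,IP:192.0.2.10"
# Shape of the default cert quoted in the thread: CN only, no SAN.
make_demo_cert "$DEMO_DIR/kong.pem" "kong"

report "$DEMO_DIR/dnac.pem" dnac.example.com 192.0.2.10 192.0.2.99
report "$DEMO_DIR/kong.pem" kong 192.0.2.10
rm -rf "$DEMO_DIR"
```

Run it against the real appliance certificate by replacing the demo files with the PEM exported from DNA Center or the ISE admin node and passing every IP and FQDN the peer will use to reach it; the "kong" case shows why the stock DNAC cert only works once the node addresses are added to its SAN.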
