Certificates for inter-node communication

blandrum (Cisco Employee)

In regards to the certificates used for inter-node communication in a distributed deployment...what is our recommended strategy?  Self-signed for longevity, or publicly signed?  I had a TAC case open for a customer a few weeks back where it was highly recommended we use self-signed so they won't expire anytime soon.  However, I just saw this note in the ISE 2.0 admin guide...

Cisco Identity Services Engine Administrator Guide, Release 2.0 - Manage Certificates [Cisco Identity Services Engine] …

If you use self-signed certificates to secure communication between ISE nodes in a deployment, when BYOD users move from one location to another, EAP-TLS user authentication fails. For such authentication requests that have to be serviced between a few PSNs, you must secure communication between ISE nodes with an externally-signed CA certificate or use wildcard certificates signed by an external CA.

1 Accepted Solution

hslai (Cisco Employee)

That paragraph is under the section Install Trusted Certificates for Cisco ISE Inter-node Communication so it makes sense to talk about inter-node even though it's poorly worded. I think it might be referring to some use cases where the same certificates are used for both admin and EAP.

5 Replies

kthiruve (Cisco Employee)

Hi Brad,

I am not sure in what context TAC mentioned that self-signed would be better. If this is to prevent easy renewal of certificates or not, I am not sure. It is important that your certificates do not expire for any services to work.

From a security standpoint and smooth continuity of services supporting mobility of users between nodes, it is important to have the root CA of all the PSNs installed in the endpoints. Usually in an enterprise, there could be one root CA or intermediate CA that issues the certificates to the ISE servers. If using an internal or external CA, then you have to make sure these root CA certificates are located in the trusted root store of your device.

Also remember that for self-signed certificates, the root CA is the certificate itself. So you need to make sure these self-signed certificates across PSNs are installed in the endpoints to prevent authentication failures for mobile users. So, to ease certificate provisioning and for better security, it is an industry-recommended approach to use CA-signed certificates.

Hope this clarifies your question.

Thanks

Krishnan

That’s not what I’m asking.  I always use publicly signed certs for EAP and HTTPS authentication.  This question is around the inter-node communication between the Admin node and the other servers in a distributed deployment.

Thank you,

Brad Landrum

Systems Engineer | Cisco Systems

Hi Brad,

I understand. But the note from the documentation does not mean inter-node communication, it means endpoint to many PSNs; not sure why they had to start with a preamble that might be misleading. I will verify this with the documentation person.

That said, only initially during BYOD device registration does inter-node communication happen between PSN and PAN for BYOD registration during onboarding. Later this is synced from PAN to other PSNs. Also for CoA triggered by admins, PAN-PSN communication happens.

Please see the slide for inter-node communication in ISE

Cisco Identity Services Engine Hardware Installation Guide, Release 2.0 - Cisco ISE Ports Reference [Cisco Identity Se…

Also remember, when you are using EAP-TLS and verify server certificates, you can use the SAN to create wildcard certificates for PSNs so that the BYOD devices can be authenticated no matter which PSN they hit.

Hope this clarifies.

Thanks

Krishnan
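The two points Krishnan makes about EAP-TLS server validation (the endpoint must trust the issuer of the PSN certificate, and the PSN's hostname must be covered by the certificate's SAN entries) can be modelled as two independent checks. The following is an added example, not code from this thread or from Cisco ISE; it implements RFC 6125-style SAN/wildcard matching over stdlib only, and the certificates, CA name, PSN hostnames and trust-store contents are constructed placeholders. It also goes one step beyond the post: it shows that a single-label wildcard such as `*.ise.example.com` does not cover a PSN in a deeper subdomain, which needs its own SAN entry.

```python
"""Model of what a supplicant checks on an ISE PSN's EAP-TLS server certificate:
(1) the certificate chains to a trusted anchor, and
(2) the PSN hostname the client connected to appears in the SAN list.
Added example with constructed data; not Cisco ISE code."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Cert:
    subject: str          # subject name (for a self-signed cert, equals issuer)
    issuer: str           # issuing CA name, or the subject itself when self-signed
    sans: tuple = ()      # dNSName entries from the Subject Alternative Name extension

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

    def fingerprint(self) -> str:
        # Stand-in for the certificate's SHA-256 thumbprint (constructed, not a real DER hash)
        raw = f"{self.subject}|{self.issuer}|{','.join(self.sans)}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 dNSName matching: exact match, or a leading '*' covering exactly one label."""
    p, h = pattern.lower(), hostname.lower()
    if not p.startswith("*."):
        return p == h
    suffix = p[1:]                      # "*.ise.example.com" -> ".ise.example.com"
    if not h.endswith(suffix):
        return False
    leftmost = h[: -len(suffix)]        # the part the wildcard has to cover
    return leftmost != "" and "." not in leftmost


def hostname_covered(cert: Cert, hostname: str) -> bool:
    return any(san_matches(s, hostname) for s in cert.sans)


def is_trusted(cert: Cert, trust_store: set) -> bool:
    """trust_store holds CA subject names for CA-issued certs, or the fingerprint
    of each individually trusted self-signed certificate (the 'root CA is itself' case)."""
    if cert.self_signed:
        return cert.fingerprint() in trust_store
    return cert.issuer in trust_store


def eap_tls_server_ok(cert: Cert, hostname: str, trust_store: set) -> bool:
    return is_trusted(cert, trust_store) and hostname_covered(cert, hostname)


def build_scenarios() -> dict:
    """Two constructed deployments of three PSNs, one of them in a deeper subdomain."""
    psns = ("psn1.ise.example.com", "psn2.ise.example.com", "psn3.dc2.ise.example.com")

    # Scenario A: every PSN has its own self-signed cert; the endpoint was only
    # provisioned with psn1's cert, so roaming to psn2/psn3 fails.
    self_signed = {h: Cert(subject=h, issuer=h, sans=(h,)) for h in psns}
    store_a = {self_signed["psn1.ise.example.com"].fingerprint()}
    result_a = {h: eap_tls_server_ok(self_signed[h], h, store_a) for h in psns}

    # Scenario B: one CA-issued certificate with a wildcard SAN shared by the PSNs;
    # the endpoint trusts the CA, so any PSN the wildcard covers is accepted.
    ca = "Example Corp Issuing CA"   # constructed CA name
    shared = Cert(subject="ise.example.com", issuer=ca,
                  sans=("*.ise.example.com", "ise.example.com"))
    store_b = {ca}
    result_b = {h: eap_tls_server_ok(shared, h, store_b) for h in psns}

    return {"self_signed_only_psn1_trusted": result_a, "ca_wildcard": result_b}


if __name__ == "__main__":
    for name, results in build_scenarios().items():
        print(name)
        for host, ok in results.items():
            print(f"  {host:28s} {'OK' if ok else 'FAIL'}")
```

In scenario A only psn1 validates, which is the roaming failure the admin-guide note describes. In scenario B psn1 and psn2 validate, but psn3 still fails because `*.ise.example.com` matches a single label; a PSN under `dc2.ise.example.com` needs an explicit dNSName (or a second wildcard) in the same certificate, or its own CA-issued certificate.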

The way you describe the process is what I previously believed.  I was confused by the opening sentence of the section I copied / pasted above "secure communications between ISE nodes in a deployment".  If we could clarify that section to remove references to "between ISE nodes" and instead state "between client and PSN", that would be helpful.  Thanks!
