08-09-2016 06:02 AM
In regards to the certificates used for inter-node communication in a distributed deployment...what is our recommended strategy? Self-signed for longevity, or publicly signed? I had a TAC case open for a customer a few weeks back where it was highly recommended we use self-signed so they won't expire anytime soon. However, I just saw this note in the ISE 2.0 admin guide...
If you use self-signed certificates to secure communication between ISE nodes in a deployment, when BYOD users move from one location to another, EAP-TLS user authentication fails. For such authentication requests that have to be serviced between a few PSNs, you must secure communication between ISE nodes with an externally-signed CA certificate or use wildcard certificates signed by an external CA.
08-09-2016 10:10 AM
Hi Brad,
I am not sure in what context TAC mentioned that self-signed would be better. If this is to prevent easy renewal of certificates or not, I am not sure. It is important that your certificates do not expire for any services to work.
From a security standpoint and smooth continuity of services supporting mobility of users between nodes, it is important to have the root CA of all the PSNs installed in the endpoints. Usually in an enterprise, there could be one root CA or intermediate CA that issues the certificates to the ISE servers. If using an internal or external CA, then you have to make sure these root CA certificates are located in the trusted root store of your device.
Also remember that for self-signed certificates, the root CA for a self-signed certificate is itself. So you need to make sure these self-signed certificates across PSNs are installed in the endpoints to prevent authentication failures for mobile users. So, to ease certificate provisioning and for better security, it is the industry-recommended approach to use CA-signed certificates.
Hope this clarifies your question.
Thanks
Krishnan
08-09-2016 10:29 AM
That’s not what I’m asking. I always use publicly signed certs for EAP and HTTPS authentication. This question is around the inter-node communication between the Admin node and the other servers in a distributed deployment.
Thank you,
Brad Landrum
Systems Engineer | Cisco Systems
08-09-2016 01:39 PM
Hi Brad,
I understand. But the note from the documentation does not mean inter-node communication; it means endpoint to many PSNs. Not sure why they had to start with a preamble that might be misleading. I will verify this with the documentation person.
That said, only initially during BYOD device registration does inter-node communication happen between PSN and PAN, for BYOD registration during onboarding. Later this is synced from PAN to other PSNs. Also for CoA triggered by admins, PAN-PSN communication happens.
Please see the slide for inter-node communication in ISE
Also remember that when you are using EAP-TLS and verify server certificates, you can use SAN to create wildcard certificates for PSNs so that the BYOD devices can be authenticated no matter what the PSN is.
Hope this clarifies.
Thanks
Krishnan
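Krishnan's two points above (the root CA of every PSN must be in the endpoint's trust store, and a SAN/wildcard certificate lets a roaming BYOD device validate any PSN) as an added illustration that is not from this thread or from Cisco: a simplified model of what a validating supplicant checks, using constructed PSN names and a simplified trust check (issuer name present in the trust store, no chain building).

```python
"""Which PSNs will a supplicant accept during EAP-TLS server validation?

Added illustration for this thread, not Cisco code. A supplicant that
validates the server certificate needs (1) the certificate's issuer in its
trusted root store and (2) the PSN's FQDN to match a SAN dNSName. A
self-signed certificate is its own issuer, so every PSN's certificate must
be trusted individually; one CA-signed (or wildcard) certificate avoids that.
"""
from typing import Dict, List, Tuple

# A constructed, simplified certificate: (issuer name, SAN dNSName list)
Cert = Tuple[str, List[str]]

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; '*' allowed only as the whole
    leftmost label, matching exactly one non-empty label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h) or h[0] == "":
        return False  # refuses psn*.x, *.com and multi-label matches
    return p[1:] == h[1:]

def rejected_psns(psn_certs: Dict[str, Cert], trusted_roots: set) -> List[str]:
    """PSN FQDNs whose certificate the supplicant would reject.
    Simplification: trust is 'issuer name in trust store', no chain building."""
    bad = []
    for fqdn, (issuer, san) in psn_certs.items():
        trusted = issuer in trusted_roots
        name_ok = any(dns_name_matches(n, fqdn) for n in san)
        if not (trusted and name_ok):
            bad.append(fqdn)
    return bad

PSNS = ["psn1.example.com", "psn2.example.com", "psn3.example.com"]  # constructed

# Scenario A: one self-signed cert per PSN; endpoint onboarded against psn1 only
SELF_SIGNED = {p: (p, [p]) for p in PSNS}
TRUST_A = {"psn1.example.com"}

# Scenario B: one CA-signed cert with a wildcard SAN, shared by all PSNs
SHARED = {p: ("Corp Root CA", ["ise.example.com", "*.example.com"]) for p in PSNS}
TRUST_B = {"Corp Root CA"}

if __name__ == "__main__":
    print("self-signed, rejected:", rejected_psns(SELF_SIGNED, TRUST_A))
    print("CA wildcard, rejected:", rejected_psns(SHARED, TRUST_B))
```

Scenario A reproduces the roaming failure the admin guide describes (psn2 and psn3 are rejected); scenario B accepts every PSN with a single trust-store entry.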
08-09-2016 01:45 PM
The way you describe the process is what I previously believed. I was confused by the opening sentence of the section I copied/pasted above: "secure communication between ISE nodes in a deployment". If we could clarify that section to remove references to "between ISE nodes" and instead state "between client and PSN", that would be helpful. Thanks!
08-12-2016 07:34 PM
That paragraph is under the section Install Trusted Certificates for Cisco ISE Inter-node Communication so it makes sense to talk about inter-node even though it's poorly worded. I think it might be referring to some use cases where the same certificates are used for both admin and EAP.