05-02-2024 02:44 AM - edited 05-03-2024 02:32 AM
Excellent article @thomas (weird I cannot tag him),
I wonder if the STALE topic has been taken into account (I don't seem to see it), especially when it comes to EAP certificates, where we are explicitly told that their CNs might have nothing to do with the ISE node names (and this may definitely trigger the STALE flag).
Gio
05-02-2024 01:41 PM
@Gioacchino - there is a previous posting about this that explains why Cisco did this. It's apparently helping us to find certs that are still valid (in terms of date range) but not effectively aligned to an ISE node. I personally don't like this feature because I have found it to be wrong in cases of Guest Portals. ISE gets confused when the PSN node name does not match the cert's CN (two things that have nothing to do with each other and don't need to be identical).
05-03-2024 02:31 AM
Hi @Arne Bier ,
I have just wondered if this algorithm would apply to EAP auth certs as well, where indeed the CN of the returned cert might have nothing to do with the ISE nodes and the names given to them.
My understanding is that Cisco devs didn't do any distinction.
Regards, Gio
05-08-2024 05:18 PM
Unfortunately I don't know how this mechanism works or why we need it.