Cisco ISE and certificates - design questions

Maciej Waliszko
Level 1

Hello,
I am going to deploy a new ISE distributed setup (node1 - PAN(A)/MNT(S), node2 - PAN(S)/MNT(A), 2x PSN (node3/4)). All the personas running on SNS-3615. The customer decided to buy all the required licenses - Base, Plus, Apex. I am going to configure 802.1x for wired/wireless (EAP-TLS), guest+byod (2 SSIDs flow) + posture (AnyConnect).
According to the config guide and my knowledge ISE is going to accept/install the certificate only if it contains its own hostname in CN/SAN. For guest/byod portals I need a public certificate for ISE so that the end user would not get a cert warning in their browsers. This means that the ISE hostname+domain name need to be public (i.e. company.com and NOT company.local (MS AD domain suffix)) - option 1.
Another option (option 2) is to use MS AD domain name for ISE (company.local - Gig0) + use Gig1 with ip host alias (company.com) - guest/byod portal on Gig1. Is that right?

I also came across information that certificates for the Admin portal + EAP cert need to be public so that BYOD would work without any errors for Apple devices (cert requests/downloads run on port 8905 and use the Admin portal cert; the EAP cert needs to be public to avoid the "profile installation failed" error message in the case of Apple).
Is my understanding (all of the above) correct? To sum up:
Admin - public cert
EAP - public cert
Portal (guest,byod) - public cert
EAP-TLS client certs - private certs from MS AD pki (root chain certificates installed in the ISE in the trusted cert store).
ISE PSNs having only 1 IP/using Gig0 only.
Another question is related to portal redundancy (running on PSNs). To get that I need to use:
- 2 authz profiles with static redirection to guest1.company.com and guest2.company.com and 2 Authz policies using them (Network Access:ISE Host Name EQUALS node3 -> guest1, Network Access:ISE Host Name EQUALS node4 -> guest2)
- DNS round-robin for sponsor/mydevices portal
Is that right? Am I missing something?

 

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP

@Maciej Waliszko wrote:


According to the config guide and my knowledge ISE is going to accept/install the certificate only if it contains its own hostname in CN/SAN. For guest/byod portals I need a public certificate for ISE so that the end user would not get a cert warning in their browsers. This means that the ISE hostname+domain name need to be public (i.e. company.com and NOT company.local (MS AD domain suffix)) - option 1.

>> Correct so far


Another option (option 2) is to use MS AD domain name for ISE (company.local - Gig0) + use Gig1 with ip host alias (company.com) - guest/byod portal on Gig1. Is that right?

>> As we ascertained recently, using a TLD (top level domain) of .local is no longer a good practice. You can use something else like .net for example. There is an RFC relating to the current usage of .local

You don't need Gig1 for this. Gig1 is typically only used for guest portals if you want to host the guest portals on a DMZ (another VLAN). 

 

I also came across information that certificates for the Admin portal + EAP cert need to be public so that BYOD would work without any errors for Apple devices (cert requests/downloads run on port 8905 and use the Admin portal cert; the EAP cert needs to be public to avoid the "profile installation failed" error message in the case of Apple).
Is my understanding (all of the above) correct?

>> Yes - it's a good practice - just ensure that you don't put a wildcard in the Subject Common Name, or in the SAN. Windows Supplicant doesn't like that.

 

To sum up:
Admin - public cert
EAP - public cert
Portal (guest,byod) - public cert
EAP-TLS client certs - private certs from MS AD pki (root chain certificates installed in the ISE in the trusted cert store).
ISE PSNs having only 1 IP/using Gig0 only.

>> Yes to all above


Another question is related to portal redundancy (running on PSNs). To get that I need to use:
- 2 authz profiles with static redirection to guest1.company.com and guest2.company.com and 2 Authz policies using them (Network Access:ISE Host Name EQUALS node3 -> guest1, Network Access:ISE Host Name EQUALS node4 -> guest2)

>> Yes unless you have a load balancer. But your answer is correct. Each PSN has the same programming and you have to tell the PSN to check for its own hostname, and then return the appropriate URL that sends the clients back to that PSN.


- DNS round-robin for sponsor/mydevices portal
Is that right? Am I missing something?

>> Yes - unless you have a load balancer. That's a whole other discussion ...
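As an added example (not code from this thread, from Cisco or from ISE itself), a small Python check that applies the rules agreed above to a certificate in the dict shape Python's ssl getpeercert() returns: the node's own FQDN must appear in CN/SAN, no wildcard in CN or SAN, no .local TLD, and the portal FQDN a PSN statically redirects to (guest1/guest2) must be in that PSN's SAN. The node names, portal names and sample certificates are constructed for the example.

```python
from typing import Dict, List, Tuple

# Dict shape mirrors ssl.SSLSocket.getpeercert(): "subject" is a tuple of RDNs (each a
# tuple of (attribute, value) pairs); "subjectAltName" is a tuple of (type, value) pairs.
CertInfo = Dict[str, tuple]

def cert_names(cert: CertInfo) -> Tuple[List[str], List[str]]:
    """Return (common_names, san_dns_names), lower-cased, from a getpeercert()-style dict."""
    cns = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return cns, sans

def check_ise_cert(cert: CertInfo, node_fqdn: str, portal_fqdns=()) -> List[str]:
    """Apply the thread's rules to one ISE node certificate; empty list means it passes."""
    findings: List[str] = []
    cns, sans = cert_names(cert)
    names = sorted(set(cns + sans))
    node_fqdn = node_fqdn.lower()
    # ISE installs a system cert only if its own hostname is in the CN or SAN
    if node_fqdn not in names:
        findings.append(f"node FQDN {node_fqdn} absent from CN/SAN")
    for n in names:
        # wildcards in CN or SAN break the Windows supplicant for EAP
        if n.startswith("*"):
            findings.append(f"wildcard name {n} in CN/SAN")
        # .local is not a public TLD, so no public CA will issue for it
        if n.endswith(".local"):
            findings.append(f"{n} uses the .local TLD")
    # the portal FQDN this PSN redirects clients to must also be in its SAN,
    # otherwise guests get a browser warning on the redirected portal
    for p in portal_fqdns:
        if p.lower() not in sans:
            findings.append(f"portal FQDN {p} missing from SAN")
    return findings

# Constructed sample data: the two PSNs and the per-PSN portal FQDNs from the thread
PSN_PORTAL_MAP = {"node3.company.com": "guest1.company.com",
                  "node4.company.com": "guest2.company.com"}
GOOD_NODE3_CERT: CertInfo = {
    "subject": ((("commonName", "node3.company.com"),),),
    "subjectAltName": (("DNS", "node3.company.com"), ("DNS", "guest1.company.com")),
}
BAD_NODE4_CERT: CertInfo = {  # wildcard, .local, neither node nor portal FQDN present
    "subject": ((("commonName", "*.company.local"),),),
    "subjectAltName": (("DNS", "*.company.local"),),
}

def audit(certs: Dict[str, CertInfo]) -> Dict[str, List[str]]:
    """Check each PSN cert against its own FQDN and the portal FQDN it redirects to."""
    return {fqdn: check_ise_cert(cert, fqdn, [PSN_PORTAL_MAP[fqdn]]) for fqdn, cert in certs.items()}
```

Pointing `audit` at certs pulled with `ssl.get_server_certificate`/`getpeercert()` from each PSN gives a quick pre-go-live check that the admin, EAP and portal certs match this design.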
2 Replies

Arne,

Thank you for the answers.