Bhardwajp
Beginner

Cisco ISE Certificate for admin and Sponsor Portal

Hi All,

Can someone please help with the difference between signed and CA certificates to be used in Cisco ISE?

I think all the nodes in the deployment must have admin and EAP authentication certificates for replication and RADIUS authentication. Is it correct?

Is the Sponsor Portal required for all the nodes, or only for PSNs running services like BYOD, posture and profiling?

Can we use mixed certificates, like self-signed on a few nodes and CA on others? Is there any disadvantage to it?

Thanks in advance.

1 ACCEPTED SOLUTION

Damien Miller
VIP Advisor

It really depends on what the deployment is going to be used for.

You can use different admin certs for each node; the default self-signed will work for this. But you can also get a different CA-signed cert from an internal or public PKI service if you so choose.

You can only have a single EAP certificate per node, and usually most use a single cert with all the PSN nodes specified as SAN entries. This is usually an internal PKI-signed cert, but could be ISE-issued. I've seen some use a public CA-signed cert for this.

On the portal certs, you can have multiple per node if desired; they are assigned to specific portal tags when you import them. If the portal you want to use is public facing, then you want a well-known public CA to sign the cert for the portals they will hit.

There is no one size fits all when it comes to certificates: public certs cost money, internal signed certs require a PKI, and ISE self-signed certs often require pushing a trusted root/CA chain.
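An added example, not part of the original post: a check that one shared EAP certificate really lists every PSN as a SAN entry, run over the text that `openssl x509 -noout -ext subjectAltName` prints. The certificate output, the host names and the function names are constructed assumptions, and the wildcard handling goes beyond what the answer describes.

```python
import re

# Constructed sample: text printed by
#   openssl x509 -in eap.pem -noout -ext subjectAltName
# for a hypothetical shared EAP certificate.
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name: 
    DNS:psn1.ise.example.com, DNS:psn2.ise.example.com, DNS:*.lab.example.com, IP Address:192.0.2.10
"""

# Hypothetical PSN FQDNs for the deployment (assumption, not from the post).
PSN_NODES = ["psn1.ise.example.com", "PSN2.ise.example.com",
             "psn3.ise.example.com", "psn9.lab.example.com",
             "a.b.lab.example.com"]


def parse_dns_sans(text):
    """Return the lower-cased dNSName entries from openssl's SAN text output."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", text)]


def san_matches(san, host):
    """Case-insensitive match; a leading '*' covers exactly one left-most label.

    Whether the supplicants in use accept a wildcard EAP certificate is a
    separate question that this check does not answer.
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == san[2:]


def uncovered_nodes(san_text, nodes):
    """List the nodes that no dNSName entry in the certificate covers."""
    sans = parse_dns_sans(san_text)
    return [n for n in nodes if not any(san_matches(s, n) for s in sans)]


if __name__ == "__main__":
    missing = uncovered_nodes(SAMPLE_SAN_TEXT, PSN_NODES)
    for node in missing:
        print(f"not covered by EAP certificate SAN: {node}")
    raise SystemExit(1 if missing else 0)
```

A non-zero exit means at least one PSN would present a certificate whose SAN list does not include its own name.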


 
