Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3083
Views
20
Helpful
3
Replies

Cisco ISE deployment with no CA available

Go to solution
laurathaqi
Level 3
Level 3

‎03-03-2021 11:56 AM

Dear community, 

I am planning to do an ISE deployment with base license. However we do not have any Certificate Authority service available. Client says we should proceed without certificates. 

So, we must proceed with following: 

   No cert for athentication such as EAP-TLS.

   No certs for web portals.  

Since is a base licence, i can not have any other feature implemented eitherway, 802.1x and guest services. 

So my question is: other than eap-tls, which I am planning to replace it non-cert authentication such as PEAP, and web portals to proceed with acceppting the browser facing the error to the users that the page is not trusted. Do you think I am going to face any other issue to deploy base & tacacs+ license, single VM(small) Cisco ISE with zero-certificate usage?

 

Any thoughts would be highly appreciated.

 

Best,

Laura

1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎03-03-2021 12:03 PM - edited ‎03-03-2021 12:15 PM

Hi @laurathaqi 

Yes you can do this,ISE will have self-signed certificates for all the services. Obviously as you are aware you'll get certificate errors. As you do not have an internal CA, I'd suggest you purchase a public signed certificate for EAP and Guest portals, that way the users will not receive an error message, as the public CA is likely to already be in the trusted root store of most devices. This is better than blindly accepting a certificate error.

 

You only have 1 VM so the Admin certificate does not need to be trusted by another node. If you add another ISE node for redundancy, just export the self signed certificate and import to the trusted store on the P-PAN.

 

HTH

View solution in original post

3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎03-03-2021 12:03 PM - edited ‎03-03-2021 12:15 PM

Hi @laurathaqi 

Yes you can do this,ISE will have self-signed certificates for all the services. Obviously as you are aware you'll get certificate errors. As you do not have an internal CA, I'd suggest you purchase a public signed certificate for EAP and Guest portals, that way the users will not receive an error message, as the public CA is likely to already be in the trusted root store of most devices. This is better than blindly accepting a certificate error.

 

You only have 1 VM so the Admin certificate does not need to be trusted by another node. If you add another ISE node for redundancy, just export the self signed certificate and import to the trusted store on the P-PAN.

 

HTH

Go to solution
laurathaqi
Level 3
Level 3
In response to Rob Ingram

‎03-04-2021 12:00 AM

Hi @Rob Ingram 

 

Thank you for your valuable feedback. This is the exact information I needed to hear as a confirmation of my thoughts.

 

Best wishes,

Laura   

Go to solution
chris-lawrence
Level 1
Level 1
In response to Rob Ingram

‎08-30-2021 09:35 AM

Hi Rob,

 

Like Laura, I'm trying to do something similar but I have enabled the internal CA within ISE and don't have any issues wanting to use it. And right now within my DEV, all my personas are on the same box... May I direct you to this post please? Perhaps you can provide some guidance of how I can achieve this.

 

https://community.cisco.com/t5/network-access-control/endpoint-on-boarding-using-internal-ise-ca/m-p/4456367#M569326

 

Chris

 

0 Helpful
Customers Also Viewed These Support Documents