03-03-2021 11:56 AM
Dear community,
I am planning to do an ISE deployment with a base license. However, we do not have any Certificate Authority service available. The client says we should proceed without certificates.
So, we must proceed with following:
No cert for authentication such as EAP-TLS.
No certs for web portals.
Since it is a base license, I cannot have any other feature implemented either way, 802.1X and guest services.
So my question is: other than EAP-TLS, which I am planning to replace with non-cert authentication such as PEAP, and the web portals, where we proceed by accepting that the browser shows users an error that the page is not trusted, do you think I am going to face any other issue deploying a base & TACACS+ license, single VM (small) Cisco ISE with zero-certificate usage?
Any thoughts would be highly appreciated.
Best,
Laura
03-03-2021 12:03 PM - edited 03-03-2021 12:15 PM
Hi @laurathaqi
Yes, you can do this; ISE will have self-signed certificates for all the services. Obviously, as you are aware, you'll get certificate errors. As you do not have an internal CA, I'd suggest you purchase a publicly signed certificate for EAP and Guest portals; that way the users will not receive an error message, as the public CA is likely to already be in the trusted root store of most devices. This is better than blindly accepting a certificate error.
You only have 1 VM, so the Admin certificate does not need to be trusted by another node. If you add another ISE node for redundancy, just export the self-signed certificate and import it into the trusted store on the P-PAN.
HTH
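The trust behaviour Rob describes can be reproduced locally with openssl. The script below is an added example, not code from the thread or from Cisco: it builds a self-signed "ISE" certificate (what ISE generates on its own), a stand-in root CA with an ISE certificate issued from a CSR (the "buy a publicly signed certificate" path), and then validates each against a PEM bundle that plays the role of a device's trusted root store. The hostname ise.example.com, the CA name "Example Root CA" and all file names are made-up assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread above): shows with openssl why a
# self-signed ISE certificate fails validation until it is imported into the
# client's trust store, while a certificate issued by an already-trusted CA
# validates without any import. Names and hostnames are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl configs. The ISE end-entity cert carries the hostname that
# supplicants and browsers connect to in its SAN; the CA config marks the
# root as a CA so openssl accepts it as an issuer on every openssl version.
write_configs() {
  cat > "$WORK/ise.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
req_extensions = leaf_ext
x509_extensions = leaf_ext
[dn]
CN = ise.example.com
[leaf_ext]
subjectAltName = DNS:ise.example.com
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# 1. Self-signed certificate, like the ones ISE generates for its services
#    on first boot.
make_self_signed() {
  openssl req -x509 -config "$WORK/ise.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# 2. Stand-in public root CA, plus an ISE EAP/portal certificate issued by it
#    from a CSR (the same CSR/import flow used with a real public CA).
make_ca_signed() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -config "$WORK/ise.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/ise.key" -out "$WORK/ise.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/ise.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ise.cnf" -extensions leaf_ext \
    -out "$WORK/ise.pem" 2>/dev/null
}

# trust_check CERT TRUSTSTORE: prints "trusted" if CERT chains to a root in
# TRUSTSTORE (a PEM bundle standing in for a device's trusted root store),
# otherwise "untrusted". The system CA directory is excluded on purpose so
# only the bundle we pass counts.
trust_check() {
  if openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

write_configs
make_self_signed
make_ca_signed

# A client that only has the public root installed:
echo "CA-issued ISE cert vs public root:   $(trust_check "$WORK/ise.pem" "$WORK/ca.pem")"
echo "self-signed ISE cert vs public root: $(trust_check "$WORK/self.pem" "$WORK/ca.pem")"
# The same self-signed cert once it has been exported and imported as trusted,
# which is the step Rob describes for a second ISE node's trusted store:
echo "self-signed ISE cert, after import:  $(trust_check "$WORK/self.pem" "$WORK/self.pem")"
```

The third check is the whole point of the "export and import" advice: a self-signed certificate is not wrong, it is simply unknown to the verifier until someone puts it in the trust store, and on a fleet of supplicants and guest devices nobody will do that, which is why a certificate chaining to a root they already hold is the cheaper fix.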
03-04-2021 12:00 AM
Hi @Rob Ingram
Thank you for your valuable feedback. This is the exact information I needed to hear as a confirmation of my thoughts.
Best wishes,
Laura
08-30-2021 09:35 AM
Hi Rob,
Like Laura, I'm trying to do something similar but I have enabled the internal CA within ISE and don't have any issues wanting to use it. And right now within my DEV, all my personas are on the same box... May I direct you to this post please? Perhaps you can provide some guidance of how I can achieve this.
Chris