3083 Views, 20 Helpful, 3 Replies

Cisco ISE deployment with no CA available

laurathaqi
Level 3

Dear community, 

I am planning to do an ISE deployment with a base license. However, we do not have any Certificate Authority service available. The client says we should proceed without certificates.

So, we must proceed with the following:

   No cert for authentication such as EAP-TLS.

   No certs for web portals.

Since it is a base license, I cannot have any other feature implemented either way, 802.1X and guest services.

So my question is: other than EAP-TLS, which I am planning to replace with non-cert authentication such as PEAP, and web portals, where we proceed by accepting the browser error shown to users that the page is not trusted, do you think I am going to face any other issue deploying a base & TACACS+ license, single VM (small) Cisco ISE with zero-certificate usage?

 

Any thoughts would be highly appreciated.

 

Best,

Laura

Accepted Solution

Hi @laurathaqi 

Yes you can do this, ISE will have self-signed certificates for all the services. Obviously as you are aware you'll get certificate errors. As you do not have an internal CA, I'd suggest you purchase a public signed certificate for EAP and Guest portals, that way the users will not receive an error message, as the public CA is likely to already be in the trusted root store of most devices. This is better than blindly accepting a certificate error.

 

You only have 1 VM so the Admin certificate does not need to be trusted by another node. If you add another ISE node for redundancy, just export the self-signed certificate and import it to the trusted store on the P-PAN.

 

HTH
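The reply above rests on one check that every client (supplicant, browser, or a second ISE node) performs: does the presented certificate chain to something already in my trust store? The script below is an added example, not code from the thread or from Cisco. It assumes the openssl CLI is installed and uses constructed names (a throwaway "Example Root CA" standing in for a public CA, and ise.example.local as the portal/EAP name) in a temporary directory. It shows the three situations the reply describes: a CA-signed cert verifies against the trust store, the out-of-the-box self-signed cert does not (this is the browser error), and the self-signed cert verifies only once it has itself been imported into the trust store, which is what the export/import step for a second node achieves.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the client-side trust check
# for a CA-signed certificate vs. a self-signed one.
# All names, file paths and the CA are constructed placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA standing in for "a public CA already in the trust store".
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
}

# Server certificate for the portal/EAP name, signed by the CA above
# (the "purchase a public signed certificate" option).
gen_ca_signed() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/signed.key" \
    -out "$WORK/signed.csr" -subj "/CN=ise.example.local" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/signed.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/signed.pem" >/dev/null 2>&1
}

# Self-signed server certificate, i.e. what ISE generates out of the box.
gen_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" \
    -subj "/CN=ise.example.local" >/dev/null 2>&1
}

# verify_chain <cert> <trust-store-pem>
# Returns 0 when <cert> chains to a root in <trust-store-pem>, 1 otherwise.
# This is the same decision a browser, supplicant or peer node makes.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Walk through the three cases and report them.
report() {
  gen_ca
  gen_ca_signed
  gen_self_signed
  if verify_chain "$WORK/signed.pem" "$WORK/ca.pem"; then
    echo "CA-signed cert vs. trust store containing the CA: trusted"
  fi
  if ! verify_chain "$WORK/self.pem" "$WORK/ca.pem"; then
    echo "self-signed cert vs. that trust store: NOT trusted (certificate error)"
  fi
  # Importing the self-signed cert into the trust store, as the reply
  # describes for a second node, is what makes it verify.
  if verify_chain "$WORK/self.pem" "$WORK/self.pem"; then
    echo "self-signed cert after import into the trust store: trusted"
  fi
}

report
```

To apply the same check to a real deployment, replace the generated files with the certificate exported from the ISE node and the CA bundle your clients actually carry; if `openssl verify` fails there, users will see the warning the thread discusses.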


3 Replies


Hi @Rob Ingram 

 

Thank you for your valuable feedback. This is the exact information I needed to hear as a confirmation of my thoughts.

 

Best wishes,

Laura   

Hi Rob,

 

Like Laura, I'm trying to do something similar but I have enabled the internal CA within ISE and don't have any issues wanting to use it. And right now within my DEV, all my personas are on the same box... May I direct you to this post please? Perhaps you can provide some guidance of how I can achieve this.

 

https://community.cisco.com/t5/network-access-control/endpoint-on-boarding-using-internal-ise-ca/m-p/4456367#M569326

 

Chris