Cisco ISE distributed deployment certificate management

Alitay1983
Level 1

Case:

I have an ISE deployment with two nodes

domain name: ise.publicdomain.com

Node 1: hostname: psn-1. admin primary, monitoring secondary, PSN

Node 2: hostname: psn-2. admin secondary, monitoring primary, PSN

I am planning to have the certificate signed by a public CA such as GoDaddy for the guest, BYOD, EAP-TLS, and admin portals.

Question:

If I generate a wildcard certificate CSR from the primary node and have it signed by a public trusted CA with the FQDN as CN and SANs:

ise.publicdomain.com, psn-1.ise.publicdomain.com, aaa.ise.publicdomain.com, *.ise.publicdomain.com

Do I need to generate a second CSR from the second node and have it signed by the public trusted CA with the FQDN as CN and SANs:

ise.publicdomain.com, psn-2.ise.publicdomain.com, aaa.ise.publicdomain.com, *.ise.publicdomain.com

What is a valid scenario? Could it be done with one certificate CSR? Do the public CAs charge us for securing two certificates? Does anyone h


6 Replies

Gagandeep Singh
Cisco Employee

Yes, it should work with one CSR.

Best practice is to use a generic hostname for the CN field of the subject, and to insert both that same generic hostname and the wildcard value into the SAN field.

There are a few ways to import a wildcard certificate into ISE version 1.2.  This procedure will follow what we expect to be the most common approach, which is to create the Certificate Signing Request (CSR) within the ISE administrative interface and submit that CSR to the signing Certificate Authority (CA).  The resulting signed public key will be bound to the CSR on ISE.

The final private and public key-pair will be exported from the first ISE node, and imported on the other nodes in the deployment.

Let’s Create the Certificate Signing Request (CSR)

From the first ISE node, navigate to the certificates section of the administrative GUI.  For dedicated Policy Services Nodes, the path will be “Administration > Server Certificates”.  If the node is also an administrative node, the path will be “Administration > Certificates > Local Certificates”.

Step 1 Click Add > Generate Certificate Signing Request

Step 2 In the Certificate Subject enter the generic FQDN for the ISE PSNs.

Step 3 Select at least two DNS Names under the Subject Alternative Name (SAN) section.

  • One of the DNS Names must match the CN= value from Step 2.
  • The other DNS Name should be the wildcard value.

Step 4 Ensure the “Allow Wildcard Certificates” check box is selected.

Step 5 Click Submit. 

http://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html

After reading the above document, you will get to know the best practice.

Regards

Gagan

PS: rate if it helps!!!!
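To check the question's plan against the CN/SAN advice in the steps above, here is an added example (not from the thread or from Cisco) that tests whether one planned SAN list covers every FQDN the two-node deployment needs, applying the RFC 6125 wildcard rule that `*` must be the entire leftmost label and matches exactly one label. The names are the ones from the question; the extra hostnames in the checks are constructed.

```python
# Added example: verify that a single ISE certificate's SAN list covers all node
# and portal FQDNs before the cert is exported to the secondary node.
# Wildcard handling follows RFC 6125: '*' is only valid as the whole leftmost
# label and matches exactly one label (so it never covers the apex name or a
# name two labels deep).

def valid_san_syntax(san: str) -> bool:
    """Reject SAN entries that a public CA or a strict validator will not accept."""
    labels = san.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        return False
    for i, label in enumerate(labels):
        # '*' must be the entire leftmost label; 'psn-*.ise...' is invalid
        if "*" in label and (i != 0 or label != "*"):
            return False
    # refuse bare '*.com'-style wildcards
    return len(labels) >= 3 if labels[0] == "*" else True

def san_matches(san: str, hostname: str) -> bool:
    """True if this one SAN entry would be accepted for the given hostname."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    if not valid_san_syntax(san):
        return False
    suffix = san[1:]                      # ".ise.publicdomain.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]   # the single label the '*' stands in for
    return bool(leftmost) and "." not in leftmost

def coverage(sans, required):
    """Map each required FQDN to the SAN entries that cover it."""
    return {host: [s for s in sans if san_matches(s, host)] for host in required}

def uncovered(sans, required):
    """FQDNs that no SAN entry covers; these would need a second CSR."""
    return [host for host, matches in coverage(sans, required).items() if not matches]

# SAN list planned in the question (one CSR from the primary node)
PLANNED_SANS = ["ise.publicdomain.com", "psn-1.ise.publicdomain.com",
                "aaa.ise.publicdomain.com", "*.ise.publicdomain.com"]
# every name the deployment presents: deployment FQDN, both nodes, the AAA alias
REQUIRED = ["ise.publicdomain.com", "psn-1.ise.publicdomain.com",
            "psn-2.ise.publicdomain.com", "aaa.ise.publicdomain.com"]

if __name__ == "__main__":
    for host, matches in coverage(PLANNED_SANS, REQUIRED).items():
        print(f"{host:30} covered by {matches}")
    print("uncovered:", uncovered(PLANNED_SANS, REQUIRED))
```

Because `psn-2.ise.publicdomain.com` is matched by `*.ise.publicdomain.com`, the second node needs no CSR of its own; a constructed deeper name such as `sponsor.guest.ise.publicdomain.com` or the apex `publicdomain.com` would not be covered and would have to be listed explicitly.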

Rahul Govindan
VIP Alumni

I have used 1 certificate in my customer deployments with the following characteristics:

Subject name: ise.domain.com

Subject Alternative Names (SAN): *.domain.com, ise1.domain.com, ise2.domain.com, mydevices.domain.com, portal.domain.com

You generate 1 CSR, receive the cert from the CA and install it on the primary node. Then export the same certificate (along with the private key) and import it on to the secondary. Once this is done, change the ISE admin, EAP and portal certificate to the new cert. This will restart services and start using the new cert after that.

One suggestion is to identify which SANs you need the public CA certificate for before requesting it from the CA. This will allow you to do all of the above in one go rather than multiple times.

Thx Rahul for the above.

What happens if ISE1 fails and ISE2 has to administer the guest and BYOD portals?

If the DNS records for portal.domain.com resolve to ISE1, how could we redirect clients to ISE2 portals?

Guest and BYOD portals are usually handled by a redirect ACL from the PSN handling the Auth request. So if ISE1 fails, the WLC talks to ISE2 and it should send the redirect ACL to the WLC. The redirect URL usually has the FQDN of the ISE servicing the request.

Yes, this is right. Thank you.

If you are provisioning certs, you are most likely using EAP-TLS (or a similar variant) for your wireless access. For a user who has left the organization, all you need to do is revoke the certificate issued to them via ISE. This will block the user's entry, as the certificate revocation will be checked during network access by the supplicant. If you don't revoke the cert, the user will still be able to access the network - even if he is no longer present in the AD. There is no username/password authentication that happens during this process.