cisco ise

wyfy-2015
Level 1

Hi,

I am using an evaluation of Cisco ISE 2.0. I have two SSIDs: one uses EAP-PEAP, the other uses EAP-TLS authentication, and I have a local Microsoft CA. So how can I do the certificate process in ISE?

Thanks


nspasov
Cisco Employee

I would recommend starting with these two things:

Lab Minutes video on EAP-TLS:

http://www.labminutes.com/sec0186_ise_13_wireless_dot1x_eap-tls_peap_1

EAP-TLS Deployment Guide (Cisco):

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml

ISE Design Guides:

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html

I hope this helps!

Thank you for rating helpful posts!

Nobody expects the Spanish Inquisition!

https://www.youtube.com/watch?v=7WJXHY2OXGE

(Mentioned two things then listed three. :) )

Hi,

Thank you Neno and Marvin. Here is another scenario. My inside domain is test.local, so the FQDNs are like ise01.test.local and ise02.test.local. For the guest portal, I want to use an external CA (I'll create another A record in the zone test.com: ise01.test.com).

So how can I use ise01.test.com for the guest portal instead of ise01.test.local?

And in this case, do I need to import both certificates (local and external)?

Please help.

Thanks

I have faced this issue before and it can be done. The important thing to remember is that the domain that ISE is joined to (for querying groups and users) can be different from the domain defined in the CLI. So, you will need to:

1. Change the domain name in the CLI from test.local to test.com

2. Change the FQDN in the CLI to match your external DNS record

3. Make the necessary DNS entries so the FQDN of ISE can be resolved to ise01.test.com

Also, in the future, never use a .local domain :) Perhaps .net instead :)

I hope this helps!

Thank you for rating helpful posts!
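Added example (not from this thread or from Cisco): after the three steps above, clients may reach the node as ise01.test.com (portal, CLI FQDN) while internal records still use ise01.test.local, so the question of whether one certificate or both (local and external) are needed comes down to which names the certificate's Subject Alternative Names cover. This Python check takes a proposed dNSName list and reports the required names it does not match, using RFC 6125 style wildcard rules; the required-name purposes and SAN lists are constructed for illustration.

```python
"""Report which ISE hostnames a proposed certificate SAN list leaves uncovered."""
import re

# Constructed sample: node keeps its AD join to test.local, while the CLI
# FQDN and the external DNS record are ise01.test.com (names from the thread).
REQUIRED_NAMES = {
    "guest portal": "ise01.test.com",
    "admin / node FQDN": "ise01.test.com",
    "internal record": "ise01.test.local",
}

# A single DNS label: letters, digits, hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName match: case-insensitive, '*' allowed only as
    the whole left-most label, never matching across label boundaries."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    # Wildcard must be the entire left-most label and leave at least two
    # fixed labels (so "*.com" is rejected); no other '*' anywhere.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in p[1:]:
        return False
    return (
        len(p_labels) == len(h_labels)
        and p_labels[1:] == h_labels[1:]
        and LABEL.match(h_labels[0]) is not None
    )


def uncovered(san_dns_names, required=REQUIRED_NAMES):
    """Return {purpose: fqdn} for every required name no SAN entry matches."""
    return {
        purpose: fqdn
        for purpose, fqdn in required.items()
        if not any(san_matches(san, fqdn) for san in san_dns_names)
    }


if __name__ == "__main__":
    # External CA certificate for the public names only: test.local is left out.
    print(uncovered(["ise01.test.com", "ise02.test.com"]))
    # Internal CA wildcard for test.local: the portal name is left out.
    print(uncovered(["*.test.local"]))
    # One certificate carrying both names covers everything.
    print(uncovered(["ise01.test.com", "*.test.local"]))
```

An empty result means a single certificate with that SAN list is enough for the names listed; a non-empty result names what a second certificate (or an extra SAN entry) would have to cover.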

Hi Neno

Thanks a million.

After changing the domain name from .local to .com, I will still be able to pull the groups and users from the .local domain (for us test.com is just a zone in DNS).

After changing the FQDN ("ip host a.b.c.d sales sales.amer.xyz.com"), can I create a certificate for ise-01.test.com (multi-use), or

create a certificate for the portal (ise-01.test.com) and EAP-TLS and keep the self-signed certificate?

Now both ISE nodes are in a group; after importing the new certificate, do I register the node again?

---------------------------------------------------------------------------------------------------------------

I have another problem. (At present, for the guest portal I am using the IP address instead of the FQDN.) When people access the guest portal from their laptops, the pages take ages to load.

I did a tcpdump on ISE and I can find a lot of RST flags.

Below is a sample from the trace:

1851 15.364956 10.0.109.24 192.168.10.40 TCP 60 51978 → 8443 [RST, ACK] Seq=162 Ack=932 Win=0 Len=0

Thanks again

Hmm, I am not sure about this. Question though: why use an IP address vs. DNS with an FQDN entry?

Thank you for rating helpful posts!

Hi,

Instead of the FQDN on the guest portal I used a static IP. That's what I mean.

Sorry for the confusion.

Thanks

Ha ha, good catch Marvin! :)