Cisco ISEv3.1 certificates csr for guest cwa

ivan.martin
Level 1

Hi I'm Ivan

I have an ISE v3.1 which I would like to use for guest service using CWA with sponsor. My issue is:

I need to generate a CSR for guest CWA with a third party (public company). My nodes are:

ise1.company.local / ise2.company.local. My portal's name is: portalguest.company.com.

Internal DNS resolves ise1, ise2 and portalguest (type A and PTR).

How can I generate the CSR to have it signed by the third party? Should I attach the SANs like this?

SAN1: ise1.company.com

SAN2: ise2.company.com

Once, the provider sent me the signed certificate, but when I tried to upload it to ISE, ISE showed an error with the private key file.

Thank you for your recommendations.

Best regards. Ivan.

3 Replies

Arne Bier
VIP

Hello Ivan

Your DNS domain that you used for the ISE node creation (i.e. as seen on the ISE CLI - *.company.local) has nothing to do with the DNS domain that is used for ISE Web Portals.  

You should get a Portal certificate that relates to the DNS entries that you plan to use. e.g.

Subject CN = ISE Guest     (this doesn't have to be a FQDN)

SAN 1: guest1.company.com (ISE Node 1)

SAN 2: guest2.company.com (ISE Node 2)

SAN 3: sponsor.company.com (Sponsor Portal)

Let's say ISE 1 has gig0 for all traffic.  And ISE 2 also uses gig0 for all traffic.  Then create DNS entries

guest1.company.com -> ISE1 gig0 IP address

guest2.company.com -> ISE 2 gig0 IP address

sponsor.company.com -> ISE1 gig0 IP address (there is no HA in this case - needs manual DNS fixup if needed)

I would advise against creating an offline CSR with a provider, because then they have your private key. The safer approach would be to create the CSR in ISE. Then send the CSR to the provider. They supply the cert and a CA chain (which you install in ISE Trusted Certificate Store).  And that's that. 
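As an added example (not code from this thread, from Cisco, or from ISE itself), the following shell script builds the certificate layout Arne describes, a label CN plus one SAN per portal hostname, with openssl, and then runs the two checks a CA-returned certificate should pass before it is bound in ISE: every planned portal name is present as a DNS SAN, and the certificate's public key matches the private key behind the CSR. The hostnames are the thread's constructed examples, the self-signing step only stands in for the public CA, and it assumes openssl 1.1.1 or newer; in a real deployment the CSR is generated inside ISE, as the reply recommends, and the second check is what a "private key" error at upload time is usually about.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco: builds a CSR with the
# SAN layout from the reply, signs it with a stand-in "CA" (self-signed), then
# checks the result the way a returned certificate should be checked before
# binding it in ISE. Hostnames are constructed; requires openssl >= 1.1.1.
set -e

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/portal.key"
CSR="$WORK/portal.csr"
CRT="$WORK/portal.crt"
SANS="DNS:guest1.company.com,DNS:guest2.company.com,DNS:sponsor.company.com"

# Private key and CSR: the CN is only a label, the SANs carry the real portal names.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$KEY" -out "$CSR" -subj "/CN=ISE Guest" \
    -addext "subjectAltName=$SANS" >/dev/null 2>&1
}

# Stand-in for the public CA: sign the CSR with its own key, carrying the SANs over.
sign_csr_stub() {
  printf 'subjectAltName=%s\n' "$SANS" > "$WORK/san.cnf"
  openssl x509 -req -in "$CSR" -signkey "$KEY" -days 1 -sha256 \
    -extfile "$WORK/san.cnf" -out "$CRT" >/dev/null 2>&1
}

# Check 1: every portal name guests will be redirected to is present as a DNS SAN.
cert_has_sans() {
  cert="$1"; shift
  text=$(openssl x509 -in "$cert" -noout -text)
  for name in "$@"; do
    case "$text" in
      *"DNS:$name"*) ;;
      *) echo "missing SAN: $name" >&2; return 1 ;;
    esac
  done
}

# Check 2: the certificate's public key must match the private key behind the CSR.
# A certificate issued against some other key is what ISE rejects at upload time.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Whole flow: CSR, stand-in signing, both checks, and a deliberate key mismatch.
run_demo() {
  make_csr && sign_csr_stub
  cert_has_sans "$CRT" guest1.company.com guest2.company.com sponsor.company.com
  cert_matches_key "$CRT" "$KEY"
  openssl genpkey -algorithm RSA -out "$WORK/other.key" >/dev/null 2>&1
  if cert_matches_key "$CRT" "$WORK/other.key"; then
    echo "unexpected: certificate matched an unrelated key" >&2; return 1
  fi
  echo "certificate carries all SANs and matches the CSR key"
}

run_demo
```

Running it prints one line on success; the two check functions can be pointed at the real certificate and key (exported from ISE, or wherever the CSR was generated) to confirm the CA returned what was asked for before anyone opens a support case about the "private key" error.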

ivan.martin
Level 1

Hi Arne

It's a bit confusing. Should guest1 and guest2 be resolved by public DNS, or by using ip host on ISE? guest1/guest2 or portalguest.company.com? We will have only the one name, portalguest.company.com, that will resolve by public DNS.

guest1.company.com -> ISE1 gig0 IP address

guest2.company.com -> ISE 2 gig0 IP address

Thank you. Regards.

Yes this is a common point of confusion. But it's not an issue at all. Do not confuse the public IP address space with DNS domains. 

You can operate the same DNS domain (e.g. *.company.com) for both internal use and external (public) use.  If you want to get a cert from a public CA then you can only get a cert for a public domain (that you can prove ownership of).

You do not expose the ISE interface to the internet (or to a public IP address) - you use RFC1918 for guest.

Let's say your DNS looks like this now:

ise1.company.local - 10.10.10.10

ise2.company.local - 10.10.10.11

Then all you do is to add two more A records in your INTERNAL FACING DNS Zone for *.company.com

guest1.company.com -> 10.10.10.10

guest2.company.com -> 10.10.10.11

When clients get redirected by ISE to the Guest Portal on ISE 1, the clients will try to resolve https://guest1.company.com:8443/... - the DNS comes back with 10.10.10.10 and then the client establishes a TCP session to 10.10.10.10. And HTTPS rides on top of that TCP connection.

You do NOT have to publish guest1 and guest2 into the PUBLIC DNS space.

Having said that, there is nothing wrong with that approach, since you can then include in the Guest DHCP settings the public DNS server like 8.8.8.8 (instead of exposing your company's DNS server for Guest users).  When a guest resolves guest1.company.com, then the result is still 10.10.10.10 - and the TCP connection follows as normal. This is not a security exposure - you're not making yourself vulnerable to the whole world!!! Since 10.10.10.10 means nothing to someone who is not on your network. So it's not an issue.