2392 Views | 0 Helpful | 4 Replies

Cisco-recommended certificate for each ISE distributed deployment role

pcno
Level 1

Hi All,

What are the best practices to use a certificate for Cisco ISE services?

What does Cisco recommend for each role in an ISE distributed deployment?


Example:
Admin Portal: Better to use the Self signed certificate or Public Certificate?
EAP: Self Signed or Public Certificate?
BYOD: Public Certificate
RADIUS: Self-signed Certificate or Public Certificate?

 

Onboarding devices include all platforms. Please help me select the best Cisco-recommended public/private cert for each role... I heard that using a public cert on the EAP & RADIUS role will fail onboarding.

 

Cisco Live videos don't talk about public/private certs per role in a distributed deployment; it is confusing.

Thank you.

4 Replies

Sven Hruza
Level 4

I use the same public certificate for all parts.

Self-signed certificates are always a bad thing, from my point of view.

But this is my own opinion.

Arne Bier
VIP

I think this could turn into a religious debate ;-)

 

I would say though that when accessing ISE Admin web interfaces (or any https portal) it's pretty sane to get a public CA to sign that cert, only because you will have various people (admins) who will be accessing the ISE GUI with all sorts of browsers - some, like Firefox, don't use the underlying OS's cert store. So you'll get warnings if you sign the ISE Admin cert with your company's PKI ... no errors in Chrome/IE/Edge - but Firefox will claim that the site is untrustworthy. Therefore - if you can spare the few $$$ then buy a cert from a reputable CA. Problem is, you sometimes need to find the person in the organisation who can apply for these things, etc. - and there is some money involved.

My opinion regarding EAP certs is that if you can get away with using a public cert then fine. It's perfectly acceptable to have your company's PKI create ISE EAP certs if you're only going to connect clients to the network that were provisioned by that same PKI group. They push the trusted CA cert onto clients, and then you don't get warnings. 

If however you are doing 802.1X with EAP-PEAP and you want people to connect for BYOD etc., then you had better get a public CA to sign that cert, or else face endless questions about "why is my device asking me to trust this certificate thingy?"

Be careful with Subject Common Name wildcard certs for EAP purposes when used on Windows devices - they don't trust them. I think DigiCert has a workaround for that somehow - I have not seen one in action, but I believe it's an attribute in their wildcard certs that allows Windows clients to work.

Sadly, ISE doesn't allow us to install more than one EAP System cert - other vendors support that, which is quite handy - e.g. for the BYOD use a public signed cert, and for internal stuff like corp laptops, use another cert from internal PKI. And for mergers and acquisitions (or any migration) this can be quite handy. 

 

For portal certs it's obviously always public CA certs, unless you're testing in the lab.
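The cautions in the reply above (a private CA trips browsers such as Firefox that keep their own trust store, a wildcard Common Name is rejected by the Windows native supplicant for EAP, and BYOD clients prompt when the EAP cert chains to an internal PKI) can be turned into a quick pre-install check. The following is an added example, not code from the thread or from Cisco: it parses the text that `openssl x509 -noout -subject -issuer -ext subjectAltName -in node.pem` prints and reports findings for the admin, portal and EAP roles. The two certificate samples, the host names and the `PUBLIC_CA_MARKERS` list are constructed placeholders; in practice the issuer check should be made against the trust stores your clients actually carry.

```python
"""Added example: check an ISE node certificate's CN/SAN/issuer against
the per-role cautions discussed in the thread. Not Cisco's code."""
import re

# Constructed sample: openssl output for a hypothetical wildcard cert
# issued by an internal PKI. Names are placeholders, not real hosts.
SAMPLE_WILDCARD_INTERNAL = """\
subject=CN = *.corp.example, O = Example Corp
issuer=CN = Example Corp Issuing CA 1, O = Example Corp
X509v3 Subject Alternative Name:
    DNS:*.corp.example, DNS:ise-psn1.corp.example
"""

# Constructed sample: a cert with the node FQDN in the SAN, signed by a
# (hypothetical) public CA.
SAMPLE_PUBLIC_SAN = """\
subject=CN = ise-psn1.corp.example, O = Example Corp
issuer=CN = Example Public CA, O = Example Public CA Ltd
X509v3 Subject Alternative Name:
    DNS:ise-psn1.corp.example, DNS:ise-psn2.corp.example
"""

# Assumption: an issuer containing one of these substrings is treated as a
# public CA. Replace with whatever your client trust stores really contain.
PUBLIC_CA_MARKERS = ("Example Public CA",)


def parse_openssl_text(text):
    """Return (cn, issuer, san_dns_names) from openssl's text output."""
    cn, issuer, sans = None, None, []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("subject="):
            m = re.search(r"CN\s*=\s*([^,]+)", line)
            cn = m.group(1).strip() if m else None
        elif line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        elif "Subject Alternative Name" in line and i + 1 < len(lines):
            # openssl prints the DNS entries on the following, indented line
            sans = re.findall(r"DNS:([^,\s]+)", lines[i + 1])
    return cn, issuer, sans


def assess(role, text, node_fqdn, byod=False):
    """Return findings for using this cert in the given ISE role.

    role: 'admin', 'portal' or 'eap'. byod: whether unmanaged devices
    (which do not carry the internal CA) will authenticate with EAP.
    """
    cn, issuer, sans = parse_openssl_text(text)
    public = any(marker in (issuer or "") for marker in PUBLIC_CA_MARKERS)
    findings = []
    # The node's own FQDN has to be covered by CN or SAN for any role.
    if node_fqdn not in sans and cn != node_fqdn:
        findings.append(f"node name {node_fqdn} missing from CN/SAN")
    # Admin GUI and guest/BYOD portals are opened in arbitrary browsers.
    if role in ("admin", "portal") and not public:
        findings.append("private CA: browsers with their own trust store "
                        "(e.g. Firefox) will warn")
    if role == "eap":
        if cn and cn.startswith("*."):
            findings.append("wildcard CN: Windows native supplicant will "
                            "not trust it for EAP")
        if byod and not public:
            findings.append("BYOD with private CA: unmanaged devices will "
                            "prompt to trust the server certificate")
    return findings


if __name__ == "__main__":
    for role in ("admin", "portal", "eap"):
        print(role, "wildcard/internal:",
              assess(role, SAMPLE_WILDCARD_INTERNAL, "ise-psn1.corp.example", byod=True))
        print(role, "public/SAN:",
              assess(role, SAMPLE_PUBLIC_SAN, "ise-psn1.corp.example", byod=True))
```

Run it against the real output of `openssl x509` for each node's CSR-signed certificate before binding it to a role; an empty list means none of the thread's cautions apply. Note that the wildcard sample passes the node-name check only because the SAN also lists the FQDN explicitly, which is what the Windows supplicant needs regardless of the CN.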

 

Thank you, Arne & Sven,

According to you guys, Cisco recommends using a public cert for all roles in a distributed deployment (we don't use a local AD CA; we buy from a recognized CA by generating a CSR from ISE).
So the configuration must be as follows?
EAP - Public cert
RADIUS - Public cert
Portal - 100% public cert
Admin - Public cert

Will this work on Apple & Mac? I heard that a public cert for EAP and RADIUS gives errors on Apple & Mac.
Can anyone confirm it works? Buying a cert is expensive and a one time step :) 

Please reply back.
Thank you. 

 

thomas
Cisco Employee