Do I need to leverage a wildcard for Radius DTLS in an ISE Cluster?

bbergstrom
Level 1

I currently have a 3-node ISE cluster, using a wildcard cert signed by our internal CA, and need to renew my certs. Do I have to use a wildcard, or can I just use 3 individual, internally CA-signed certs?

1 Reply

Arne Bier
VIP

Wildcards are easier because it's less work for you. But it's also less secure because there is only one private key for all the nodes using that cert - compromising the private key compromises all the nodes. Apart from the scare tactics, it's better IMHO to issue each node with its own cert. Since you're signing them with your internal PKI, there is no $$ cost involved.

Replacing each ISE node's Admin cert causes that node to restart its application services - bear that in mind. Depending on whether your NADs are configured for primary and secondary servers, you could do this in business hours.

Wildcard certs from public CAs (apart from Let's Encrypt) cost more than non-wildcard certs.
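The per-node approach recommended above, as an added example that is not part of the original thread or of any Cisco tooling: one private key and one CSR per ISE node for your internal CA to sign, plus a check that no two nodes ended up sharing a key. The node FQDNs are constructed placeholders; it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example: generate a separate key and CSR for each ISE node so that a
# compromised key affects only that node. Node names below are constructed
# placeholders; replace them with your own deployment's FQDNs.
set -e

OUTDIR="${OUTDIR:-./ise-csrs}"
ISE_NODES="ise-pan-1.example.internal ise-psn-1.example.internal ise-psn-2.example.internal"

gen_node_csr() {
    node="$1"
    mkdir -p "$OUTDIR"
    # One key per node, never reused across the cluster.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$OUTDIR/$node.key" 2>/dev/null
    # CN and SAN both carry the node's own FQDN; no wildcard entry.
    openssl req -new -key "$OUTDIR/$node.key" -out "$OUTDIR/$node.csr" \
        -subj "/CN=$node" -addext "subjectAltName=DNS:$node"
}

gen_all() {
    for n in $ISE_NODES; do gen_node_csr "$n"; done
}

# Succeeds only if every generated key has a distinct public-key fingerprint,
# i.e. the deployment is not silently reusing one key under several names.
keys_are_distinct() {
    total=$(ls "$OUTDIR"/*.key | wc -l | tr -d ' ')
    unique=$(for k in "$OUTDIR"/*.key; do
                 openssl pkey -in "$k" -pubout -outform DER 2>/dev/null | openssl dgst -sha256
             done | sort -u | wc -l | tr -d ' ')
    [ "$total" -eq "$unique" ]
}
```

Submit each `.csr` to your internal CA and install the signed cert on its own node; the restart noted above still applies per node.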