09-10-2013 09:47 AM - edited 03-10-2019 08:53 PM
hello,
I've found a great post from Aaron Woland about how to make/install/use a wildcard certificate.
But there is something that was not answered by his post.
Can I use a wildcard cert to register a node to an ISE deployment? Aka adding a Monitor-only node to an Admin-only node.
Create CSR, receive cert from CA, add CA root, bind cert to CA root, then export key, then import on Mon node, then try to register Mon node? My first test didn't go well.
Any input would be appreciated
09-11-2013 12:24 AM
The new ISE 1.2 does support wildcard certs on the server. Please refer to the below discussion as well.
09-11-2013 10:39 AM
A wildcard certificate uses a wildcard notation (an asterisk and period before the domain name) and allows the certificate to be shared across multiple hosts in an organization. ISE 1.2 supports the use of wildcard certificates. For more information on configuration you can see the below link:
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html#wp1171325
09-18-2013 05:20 PM
No, you should not be able to register the node in ISE by wildcard cert, because to my knowledge certificates are used to secure the link between the node and the ISE device or network.
09-18-2013 10:13 PM
Basant,
I agree with what you are saying, but it seems that your statement contradicts the write-up in the Cisco user guide for 1.2. There are no limitations, and one of the benefits stated by the doc is that you can use wildcard certs as a cost-saving measure, which will allow you to install the cert on all ISE nodes.
I do have a corporate wildcard certificate and I will attempt to register two nodes together and see what the result is.
Also, the true benefit of a wildcard cert is where the CN is *.domain.com; you should not have to generate a CSR where the CN=iseblah.domain.com with a SAN of *.domain.com. I do not think that is a cost-effective wildcard cert, since the CN has the FQDN of the ISE node.
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_man_cert.html
Tarik Admani
*Please rate helpful posts*
02-18-2014 02:26 PM
Hello all,
I am in the process of a new ISE deployment and have come across an issue with the wildcard cert and generating the CSR. I have also spoken with TAC and they are telling me the same thing I am reading in the Cisco doc, so I am missing something somewhere.
I am being told that ISE REQUIRES an FQDN for the CN and then you place the wildcard in the SAN. So far two different CA providers are telling me I cannot generate a wildcard certificate this way. How has anyone else gotten this to work? When I pressed TAC I was told it would probably work with the CN containing the wildcard, but there have been reported issues specifically with Microsoft clients. Considering the cost of the cert is several hundred dollars, I do not want to be wrong.
Brent
10-27-2015 11:35 AM
Hi Tarik,
Did you have any luck with this?
I've got a customer with ISE 1.2.198 and has provided me with a wildcard cert which has the following details:
CN=*.abc.local
SAN=DNS Name ise1.abc.local
SAN=DNS Name ise2.abc.local
SAN=Another 15 or so DNS entries.
Customer is using AD EAP-PEAP(MSCHAPv2) authentication.
Is it possible to simply bind this to each of the ISE nodes (2), as opposed to the standard CSR and separate cert for each?
TIA,
Nick
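Checking whether a cert with the names Nick lists actually covers each ISE node FQDN, as an added example that is not from this thread or from Cisco: the listing is constructed to mirror Nick's post, and the `san_only` flag is an assumption reflecting that most modern supplicants consult only the DNS SANs when any are present and ignore the CN.

```python
"""Which node FQDNs does a wildcard cert's name set cover?

Applies the RFC 6125 wildcard rules: '*' counts only as the entire
leftmost label and matches exactly one label, so *.abc.local covers
ise1.abc.local but not abc.local or psn.site1.abc.local.
"""

# Constructed listing in the same shape as the forum post (not a real cert).
CERT_LISTING = """
CN=*.abc.local
SAN=DNS Name ise1.abc.local
SAN=DNS Name ise2.abc.local
"""


def parse_names(listing):
    """Return (kind, value) pairs: ('CN', name) or ('DNS', name)."""
    names = []
    for line in listing.strip().splitlines():
        line = line.strip()
        if line.startswith("CN="):
            names.append(("CN", line[3:].strip().lower()))
        elif line.startswith("SAN=DNS Name"):
            names.append(("DNS", line[len("SAN=DNS Name"):].strip().lower()))
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style comparison of one cert name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole leftmost label, nowhere else, and the
    # pattern needs at least two fixed labels (no "*.local").
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard stands in for exactly one label: label counts must agree.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covered_by(listing, hostname, san_only=True):
    """True if a usable name on the cert matches the node FQDN.

    With san_only (assumed client behaviour) the CN is ignored whenever
    any DNS SAN exists, which is why an ise3 node would fail here even
    though the CN is *.abc.local.
    """
    names = parse_names(listing)
    dns = [v for k, v in names if k == "DNS"]
    candidates = dns if (san_only and dns) else [v for _, v in names]
    return any(name_matches(n, hostname) for n in candidates)
```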