Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
634
Views
0
Helpful
1
Replies

ISE 2.2 Load Balancing using F5

Go to solution
nnmcnetops
Level 1
Level 1

‎10-15-2018 03:19 PM - edited ‎10-15-2018 03:33 PM

We have an ISE 2.2 deployment consisting of 2 PANs, 2 MnT, and 4 PSN nodes. We are using EAP authentication. All of the nodes have certificates issued by our CA. We are planning on utilizing the F5 to load balance our PSNs. We reviewed the Cisco and F5 Deployment Guide by Craig Hyps and got stuck on the part where we generate the CSRs. In ISE 2.2, it wants us to select the node that we want the CSR to be generated for. If we select all of our 4 PSNs, it will generate 4 CSRs with same CN and SANs (see below). However, In the document is says to generate one CSR then export, then import the signed certificate to the other nodes. Not sure how we can do that if we have 4 certs, one for each node. Any help will greatly be appreciated.

 

Hostname: ISEPSN01

Subject: CN=ise.company.com,OU=X,O=XX,L=City,ST=MD,C=US

Key Length: 2048

Timestamp: Thu, 20 Sep 2018

Friendly Name: isepsn01#Multi-Use

Used for: Multi-Use

Subject Alternative Names: DNS:ise.company.com, DNS:isepsn01.company.com DNS:isepsn02.company.com DNS:isepsn03.company.com DNS:isepsn04.company.com DNS:isesponsor.company.com DNS:isemydevice.company.com

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎10-15-2018 04:13 PM

You are on the right track there. All you need to do is generate a single CSR on the primary admin node. The SAN field including all the nodes in the deployment or a wildcard (I prefer a SAN wildcard with ISE in a subdomain). Based on your example cert you will use a generic name for the CN (ise.company.com) and have already included the CN in the SAN fields. This is a generally accepted good cert in the ISE community.

This cert will be able to be installed on all of your nodes, no need for a CSR per node or a different cert per node.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎10-15-2018 04:13 PM

You are on the right track there. All you need to do is generate a single CSR on the primary admin node. The SAN field including all the nodes in the deployment or a wildcard (I prefer a SAN wildcard with ISE in a subdomain). Based on your example cert you will use a generic name for the CN (ise.company.com) and have already included the CN in the SAN fields. This is a generally accepted good cert in the ISE community.

This cert will be able to be installed on all of your nodes, no need for a CSR per node or a different cert per node.
0 Helpful
Top