Solved: Re: ISE 2.4: What is the purpose of "Enable Server Identity Check" for remote logging?

Nadav · ‎11-13-2018

Hi everyone,

I've checked secure syslog between a PSN node and a MNT node, once with Server Identity Check and once without. As far as I can tell, it's the same TLS handshake.

Also, I could find no mention of this feature within the ISE 2.4 documentation. I'd appreciate any clarification.

Thanks!

Surendra · ‎11-13-2018

Handshake would not change since it's TLS at the end of the day. However, If the identity of the syslog server certificate (CN or SAN) is not the same as the FQDN or the IP Address configured and if the option is checked, then ISE will not establish a session with that target. FYI, this is not a feature introduced in 2.4 but is introduced in 2.0 hence you do not find it in the release notes of the ISE. Besides, such small features may not be included in the release notes.

View solution in original post

Surendra · ‎11-13-2018

Handshake would not change since it's TLS at the end of the day. However, If the identity of the syslog server certificate (CN or SAN) is not the same as the FQDN or the IP Address configured and if the option is checked, then ISE will not establish a session with that target. FYI, this is not a feature introduced in 2.4 but is introduced in 2.0 hence you do not find it in the release notes of the ISE. Besides, such small features may not be included in the release notes.

Nadav · ‎11-13-2018

Thanks. I think it's important to document this feature, since no alarms came up on the PAN when the syslogs didn't arrive correctly to the MnT node. Only when removing this checkbox could I see new syslogs on the MnT.

Just to make sure that the feature is clear for posterity's sake:

If CN of secure syslog certificate is different from FQDN of TLS server (for example MnT syslogs arriving from PSN), it drops the TLS session. Is this correct?

Jason Kunst · ‎11-13-2018

Would recommend submitting ISE feedback and/or log an enhancement