ISE 2.4: What is the purpose of "Enable Server Identity Check" for remote logging?

Nadav
Level 7

Hi everyone,

I've checked secure syslog between a PSN node and a MNT node, once with Server Identity Check and once without. As far as I can tell, it's the same TLS handshake.

Also, I could find no mention of this feature within the ISE 2.4 documentation. I'd appreciate any clarification.

Thanks!

Accepted Solution

Surendra
Cisco Employee
The handshake would not change since it's TLS at the end of the day. However, if the identity of the syslog server certificate (CN or SAN) is not the same as the FQDN or the IP address configured, and if the option is checked, then ISE will not establish a session with that target. FYI, this is not a feature introduced in 2.4 but was introduced in 2.0, hence you do not find it in the release notes of ISE. Besides, such small features may not be included in the release notes.

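As an added illustration of what the accepted answer describes (example code written for this thread, not Cisco's code or the ISE implementation): the TLS handshake and chain validation are the same either way, and the identity check is an extra comparison of the configured remote-logging target (FQDN or IP) against the server certificate's CN/SAN. The certificate fields, hostnames and addresses below are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """Constructed stand-in for the syslog server's certificate identity fields."""
    cn: str
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)


def _dns_match(pattern: str, host: str) -> bool:
    # Case-insensitive comparison; one wildcard is allowed only as the left-most label.
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        labels = h.split(".", 1)
        return len(labels) == 2 and labels[1] == p[2:]
    return p == h


def identity_matches(cert: ServerCert, target: str) -> bool:
    """True if the configured remote-logging target (FQDN or IP) names this cert."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        if cert.san_ip:
            return any(ipaddress.ip_address(i) == ip for i in cert.san_ip)
        return cert.cn == target  # older certs sometimes carry the IP in the CN
    if cert.san_dns:  # when a SAN is present, the CN is not consulted (RFC 6125)
        return any(_dns_match(d, target) for d in cert.san_dns)
    return _dns_match(cert.cn, target)


def tls_session_allowed(cert: ServerCert, target: str, identity_check: bool) -> bool:
    """Chain validation is assumed to have passed (the handshake is the same in both
    cases); with the check enabled, a CN/SAN mismatch is what drops the session."""
    return identity_matches(cert, target) if identity_check else True


if __name__ == "__main__":
    # Constructed MnT certificate and three candidate targets a PSN might be configured with.
    mnt = ServerCert(cn="mnt.example.internal", san_dns=["mnt.example.internal"], san_ip=["10.0.0.5"])
    for target in ("mnt.example.internal", "10.0.0.5", "mnt-old.example.internal"):
        print(f"{target:26} check on: {tls_session_allowed(mnt, target, True)!s:5} "
              f"check off: {tls_session_allowed(mnt, target, False)}")
```

The third target shows the symptom from this thread: with the box checked the session is refused silently, with it unchecked the same handshake succeeds.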

3 Replies

Thanks. I think it's important to document this feature, since no alarms came up on the PAN when the syslogs didn't arrive correctly at the MnT node. Only when removing this checkbox could I see new syslogs on the MnT.

Just to make sure that the feature is clear for posterity's sake:

If the CN of the secure syslog certificate is different from the FQDN of the TLS server (for example, MnT syslogs arriving from a PSN), it drops the TLS session. Is this correct?

Would recommend submitting ISE feedback and/or logging an enhancement.