11-25-2019 06:21 AM - edited 11-25-2019 06:21 AM
Hi All
Our current ISE node is registered as ise.xxx.local
Is it possible to use ise.xxx.com as the EAP certificate?
I presently have the .com wildcard cert used for guest and sponsor portal but I don't think it is setup correctly for EAP. So I wanted to generate a separate .com certificate for EAP.
Just to note, when I tried to generate ise.xxx.com as the cname and SAN DNS name in ISE, I got the message:
Certificate must contain the FQDN 'ISE.xxx.local' or a matching wildcard as a DNS name in the SubjectAlternativeName (SAN) extension.
Currently on 2.4 patch 10
Thanks
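As an added illustration (not Cisco code and not from the thread), here is the DNS-ID matching rule behind the error message quoted above, run over constructed SAN lists for the node FQDN ise.xxx.local; it goes slightly beyond the thread by also showing SAN lists that would pass the check (the node's own FQDN present alongside the .com name, or a wildcard in the node's domain).

```python
"""Check whether a certificate's SAN dNSName entries cover an ISE node FQDN.

Illustrative code, not Cisco's. It applies the usual DNS-ID matching rules
(case-insensitive; a wildcard only as the whole leftmost label, covering
exactly one label) to constructed SAN lists.
"""
from typing import Iterable, Optional


def _norm(name: str) -> str:
    return name.strip().rstrip(".").lower()


def dns_id_matches(san_entry: str, fqdn: str) -> bool:
    """True if a single SAN dNSName entry covers fqdn."""
    entry, host = _norm(san_entry), _norm(fqdn)
    if not entry.startswith("*."):
        return entry == host
    # Wildcard: '*' must be the whole leftmost label and matches one label only.
    suffix = entry[1:]  # e.g. ".xxx.local"
    if "*" in suffix or not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost and "*" not in leftmost


def san_covers_node(san_dns_names: Iterable[str], node_fqdn: str) -> Optional[str]:
    """Return the SAN entry that covers node_fqdn, or None if none does."""
    for entry in san_dns_names:
        if dns_id_matches(entry, node_fqdn):
            return entry
    return None


def check_eap_cert(san_dns_names: Iterable[str], node_fqdn: str) -> str:
    """Summarise the outcome the way the ISE validation message does."""
    hit = san_covers_node(san_dns_names, node_fqdn)
    if hit is None:
        return (f"REJECT: certificate must contain the FQDN '{node_fqdn}' "
                f"or a matching wildcard as a DNS name in the SAN extension")
    return f"OK: '{hit}' covers '{node_fqdn}'"


NODE_FQDN = "ise.xxx.local"  # node hostname from the thread
# Constructed SAN lists (hypothetical certificates) for the scenarios discussed:
COM_ONLY = ["ise.xxx.com"]                      # what the poster tried -> rejected
COM_WILDCARD = ["*.xxx.com"]                    # the guest-portal wildcard -> rejected
DUAL_SAN = ["ise.xxx.com", "ise.xxx.local"]     # node FQDN present -> accepted
LOCAL_WILDCARD = ["*.xxx.local", "guest.xxx.com"]  # wildcard in node domain -> accepted

if __name__ == "__main__":
    for sans in (COM_ONLY, COM_WILDCARD, DUAL_SAN, LOCAL_WILDCARD):
        print(sans, "->", check_eap_cert(sans, NODE_FQDN))
```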
11-25-2019 05:51 PM
11-25-2019 08:50 PM
What Damien said. You basically should not be using the ".local" domain even for internal domains. Instead, you should be using ".net" or something else. With that said, what is done is done :) So, what you need to do is change the hostname in the CLI to an FQDN with the ".com". A few things to keep in mind before doing this:
I hope this helps!
Thank you for rating helpful posts!
11-28-2019 06:32 PM
Hi
Your statement "You basically should not be using ".local" domain for even internal domains. Instead, you should be using ".net" or something else" is not true.
The FQDN that you assign to an ISE node during installation can be an internal (private) domain name, e.g. ise01.local, ise02.local; this is to allow an organisation to maintain whatever internal naming convention they have. And of course you don't want to expose this to the outside world (e.g. in web portal URLs or certificates).
The fact that you may want to present guest.mycompany.com has nothing at all to do with the FQDN of the PSN nodes. You should be using static FQDN overrides in Sponsor Portal and Authorization Profiles for URL redirection.
And also use CNAME DNS records to map guest.mycompany.com to ise01.local - the TCP connection is built on the IP address of the resolved FQDN. If you design this right, then you can separate the host's FQDN from the client presentation layer.
11-28-2019 07:18 PM
11-28-2019 08:45 PM
Oh, I was not implying that your public certs contain a domain of .local; that will never work because a CA cannot create a cert for any private domains.
My point was that we need to separate the transport layer connectivity requirements (FQDN --> IP address) from the presentation layer requirements (cert matching to FQDN).
The easy (lazy) way out is to build ISE nodes using a public domain (e.g. myise01.mycompany.com) - it's convenient to do this because it means that everything else falls into place and you won't need to use static FQDNs for anything. But it's a simplistic design that doesn't always work for all customers. Large customers have complex DNS domains and they like to use internal domains for internal services.
11-29-2019 11:30 AM
Hi Arne-
Can you elaborate on your "is not true" statement about the usage of .local? Because it has been best practice not to use .local for many years now, with plenty of info about it on the www.
Thank you for rating helpful posts!
11-30-2019 04:46 AM
I will have to take back what I said. I misinterpreted what @Damien Miller had written and I didn't consider the distinction of the more recent .local usage. I was not aware that .local had gained a specific usage as a TLD. I don't use it myself, but I have mostly come across customers who use private domains. That was my main objection. And then I had lumped .net and .local into the same category :-(
11-30-2019 06:55 PM
No worries and thank you for the clarification! I wanted to make sure I was not missing something here as well :)
Thank you for rating helpful posts!