ISE as a hosted NAC solution

AMNassiri0210
Level 1

Hi All,

I have come across a distributed ISE design where the ISE deployment is provided as a hosted NAC solution for a client.

Question is, the ISE servers will have an FQDN from the host company, but the certificates issued by the customer's CA will have the customer's DNS/domain appended to them. How would ISE match this certificate and accept it?

As far as I know ISE will look into the SAN extension of the Cert and if the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node.

In this case the SAN extension within the certificate will only have the customer DNS details and not the host company.

How would we get around this?

Thanks.


Accepted Solution

Here is info on ISE certificates. ISE will need to have the correct FQDN and/or IP addresses for correct DNS resolution. It's not meant to be deployed as a hosted solution, but perhaps you could set up a portal for different customers and, under each portal, create a different certificate? And a separate certificate per PSN?
Look at the certificate group tag; use one per customer and per portal?
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0111.html#task_9232D7F51A5241D28DA88F123CB63EED

The certificate is assigned under the portal settings. You could do a different

Some other info:

https://cs.co/ise-guides
https://community.cisco.com/t5/security-documents/ise-security-ecosystem-integration-guides/ta-p/3621164#toc-hId-1853178353


4 Replies

It depends on what you are using the certificate for. If it's for EAP communication, it's not necessary to have the FQDN in the CN or the subject alternative names. But if you are using it for administration login (admin or guest portal), then it's a must to avoid certificate errors. So it depends on the use of the cert.


Thanks Mohammed,

The cert will be used for EAP-TLS and Portals (Guest, BYOD, Sponsor, Self-Registered Guest).

How do we go around this for the portals then?

The way I have done the CSR in the past with an on-premises deployment (customer-owned and managed ISE solution) is like:

CN=CompanyA-ISE

    • SAN  = DNS name - ISE1.company1.local
    • SAN  = DNS name - ISE2.company1.local
    • SAN = IP Address 10.x.x.1
    • SAN = IP Address 10.x.x.2

Now the CSR with the managed solution will have the DNS entry of the host company and not the customer's; I do not know how this would work.

Is there anything the customer can do on their infrastructure like within the CA to include the host company's DNS details etc.?

Appreciate any input.

Thanks. 
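The SAN rule quoted earlier in the thread ("if the SAN contains one or more DNS names, then one of the DNS names must match the FQDN of the Cisco ISE node") can be checked against a CSR's SAN list before the request goes to the customer's CA. The following is an added example, not code from the thread or from Cisco: it models that rule in Python, applies it to the CSR layout the poster described, and shows that adding the host company's node FQDNs as extra dNSName entries is what makes the certificate usable. The host-company domain (`hostco.example`), the IP addresses, and the fallback for IP-only SANs are constructed assumptions, not values from the thread.

```python
# Added example (not from the original thread): models the ISE SAN check quoted
# in the thread so a CSR's SAN list can be tested against each node's FQDN
# before it is submitted to the CA. Domains, hostnames and IPs below are
# constructed placeholders.
import ipaddress
from typing import Iterable, List, Optional, Tuple

# SAN entry as (kind, value): "DNS" for dNSName, "IP" for iPAddress.
SanEntry = Tuple[str, str]


def dns_name_matches(san_name: str, fqdn: str) -> bool:
    """Case-insensitive dNSName match; a leading '*.' covers exactly one label."""
    san = san_name.lower().rstrip(".")
    host = fqdn.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[2:]
        _head, sep, rest = host.partition(".")
        # Wildcard matches one leftmost label only, never the bare domain.
        return bool(sep) and rest == suffix and "*" not in suffix
    return san == host


def _parse_ip(value: str) -> Optional[ipaddress._BaseAddress]:
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None  # malformed iPAddress SAN: never treat as a match


def san_matches_node(sans: Iterable[SanEntry], node_fqdn: str,
                     node_ip: Optional[str] = None) -> bool:
    """Apply the rule from the thread to one ISE node.

    If any dNSName entries exist, one of them must match the node FQDN;
    iPAddress entries do not rescue a DNS mismatch. With no dNSName entries
    at all, an iPAddress entry equal to the node IP is accepted (assumption
    made for this example, not quoted from the thread).
    """
    sans = list(sans)
    dns_sans = [v for k, v in sans if k == "DNS"]
    if dns_sans:
        return any(dns_name_matches(v, node_fqdn) for v in dns_sans)
    if node_ip is None:
        return False
    node = _parse_ip(node_ip)
    return node is not None and any(_parse_ip(v) == node for k, v in sans if k == "IP")


def missing_sans(sans: Iterable[SanEntry],
                 nodes: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the node FQDNs that the SAN list does not cover (nodes: (fqdn, ip))."""
    sans = list(sans)
    return [fqdn for fqdn, ip in nodes if not san_matches_node(sans, fqdn, ip)]


# Constructed scenario. The CSR as the poster built it for an on-prem
# deployment: customer domain only (IPs are placeholders for 10.x.x.1/2).
CUSTOMER_ONLY_CSR_SANS: List[SanEntry] = [
    ("DNS", "ISE1.company1.local"),
    ("DNS", "ISE2.company1.local"),
    ("IP", "10.1.1.1"),
    ("IP", "10.1.1.2"),
]
ON_PREM_NODES = [("ise1.company1.local", "10.1.1.1"),
                 ("ise2.company1.local", "10.1.1.2")]
# In the hosted design the nodes carry the host company's FQDNs
# (hostco.example is an assumed placeholder domain).
HOSTED_NODES = [("ise1.hostco.example", "10.1.1.1"),
                ("ise2.hostco.example", "10.1.1.2")]
# Same CSR with the host-company FQDNs added as extra dNSName entries; the
# customer CA must be willing to sign names outside its own domain.
DUAL_DOMAIN_CSR_SANS: List[SanEntry] = CUSTOMER_ONLY_CSR_SANS + [
    ("DNS", "ise1.hostco.example"),
    ("DNS", "ise2.hostco.example"),
]

if __name__ == "__main__":
    print("on-prem nodes, customer-only SANs, uncovered:",
          missing_sans(CUSTOMER_ONLY_CSR_SANS, ON_PREM_NODES))
    print("hosted nodes, customer-only SANs, uncovered:",
          missing_sans(CUSTOMER_ONLY_CSR_SANS, HOSTED_NODES))
    print("hosted nodes, dual-domain SANs, uncovered:",
          missing_sans(DUAL_DOMAIN_CSR_SANS, HOSTED_NODES))
```

Run as a script it reports that the customer-only CSR leaves both hosted node FQDNs uncovered, while the dual-domain CSR covers them; the IP SANs do not help because the rule only falls back to them when no DNS names are present. The same `missing_sans` check is worth running again on the issued certificate, since a CA may strip SAN entries for domains it does not control.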


Hi Jason,

Thanks for your reply. 

ISE is being hosted for only a single client; I should have worded it correctly, my apologies. It is managed by a third party in their network for this client.

So that is why the DNS and FQDN questions arose: whose to use.

We are trying to add the DNS entries of the managed services team into the client's domain (which is again managed by a third party) so ISE can resolve them. This is work in progress and I will keep you posted.

Thanks again for your time and the links attached.