ISE authentication question for global uses

BrianPersaud

Hi All


We have multiple standalone ISE instances and WLCs worldwide. Users travel between sites.

I want to do an SSID with the same name at all sites that has the same setting for computer authentication, which would allow computers in the Domain Computers AD group to be allowed on the internal LAN.

The issue I face presently is that each ISE instance has its own certificate. So users would have to "forget the network" and reconnect to the SSID when they travel to a different location.

What would be the best approach to accomplish this?


Currently on ISE 2.4 Patch 10 and AIROS 8.5

Thanks


Brian

5 Replies

jj27

What PKI is being used to sign the EAP certificate?

If you are using the same PKI to sign the EAP certificate for the nodes worldwide, you can simply export the EAP certificate with private key from one node and then import into the other nodes and check the box to utilize it for the EAP role. It is a common practice to use the same EAP certificate on multiple PSNs for this very reason.

Hi, we use a Windows CA to sign the certs. Got a question about the process. Every ISE node has a different hostname, e.g. mine is torontoise.domain.local and another may be montrealise.domain.local. I know when generating a certificate, the FQDN has to be in the CN. Can I export this torontoise.domain.local cert and use it in the Montreal ISE for EAP authentication?


Thanks

Issue the certificate using one of the ISE node's as the Subject/CN and then put each other ISE node's FQDN in the SAN field of the certificate.  Then you can install and use the certificate for EAP authentication on all of your ISE nodes.  If the FQDN of the node that is doing the authentication isn't located somewhere within the certificate (i.e. SAN field), then the client will not trust it.

Thanks for the detailed explanation @Colby LeMaire. Just out of curiosity, taking into account that ISE is on .local, would it be possible to use a .com public wildcard certificate as an option for the EAP authentication? Or will it definitely need the .local?

Think about it from the perspective of the client side.  ISE is presenting a certificate and the client must verify that the certificate is valid and trusted.  To do this, the client side checks the following things:

- Is the certificate valid or expired?  Each certificate has a validity period.  The current date/time must be within the valid dates of the certificate.

- Was the certificate issued by a CA that the client already trusts, such as Verisign?  This is based on the client's Certificate Trust List which can be viewed through browser settings.

- Does the certificate belong to the website or server being visited?  The client looks at the FQDN or IP address being visited and verifies that the Subject (CN) matches or that one of the Subject Alternative Name (SAN) fields match.

With that said, if your certificate is issued to "ise.corp.com" but the ISE server's real FQDN in DNS is "ise.corp.local", then the client will see them as different and won't trust it.  You could manipulate DNS to resolve "ise.corp.com" to the server's IP address.  But ISE may not allow you to install the certificate unless its FQDN is in the certificate somewhere.
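The two points made in the answers above, one EAP certificate whose CN is one ISE node and whose SAN lists every node, and the three checks a supplicant performs before trusting it, can be reproduced in a lab with nothing but openssl. The script below is an added example, not code from the thread or from Cisco: it builds a throwaway issuing CA (standing in for the Windows CA), issues a single server certificate for the constructed node names torontoise.domain.local and montrealise.domain.local, and then runs the client-side verification (validity, trusted issuer, hostname match) against each name, including a name that is not in the certificate. The function names, the $WORK directory and the node list are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): one EAP server certificate shared by
# several ISE nodes via SAN, checked the way a supplicant would check it.
# Hostnames and the CA are constructed lab values, not real infrastructure.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Every ISE node that will present this certificate for EAP (constructed names).
ISE_NODES="torontoise.domain.local montrealise.domain.local"

# Stand-in for the enterprise (Windows) CA: a self-signed CA certificate.
make_lab_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Build the subjectAltName value "DNS:node1,DNS:node2,..." from ISE_NODES.
san_list() {
  out=""
  for n in $ISE_NODES; do
    out="${out:+$out,}DNS:$n"
  done
  printf '%s' "$out"
}

# Issue the shared EAP certificate: CN = first node, SAN = all nodes.
# The resulting eap.key + eap.pem pair is what would be imported on each PSN.
issue_eap_cert() {
  primary=$(set -- $ISE_NODES; echo "$1")
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$(san_list)" \
    > "$WORK/eap.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$primary" \
    -keyout "$WORK/eap.key" -out "$WORK/eap.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/eap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/eap.ext" \
    -out "$WORK/eap.pem" >/dev/null 2>&1
}

# The supplicant's view: is the certificate within its validity period, chained
# to a CA in the trust list (ca.pem here), and issued to the node name given?
# Returns 0 when all three checks pass, non-zero otherwise.
client_accepts() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
    "$WORK/eap.pem" >/dev/null 2>&1
}

# Same certificate, but the client has not been given the issuing CA: the
# "trusted issuer" check fails even though the name matches.
client_without_ca_accepts() {
  openssl verify -no-CAfile -no-CApath -verify_hostname "$1" \
    "$WORK/eap.pem" >/dev/null 2>&1
}

# Stand-alone run: print a one-line verdict per node plus a name not in the SAN.
if [ "${1:-}" = "demo" ]; then
  make_lab_ca
  issue_eap_cert
  for n in $ISE_NODES ise.corp.com; do
    if client_accepts "$n"; then echo "$n: accepted"; else echo "$n: rejected"; fi
  done
fi
```

Run it as `sh example.sh demo`. Both node names are accepted because each appears in the SAN, while ise.corp.com is rejected for the reason given in the answer above: the name the client connects to is nowhere in the certificate. Dropping the issuing CA from the client's trust list rejects even a correctly named certificate, which is the second check in the list.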