11-27-2019 11:17 AM
Hi All
We have multiple standalone ISE instances and WLCs worldwide. Users travel between sites.
I want to do an SSID with the same name at all sites that has the same setting for computer authentication that would allow computers in the Domain Computers AD group to be allowed on the internal LAN.
The issue I face presently is that each ISE instance has their own certificate. So users would have to "forget the network" and reconnect to the SSID when they travel to a different location.
What would be the best approach to accomplish this?
Currently on ISE 2.4 Patch 10 and AireOS 8.5
Thanks
Brian
11-27-2019 11:33 AM
What PKI is being used to sign the EAP certificate?
If you are using the same PKI to sign the EAP certificate for the nodes worldwide, you can simply export the EAP certificate with private key from one node and then import into the other nodes and check the box to utilize it for the EAP role. It is a common practice to use the same EAP certificate on multiple PSNs for this very reason.
11-27-2019 12:25 PM
Hi, we use a Windows CA to sign the certs. Got a question about the process. Every ISE node has a different hostname, e.g. mine is torontoise.domain.local and another may be montrealise.domain.local. I know when generating a certificate, the FQDN has to be in the CN. Can I export this torontoise.domain.local cert and use it in the Montreal ISE for EAP authentication?
Thanks
11-27-2019 12:52 PM
Issue the certificate using one of the ISE nodes as the Subject/CN and then put each other ISE node's FQDN in the SAN field of the certificate. Then you can install and use the certificate for EAP authentication on all of your ISE nodes. If the FQDN of the node that is doing the authentication isn't located somewhere within the certificate (i.e. the SAN field), then the client will not trust it.
11-28-2019 10:05 AM
Thanks for the detailed explanation @Colby LeMaire. Just out of curiosity, taking into account that ISE is on .local, would it be possible to use a .com public wildcard certificate as an option for the EAP authentication? Or will it definitely need the .local?
11-28-2019 02:21 PM
Think about it from the perspective of the client side. ISE is presenting a certificate and the client must verify that the certificate is valid and trusted. To do this, the client side checks the following things:
- Is the certificate valid or expired? Each certificate has a validity period. The current date/time must be within the valid dates of the certificate.
- Was the certificate issued by a CA that the client already trusts, such as Verisign? This is based on the client's Certificate Trust List which can be viewed through browser settings.
- Does the certificate belong to the website or server being visited? The client looks at the FQDN or IP address being visited and verifies that the Subject (CN) matches or that one of the Subject Alternative Name (SAN) fields match.
With that said, if your certificate is issued to "ise.corp.com" but the ISE server's real FQDN in DNS is "ise.corp.local", then the client will see them as different and won't trust it. You could manipulate DNS to resolve "ise.corp.com" to the server's IP address. But ISE may not allow you to install the certificate unless its FQDN is in the certificate somewhere.
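The three client-side checks listed in the answer above, and the earlier advice to put every node's FQDN in the SAN of one shared EAP certificate, can be seen working together in a small model. The following is an added example written for this thread, not code from the poster or from Cisco ISE; the certificate fields, node names (torontoise/montrealise/vancouverise), issuer names and dates are constructed sample data, and the name matching follows the usual wildcard rule (a `*` may only stand for the whole leftmost label), which is why a `*.corp.com` certificate can never cover `ise.corp.local`.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Cert:
    """Just the fields the client consults; a real X.509 object has many more."""
    subject_cn: str
    sans: list          # DNS names from the Subject Alternative Name extension
    issuer: str
    not_before: datetime
    not_after: datetime


def _name_pattern_matches(pattern: str, fqdn: str) -> bool:
    """Match one certificate name (CN or SAN entry) against the FQDN in use.

    A wildcard is honoured only as the entire leftmost label, so '*.corp.com'
    covers 'ise.corp.com' but neither 'corp.com' nor 'ise.corp.local'.
    """
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == fqdn
    p_labels, f_labels = pattern.split("."), fqdn.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(f_labels):
        return False
    return p_labels[1:] == f_labels[1:]


def name_matches(cert: Cert, fqdn: str) -> bool:
    """Check 3 from the answer: FQDN must appear as the CN or one of the SANs.
    (Many current clients ignore the CN once any DNS SAN is present, so the SAN
    list is the one that really has to be complete.)"""
    return any(_name_pattern_matches(n, fqdn) for n in [cert.subject_cn, *cert.sans])


def verify_server_cert(cert: Cert, fqdn: str, trusted_issuers: set, now: datetime):
    """Apply the three checks and return (ok, list_of_failure_reasons)."""
    reasons = []
    if not (cert.not_before <= now <= cert.not_after):           # check 1: validity period
        reasons.append("outside validity period")
    if cert.issuer not in trusted_issuers:                       # check 2: trusted CA
        reasons.append(f"issuer {cert.issuer!r} not in trust list")
    if not name_matches(cert, fqdn):                             # check 3: name match
        reasons.append(f"{fqdn!r} not found in CN or SAN")
    return (not reasons, reasons)


# Constructed sample data: one EAP certificate issued to the Toronto node, with the
# other nodes' FQDNs in the SAN, and a hypothetical public wildcard certificate.
SHARED_EAP_CERT = Cert(
    subject_cn="torontoise.domain.local",
    sans=["torontoise.domain.local", "montrealise.domain.local"],
    issuer="CN=Corp-Issuing-CA",
    not_before=datetime(2019, 11, 1, tzinfo=timezone.utc),
    not_after=datetime(2021, 11, 1, tzinfo=timezone.utc),
)
PUBLIC_WILDCARD = Cert(
    subject_cn="*.corp.com",
    sans=["*.corp.com"],
    issuer="CN=Public-CA",
    not_before=datetime(2019, 11, 1, tzinfo=timezone.utc),
    not_after=datetime(2021, 11, 1, tzinfo=timezone.utc),
)
TRUSTED = {"CN=Corp-Issuing-CA", "CN=Public-CA"}   # the client's trust list
CHECK_TIME = datetime(2020, 6, 1, tzinfo=timezone.utc)


def demo() -> dict:
    """Which node / name combinations a client would accept."""
    return {
        "toronto":  verify_server_cert(SHARED_EAP_CERT, "torontoise.domain.local", TRUSTED, CHECK_TIME)[0],
        "montreal": verify_server_cert(SHARED_EAP_CERT, "montrealise.domain.local", TRUSTED, CHECK_TIME)[0],
        # a node added later but never put in the SAN is rejected
        "vancouver": verify_server_cert(SHARED_EAP_CERT, "vancouverise.domain.local", TRUSTED, CHECK_TIME)[0],
        # the .com wildcard only helps if the name in use is really under corp.com
        "wildcard_vs_local": verify_server_cert(PUBLIC_WILDCARD, "ise.corp.local", TRUSTED, CHECK_TIME)[0],
        "wildcard_vs_com":   verify_server_cert(PUBLIC_WILDCARD, "ise.corp.com", TRUSTED, CHECK_TIME)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} {'accepted' if ok else 'rejected'}")
```

One practical caveat when mapping this onto 802.1X: a wireless supplicant never resolves the RADIUS server's FQDN the way a browser does, so the name being compared is whatever the supplicant profile has been told to expect (on Windows, the "Connect to these servers" entry of the EAP settings); leaving that list empty skips check 3 entirely, which is why it is worth populating it with the node names you put in the SAN.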