Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3165
Views
17
Helpful
7
Replies

ISE - CA-signed certificate and subordinates

Go to solution
eng.malak
Level 1
Level 1

‎05-12-2013 02:20 PM - edited ‎03-10-2019 08:25 PM

Hi

i have question about using CA-signed certificate in distributed deployment as i followed the whole steps in " trustsec how to guide" between ISE nodes and CA-Root but what i don't understand how the subordinates come to the scene , are there any certificates that i should get or put between the subordinates and the ISE nodes ?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎05-12-2013 09:37 PM

I need to understand what is the purpose of using certificates here. If you're using certificates for deployment purpose and you need to know what all certs you need.

The Primary Admin Node must trust the Secondary Node Certificates before they can be added to Primary Admin Node. If you are using signed certificates then just the Root CA needs to be uploaded to the Primary Admin  Node. If self-signed certificates are being used then each Secondary certificate needs to be uploaded to the Trusted Root Certification Authorities store on the Primary Admin Node. The primary identity certificate must also be added to the Certificate store of the secondary.

If you'are using certificates for  wireless deployment than and you want end-points to validate the server certificate than I'd say install the root CA and subordinates on the ISE and on the end-points too.

Your subordinate CA would be MySUBCA here in the chain.

MyROOTCA-->Signed -->MySUBCA-->Signed-->MyIdentityCert.

Jatin Katyal


- Do rate helpful posts -

~Jatin

View solution in original post

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to eng.malak

‎05-13-2013 03:45 AM

Yes you need to install the subordinate cert on ISE that is contributing to wireless authentication.

Jatin Katyal


- Do rate helpful posts -

~Jatin

View solution in original post

7 Replies 7

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎05-12-2013 09:37 PM

I need to understand what is the purpose of using certificates here. If you're using certificates for deployment purpose and you need to know what all certs you need.

The Primary Admin Node must trust the Secondary Node Certificates before they can be added to Primary Admin Node. If you are using signed certificates then just the Root CA needs to be uploaded to the Primary Admin  Node. If self-signed certificates are being used then each Secondary certificate needs to be uploaded to the Trusted Root Certification Authorities store on the Primary Admin Node. The primary identity certificate must also be added to the Certificate store of the secondary.

If you'are using certificates for  wireless deployment than and you want end-points to validate the server certificate than I'd say install the root CA and subordinates on the ISE and on the end-points too.

Your subordinate CA would be MySUBCA here in the chain.

MyROOTCA-->Signed -->MySUBCA-->Signed-->MyIdentityCert.

Jatin Katyal


- Do rate helpful posts -

~Jatin

Go to solution
eng.malak
Level 1
Level 1
In response to Jatin Katyal

‎05-13-2013 02:20 AM

Hi Jatin

Thank you for you reply

I already used root certificate for nodes registration and now i am thinking about EAP  and certificate validation so it's just to add subordinate's certificate to all ISE nodes ? and the steps you provided is on the subordinate server itself or the root ?

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to eng.malak

‎05-13-2013 03:45 AM

Yes you need to install the subordinate cert on ISE that is contributing to wireless authentication.

Jatin Katyal


- Do rate helpful posts -

~Jatin

Go to solution
eng.malak
Level 1
Level 1
In response to Jatin Katyal

‎05-13-2013 03:52 AM

Thank you Jatin

Sent from Cisco Technical Support iPhone App

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to eng.malak

‎05-13-2013 03:56 AM

Your welcome. Here is a link from user guide that may help you while working on EAP.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_auth_pol.html

Jatin Katyal


- Do rate helpful posts -

~Jatin
0 Helpful

Go to solution
mojuneja
Level 1
Level 1
In response to Jatin Katyal

‎05-13-2013 08:56 AM

Subordinate CA comes in picture, when you have PKI wherein certificates  are being issued to the end-points from subordinate. In order to support  Distributed ISE deployment you have to create certificates with SAN.

Please refer following link-

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/byoddg.html

0 Helpful

Go to solution
harvisin
Level 3
Level 3

‎05-15-2013 11:10 PM

Hello,

I went threough your query and found the link below which would help you in solving your query.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_cert.pdf

Customers Also Viewed These Support Documents