Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2039
Views
11
Helpful
3
Replies

ISE Certificate SAN

Go to solution
rick505d3
Level 1
Level 1

‎06-23-2022 06:06 AM

Hi,

I am setting up an ISE 3.1 cluster with dedicated PAN, MnT and PSN nodes for a customer. The certificate on ISE for Admin and EAP Authentication roles is signed by Corporate Issuing CA. The certificate contains the FQDN's of all the ISE nodes in the SAN field in "lowercase" like "isepsn01.example.com". Both the corp Root CA and Issuing CA are on in the ISE Trust Store. It happened so that ISE hostname was configured in "uppercase" during initial config after OVA deploy. The makes a node FQDN like "ISEPSN01.example.com". There were no issues registering all nodes to form ISE cluster.

 

The client computer (Windows 10) has wireless profile configured that lists which servers the client will accept the certificate from i.e. "Connect to these servers" field in the settings dialog. However, FQDN's of only ISE PSN nodes are listed here (GPO policy) - and all the names all in lowercase like "isepsn01.example.com". The client computer has a User certificate from the same corp CA, and has both root and issuing CA in its User trust store.

 

When the client attempts to connect to the wireless, ISE didn't show any RADIUS logs. Under Work Center -> Network Access -> Identities, this error was coming against many mac-addresses "12511 Unexpectedly received TLS alert message\; treating as a rejection by the client". The client certificate params looks good, and the Issuing CA seen is the correct one.

 

(1) Is the certificate validation on a Windows client case-sensitive?

 

(2) Do we need to add the ISE PAN and MnT node fqdn's in the client profile "Connect to these servers.." as well? Currently, only PSN's are specified here.

 

(3) Supposing (1) is true, It was simple enough to de-register one PSN node from cluster, rename its hostname to "isepsn01", and test again. This time, the ISE RADIUS logs were showing good number of failure logs with the very same reason "12511 Unexpectedly received TLS alert message\; treating as a rejection by the client". The issuing CA and other client cert details are found to be correct on this page. Event Viewer on the client computer for WLAN just logs error message with "Failure Reason:The driver disconnected while associating.". Any idea what could be the failure reason now?

 

Regards,

Rick.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ahollifield
VIP
VIP

‎06-23-2022 08:14 AM

  1. It is best practice to configure ISE nodes in all lower-case hostnames.  Case-sensitive OS (MacOS and Linux) will care about this; Windows is not case-sensitve.
  2. Do you really need the "connect to servers" message?  I never suggest configuring that because what if you add/remove ISE servers in the future?  What about an ISE upgrade?  Do you really want to have to re-configure your GPO for that?  Trusting the correct Root/issuing CA only should be fine in 99% of cases.
  3. If you are changing the name of the PSN, you should, leave AD, de-register from deployment, change hostname, re-register to deployment, re-join AD.  Also backup certificate files just in case.

 

View solution in original post

3 Replies 3

Go to solution
ahollifield
VIP
VIP

‎06-23-2022 08:14 AM

  1. It is best practice to configure ISE nodes in all lower-case hostnames.  Case-sensitive OS (MacOS and Linux) will care about this; Windows is not case-sensitve.
  2. Do you really need the "connect to servers" message?  I never suggest configuring that because what if you add/remove ISE servers in the future?  What about an ISE upgrade?  Do you really want to have to re-configure your GPO for that?  Trusting the correct Root/issuing CA only should be fine in 99% of cases.
  3. If you are changing the name of the PSN, you should, leave AD, de-register from deployment, change hostname, re-register to deployment, re-join AD.  Also backup certificate files just in case.

 

Go to solution
atsurtsumia
Level 1
Level 1
In response to ahollifield

‎12-27-2022 11:32 AM

Hello!

I have a very similar case. My actual hostname is in upper case example ISE01.domain.local

I raised a certificate signing request to public CA. With SAN name in both Upper and lower case. ISE01.domain.local and ise01.domain.local

After binding the certificate, I noticed that the certificate was issued to my hostname in lowercase Only. ise01.domain.local.
Now, I have to change the hostname, which is fine. But what about a public certificate? will I have to send a new CSR? or I can re-use the existing one?

Thank you

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to atsurtsumia

‎12-27-2022 12:11 PM

No you can use the same one. ALWAYS configure hostnames to lower case
Customers Also Viewed These Support Documents