rick505d3
Beginner

ISE Certificate SAN

Hi,

I am setting up an ISE 3.1 cluster with dedicated PAN, MnT and PSN nodes for a customer. The certificate on ISE for the Admin and EAP Authentication roles is signed by the corporate Issuing CA. The certificate contains the FQDNs of all the ISE nodes in the SAN field in "lowercase", like "isepsn01.example.com". Both the corp Root CA and Issuing CA are in the ISE Trust Store. It so happened that the ISE hostname was configured in "uppercase" during initial config after the OVA deploy. This makes a node FQDN like "ISEPSN01.example.com". There were no issues registering all nodes to form the ISE cluster.

The client computer (Windows 10) has a wireless profile configured that lists which servers the client will accept the certificate from, i.e. the "Connect to these servers" field in the settings dialog. However, only the FQDNs of the ISE PSN nodes are listed here (GPO policy), and all the names are in lowercase, like "isepsn01.example.com". The client computer has a User certificate from the same corp CA, and has both the root and issuing CA in its User trust store.

When the client attempts to connect to the wireless, ISE didn't show any RADIUS logs. Under Work Center -> Network Access -> Identities, this error was showing against many MAC addresses: "12511 Unexpectedly received TLS alert message; treating as a rejection by the client". The client certificate parameters look good, and the Issuing CA seen is the correct one.

(1) Is the certificate validation on a Windows client case-sensitive?


(2) Do we need to add the ISE PAN and MnT node FQDNs in the client profile "Connect to these servers" as well? Currently, only the PSNs are specified here.

(3) Supposing (1) is true, it was simple enough to de-register one PSN node from the cluster, rename its hostname to "isepsn01", and test again. This time, the ISE RADIUS logs were showing a good number of failure logs with the very same reason: "12511 Unexpectedly received TLS alert message; treating as a rejection by the client". The issuing CA and other client cert details were found to be correct on this page. Event Viewer on the client computer for WLAN just logs an error message with "Failure Reason: The driver disconnected while associating." Any idea what could be the failure reason now?

Regards,

Rick.

ahollifield
Beginner

  1. It is best practice to configure ISE nodes with all-lowercase hostnames. Case-sensitive OSes (macOS and Linux) will care about this; Windows is not case-sensitive.
  2. Do you really need the "connect to these servers" setting? I never suggest configuring that, because what if you add/remove ISE servers in the future? What about an ISE upgrade? Do you really want to have to re-configure your GPO for that? Trusting the correct Root/Issuing CA only should be fine in 99% of cases.
  3. If you are changing the name of the PSN, you should leave AD, de-register from the deployment, change the hostname, re-register to the deployment, and re-join AD. Also back up the certificate files, just in case.
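A way to check the name-matching question from (1) directly, as an added example in Python (not code from the original post, nor Cisco's): per RFC 5280 section 7.2 and RFC 6125 section 6.4, a dNSName in the SAN is compared to the expected host name ASCII case-insensitively, so "ISEPSN01.example.com" versus "isepsn01.example.com" should match on any conforming TLS stack. The function below implements that comparison, including the wildcard rules, and runs it over a SAN list and a "Connect to these servers" list that are constructed from the names in the thread (they are assumptions, not the customer's real certificate).

```python
"""Added example (not from the original post or from Cisco ISE): RFC 6125
style dNSName matching, used to check whether a server certificate's SAN
list satisfies the names a client expects.  The SAN list and the
"Connect to these servers" list below are constructed from the names in
the thread, not taken from a real certificate."""


def dns_id_matches(san_entry: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry matches hostname.

    Follows RFC 6125 section 6.4.3 / RFC 5280 section 7.2: the comparison
    is ASCII case-insensitive, a trailing dot is ignored, and a wildcard is
    honoured only as the complete left-most label (it never spans a dot
    and never matches the registrable domain itself).  Partial-label
    wildcards such as "f*o.example.com" are rejected here, which is
    stricter than the RFC permits but is what most TLS stacks do.
    """
    pattern = san_entry.strip().lower().rstrip(".")
    name = hostname.strip().lower().rstrip(".")
    if not pattern or not name:
        return False
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if len(p_labels) != len(n_labels):
        return False
    if "*" not in pattern:
        return p_labels == n_labels
    # Wildcard handling: exactly one "*", alone in the left-most label,
    # and at least two labels to its right (no bare "*.com").
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:]


def find_matching_san(san_dns_names, hostname):
    """Return the first SAN entry that matches hostname, or None."""
    for entry in san_dns_names:
        if dns_id_matches(entry, hostname):
            return entry
    return None


def check_server_list(san_dns_names, allowed_servers):
    """Evaluate a client-side "accept only these servers" list against the
    certificate.  Returns (accepted, rejected): which configured names the
    certificate would satisfy and which it would not."""
    accepted, rejected = [], []
    for server in allowed_servers:
        if find_matching_san(san_dns_names, server) is None:
            rejected.append(server)
        else:
            accepted.append(server)
    return accepted, rejected


# Constructed data modelled on the thread (assumed names): SAN in lowercase,
# ISE hostname in uppercase, and a client profile that only lists the PSNs.
ISE_CERT_SAN = [
    "isepan01.example.com",
    "isemnt01.example.com",
    "isepsn01.example.com",
    "isepsn02.example.com",
]
CLIENT_SERVER_LIST = ["isepsn01.example.com", "isepsn02.example.com"]

if __name__ == "__main__":
    # Uppercase hostname against lowercase SAN: matches, the comparison
    # is case-insensitive.
    print(dns_id_matches("isepsn01.example.com", "ISEPSN01.example.com"))
    print(check_server_list(ISE_CERT_SAN, CLIENT_SERVER_LIST))
```

Since ISE's 12511 message reports a TLS alert it received from the supplicant, running the certificate's SAN entries and the profile's server names through this check tells you whether name matching can be ruled out before digging further on the client; a PAN or MnT name absent from the client list only matters if that node is the one terminating EAP.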