3150 Views · 0 Helpful · 4 Replies

ISE Certificates - Roaming Between Nodes

jonhux891 (Level 1)

What is the best method for deploying EAP certificates within a multi-node deployment where users will roam between sites? Each site has an ISE PSN, and the Admin and MGMT nodes are in a DC.

The root CA of the certs that are presented to clients during authentication is pushed to the device via the MDM solution. If each node is signed individually by the same CA, will the users be able to roam without having to accept another certificate for EAP, or is it best to use a multi-node cert with each node listed as a SAN in the same CSR?

Thanks

Jon

4 Replies

balaji.bandi (Hall of Fame)

The same cert should work for the roaming solution you are looking to deploy.

BB


Hi balaji.bandi

Thanks for the quick reply. When you say 'same cert', do you mean a single cert with each node listed as a SAN, or can each node have an individual cert that is signed by the same CA?

Cheers,

Jon

thomas (Cisco Employee) - Accepted Solution

You have ensured that the root CA cert for the ISE deployment is on each endpoint, so they will trust any of the ISE nodes; that is fantastic. This will work regardless of how you choose to implement your ISE certs - an individual ISE node name per cert or a wildcard cert for the entire deployment.

Hi,

Both deployments should work. The main point is that you need to have the certificate chain in the trusted store of the clients. Whether it's the same CA or multiple CAs, it should be fine.
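As an added illustration of the point made in the accepted answer and in the last reply (example code written for this page, not anything from the thread or from Cisco ISE), the following Go program stands up a constructed root CA in place of the one the MDM pushes, issues from it both a per-node EAP server certificate and a single multi-SAN certificate, and runs the check a supplicant performs against whichever PSN it lands on: chain to the pushed root, server-auth EKU, and that node's FQDN among the SANs. The CA name and the psn-a/psn-b hostnames are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Issue creates a certificate for cn with the given SANs. With parent == nil it self-signs a root CA (a constructed stand-in for the CA the MDM pushes); otherwise it issues an EAP server cert signed by parent.
func Issue(cn string, sans []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // root CA: self-signed, allowed to sign, no EKU restriction on what it issues
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// TrustedForNode mirrors the supplicant's check on the PSN it lands on: the presented cert must chain to the pushed root, carry the server-auth EKU, and list that node's FQDN among its SANs.
func TrustedForNode(root, leaf *x509.Certificate, nodeFQDN string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: nodeFQDN, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
func main() {
	root, rootKey, _ := Issue("Corp ISE Root CA (constructed)", nil, nil, nil)
	siteA, _, _ := Issue("psn-a.corp.example", []string{"psn-a.corp.example"}, root, rootKey)
	multi, _, _ := Issue("psn-a.corp.example", []string{"psn-a.corp.example", "psn-b.corp.example"}, root, rootKey)
	fmt.Println("per-node cert, client on PSN A:", TrustedForNode(root, siteA, "psn-a.corp.example")) // <nil>
	fmt.Println("multi-SAN cert, client on PSN B:", TrustedForNode(root, multi, "psn-b.corp.example")) // <nil>
	fmt.Println("PSN A's cert seen on PSN B:", TrustedForNode(root, siteA, "psn-b.corp.example")) // hostname mismatch error
}
```

Either layout passes as long as the root is in the client's trust store; a certificate that chains to a CA the MDM never pushed fails the same check however its SANs are laid out.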