ISE certificates.

dazza_johnson (Level 5)

Hi there. I read somewhere (I think) that it is recommended to use DIFFERENT certificates on ISE for different purposes, but I cannot recall where I heard this. So you would use one certificate for Admin, one for EAP and one for guest, but you wouldn't, for example, share the same certificate between Admin AND guest.

I can see how guest would be different, using a public CA such as VeriSign for guest portals. But I am curious why not use the same certificate for Admin and EAP if they are both signed by an internal CA? Is there a recommended way here? I can't recall where I heard it :-)

Thanks

DJ

3 Replies

hslai (Cisco Employee)

EAP server certificates are end-user facing, while the admin ones are supposed to be for admins only, except for some known limitations prior to ISE 2.2 that meant they were also used during BYOD and posturing. We may use the same set as long as mixing admin-only and end-user-facing is not an issue.

Ping Zhou (Level 8) - Accepted Solution

It might be helpful to go through the doc to see the differences: https://communities.cisco.com/docs/DOC-68164?mobileredirect=true

To keep things easier, I keep my deployment as:

- Admin cert for clustering and the Admin portal

- EAP cert

- Cert for My Devices portal, sponsor portal and guest portal (public CA signed)

My 2 cents

dazza_johnson (Level 5)

After reading the docs I am going for:

EAP - one EAP certificate shared by all ISE nodes (CN set to something like "eap.customer.com")

Admin - each ISE node to have an individually signed certificate. The thinking here is that if you add another ISE node you don't have to redo the admin cert on all ISE nodes again (which forces a restart of ISE).

Portal - one portal certificate shared by the two nodes doing guest web auth (use the SANs in the certificate)

Thanks guys

DJ
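DJ's plan above rests on one point that is easy to get wrong: a certificate shared by several nodes only works if its subjectAltName lists every FQDN a client will be redirected to, and adding a node later means re-issuing it. The script below is an added example, not code from the thread or from Cisco: it builds a CSR with the SAN list using OpenSSL, self-signs it with the CSR's own key purely so the result can be inspected offline (in a real deployment the CSR goes to the public or internal CA), and then checks which node FQDNs the issued certificate does and does not cover. All hostnames (guest.customer.com, eap.customer.com, ise-psn1..3.customer.com) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco. Builds a CSR whose SANs
# cover every node that will present the certificate, self-signs it so the
# example runs offline (a real CSR goes to the CA), and checks SAN coverage.
# Hostnames are assumptions for illustration.
set -eu

WORK=$(mktemp -d)

# write_req_cfg CFG CN HOST... : OpenSSL request config with CN and SANs.
# The CN is repeated in the SAN list because modern supplicants and
# browsers match hostnames against subjectAltName only and ignore CN.
write_req_cfg() {
  cfg=$1; cn=$2; shift 2
  sans="DNS:$cn"
  for h in "$@"; do sans="$sans,DNS:$h"; done
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[dn]
CN = $cn
[v3_req]
subjectAltName = $sans
EOF
}

# make_cert NAME CN HOST... : key + CSR + lab-only self-signed cert in $WORK.
make_cert() {
  name=$1; shift
  write_req_cfg "$WORK/$name.cfg" "$@"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$name.cfg" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  # Self-sign only so the example is self-contained; keep the v3_req
  # extensions so the SANs survive into the certificate, as a CA would.
  openssl x509 -req -days 365 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
    -extfile "$WORK/$name.cfg" -extensions v3_req -out "$WORK/$name.crt" 2>/dev/null
}

# cert_sans CRT : print the DNS SANs of a certificate, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# missing_sans CRT HOST... : print hosts absent from the SAN list;
# return 1 if any are missing, 0 if the certificate covers all of them.
missing_sans() {
  crt=$1; shift
  sans=$(cert_sans "$crt")
  rc=0
  for h in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF "$h"; then
      echo "$h"; rc=1
    fi
  done
  return $rc
}

# Portal cert shared by the two PSNs doing guest web auth: the portal FQDN
# plus each node's own FQDN, since the browser may land on either node.
make_cert portal guest.customer.com ise-psn1.customer.com ise-psn2.customer.com
# EAP cert shared by every PSN: the name the supplicants are told to expect.
make_cert eap eap.customer.com ise-psn1.customer.com ise-psn2.customer.com ise-psn3.customer.com

echo "portal SANs:"; cert_sans "$WORK/portal.crt"
if missing_sans "$WORK/portal.crt" ise-psn1.customer.com ise-psn2.customer.com; then
  echo "portal cert covers both guest nodes"
fi
# Adding a third guest node without re-issuing the certificate is caught here:
missing_sans "$WORK/portal.crt" ise-psn3.customer.com || echo "^ not covered, re-issue the portal cert"
```

The same `make_cert` call covers the shared EAP certificate: one CSR with eap.customer.com as CN and every PSN in the SAN list, with the issued certificate and its private key imported onto each node. The coverage check is what you would run against the certificate the CA actually returns, since some CAs drop or rewrite requested SANs.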