Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
911
Views
7
Helpful
3
Replies

ISE certificates.

Go to solution
dazza_johnson
Level 5
Level 5

‎04-19-2017 05:19 PM

Hi there. I read somewhere (I think) that it is recommended to use DIFFERENT certificates on ISE for different purposes, but I cannot recall where I heard this....... So you would use one certificate for Admin, one for EAP and one for guest - but for example you wouldn't share the same certificate between Admin AND guest.

I can see how guests would be different, using a public CA such as verisign for guest portals. But curious why not use the same certificate for Admin and EAP - if they are both signed by an internal CA? Is there a recommended way here - I can't recall where I heard it :-)

Thanks

DJ

1 Accepted Solution

Accepted Solutions

Go to solution
Ping Zhou
Level 8
Level 8

‎04-19-2017 05:41 PM

It might be helpful to go through the doc to see the differences. https://communities.cisco.com/docs/DOC-68164?mobileredirect=true

To keep thing easier, I keep my deployment as

- Admin cert to clustering and Admin portal

- EAP cert

- Cert for my device portal and sponsor portal, guest portal. (Public CA signed)


My 2 cents

View solution in original post

3 Replies 3

Go to solution
hslai
Cisco Employee
Cisco Employee

‎04-19-2017 05:28 PM

EAP server certificates are end-user facing while the admin ones supposed to be for admin only, except that some known limitations prior to ISE 2.2 so that they also used during BYOD and posturing. We may use the same set as long as it not an issue in mixing admin-only and end-user-facing.

Go to solution
Ping Zhou
Level 8
Level 8

‎04-19-2017 05:41 PM

It might be helpful to go through the doc to see the differences. https://communities.cisco.com/docs/DOC-68164?mobileredirect=true

To keep thing easier, I keep my deployment as

- Admin cert to clustering and Admin portal

- EAP cert

- Cert for my device portal and sponsor portal, guest portal. (Public CA signed)


My 2 cents

Go to solution
dazza_johnson
Level 5
Level 5
In response to Ping Zhou

‎04-19-2017 08:18 PM

After reading the docs I am going for:

EAP - one EAP certificate shared by all ISE nodes (CN set to something like "eap.customer.com"

Admin - each ISE node to have an individually signed certificate. Thinking here is if you add another ISE node you don't have to redo the admin cert on all ISE nodes again (which forces a restart of ISE)

Portal - one portal certificate shared by the two nodes doing guest web auth (use the SANs in the certificate)

Thanks guys

DJ

Customers Also Viewed These Support Documents