Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2927
Views
15
Helpful
7
Replies

ISE certs types

Go to solution
NETAD
Level 4
Level 4

‎08-22-2018 09:08 PM

Hello, what kind of cert ls is needed on ISE for the following:

 

1-Guest Portal: wildcard publicly signed cert with the wildcard present in the CN and the hostname as one of the SANs?

 

2-EAP-TLS: issued by an internal CA? How should the cert be structured for the client, and server?

 

3-BYOD: use ISE internal CA feature?

 

4-Node registration: use self-signed or the same wildcard cert used for the guest portal?

 

Thanks

 

0 Helpful
4 Accepted Solutions

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎08-22-2018 09:48 PM - edited ‎08-22-2018 09:48 PM

For items 1, 2 and 4 you can use the same public CA issued wildcard cert if you want.  If you do go this route, ensure that the *.ise.domain.com is in the SAN and not the CN.  The CN can be any name you want (ex. it could be CN=ise.domain.com) so long as it is also included as a SAN.  It does not need to be a node hostname.  

 

Admin, EAP, and Guest portals will all work fine with the same wildcard certificate so long as you follow the rules above.  

 

 In regards to 3 for BYOD.  I have leveraged ISE to provision certs for non corporate devices but I have not used ISE to directly issue these.  In past deployments I used ISE to call an internal Microsoft CA via scep then issue the user cert.  I've heard from peers that the ISE CA is more than capable of doing the same.  Depends what you want/need. 

 

View solution in original post

Go to solution
howon
Cisco Employee
Cisco Employee
In response to NETAD

‎08-23-2018 09:59 AM - edited ‎08-23-2018 09:59 AM

Like Damien noted, you just need to make sure the CN includes generic name such as ise.example.com. For the SAN at minimum have ise.example.com (Repeat of what was done for CN) and *.example.com (Wildcard).

For endpoint certificate, the attibributes are auto populated based on the "Certificate Template" on ISE. You can change it by going to Administration > System > Certificates, then on the left menu Certificate Authority > Certificate Template. The one named 'EAP_Authentication_Certificate_Template' is the default template that is used for the endpoints during the BYOD flow, but you can create a new one as well.

View solution in original post

0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee
In response to NETAD

‎08-23-2018 01:45 PM

Not sure which platform you will be using for corp endpoints, but if it is Windows, then you can use certificate template on Windows CA to dictate how the attributes are populated with auto enrollment. As long as the certificates are mutually valid then ISE can authenticate the endpoint. I recommend using UPN or SPN for the CN field in the template for easy integration with ISE. Here is link to the Windows CA Auto enrollment:

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

 

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎08-22-2018 09:48 PM - edited ‎08-22-2018 09:48 PM

For items 1, 2 and 4 you can use the same public CA issued wildcard cert if you want.  If you do go this route, ensure that the *.ise.domain.com is in the SAN and not the CN.  The CN can be any name you want (ex. it could be CN=ise.domain.com) so long as it is also included as a SAN.  It does not need to be a node hostname.  

 

Admin, EAP, and Guest portals will all work fine with the same wildcard certificate so long as you follow the rules above.  

 

 In regards to 3 for BYOD.  I have leveraged ISE to provision certs for non corporate devices but I have not used ISE to directly issue these.  In past deployments I used ISE to call an internal Microsoft CA via scep then issue the user cert.  I've heard from peers that the ISE CA is more than capable of doing the same.  Depends what you want/need. 

 

Go to solution
NETAD
Level 4
Level 4
In response to Damien Miller

‎08-23-2018 09:10 AM

Thanks Damien,

 

So all the ise nodes hostnames must be one of the SANs, the wildcard must be one of the SANs, and anything in the CN?

 

what about the client side certs when using eap-tls?

 

 

 

 

0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee
In response to NETAD

‎08-23-2018 09:59 AM - edited ‎08-23-2018 09:59 AM

Like Damien noted, you just need to make sure the CN includes generic name such as ise.example.com. For the SAN at minimum have ise.example.com (Repeat of what was done for CN) and *.example.com (Wildcard).

For endpoint certificate, the attibributes are auto populated based on the "Certificate Template" on ISE. You can change it by going to Administration > System > Certificates, then on the left menu Certificate Authority > Certificate Template. The one named 'EAP_Authentication_Certificate_Template' is the default template that is used for the endpoints during the BYOD flow, but you can create a new one as well.

0 Helpful

Go to solution
NETAD
Level 4
Level 4
In response to howon

‎08-23-2018 10:05 AM

Thanks. I was inquiring about the corporate endpoints certs structure and issuance.
0 Helpful

Go to solution
howon
Cisco Employee
Cisco Employee
In response to NETAD

‎08-23-2018 01:45 PM

Not sure which platform you will be using for corp endpoints, but if it is Windows, then you can use certificate template on Windows CA to dictate how the attributes are populated with auto enrollment. As long as the certificates are mutually valid then ISE can authenticate the endpoint. I recommend using UPN or SPN for the CN field in the template for easy integration with ISE. Here is link to the Windows CA Auto enrollment:

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

 

0 Helpful

Go to solution
NETAD
Level 4
Level 4
In response to howon

‎09-28-2018 08:09 PM

Hi guys, for a 5 node distributed deployment, what kind of cert do you recommend. The client doesn’t have a pki infrastructure. Is it ok to use the self signed certs or should I have them purchase a wildcard cert with the nodes fqdns in the SAN field? 

0 Helpful
Customers Also Viewed These Support Documents