01-29-2024 02:06 AM
I have deployed ISE with 4 nodes. 2 PANs and 2 PSNs. They are joined to my Active Directory. I made my ISE nodes as Subordinate CA for my root CA. PSNs are using my CA's signed certificates for EAP-TLS.
Their FQDNs are: isepan01.example.com.ge.inc and so on.
My internal domain is: example.com.ge.inc.
I want to use wildcard certificate for BYOD portal and Admin (for Posture, AnyConnect should trust Admin certificate of ISE). I am going to buy well known certificate. For security purposes I want ISE nodes to have subdomain, for example: *.iseinfr.example.com.ge.inc
What steps do I have to take to achieve my goal?
01-29-2024 08:19 AM
I think if you go with the wildcard cert it doesn't matter much how you name ISE portals' FQDNs as long as they fall into the same main domain "example.com.ge.inc". Also, not sure what extra security you would get by adding a subdomain? If you have the right firewall security rules in place, you would be allowing only the ports that should be allowed, and you would be restricting the source IP addresses or maybe using the user contexts to allow only specific IP addresses/users to connect to the ISE admin portal.
Alternatively, if you want to use more specific certs for ISE portals, then you can purchase a multi SANs cert where you add all the portals FQDNs in it, but I think this one has a higher cost compared to the wildcard or the single SAN cert.
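Whether a wildcard or a multi-SAN certificate actually covers the portal and node names is decided by the client's hostname-matching rules, not by the certificate alone. The following is an added example, not code from the thread or from Cisco: a small stand-alone checker that applies the usual RFC 6125 rules (wildcard only as the whole left-most label, matching exactly one label) to the thread's example names, so you can see before buying which FQDNs a `*.iseinfr.example.com.ge.inc` certificate would cover and which still need their own SAN entry. All hostnames and SAN lists below are constructed for illustration.

```python
"""Check which ISE portal/node FQDNs a certificate's SAN entries cover.

Added example (not part of the original thread). Applies the RFC 6125
dNSName matching rules that browsers and most TLS clients use; the
hostnames and SAN lists are constructed from the thread's example domain.
"""
from __future__ import annotations


def hostname_matches_san(hostname: str, san: str) -> bool:
    """Return True if a single dNSName SAN entry covers `hostname`.

    Rules applied:
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is honoured only as the entire left-most label ("*.x.y")
    - the wildcard matches exactly one label: neither zero nor several
    """
    host = hostname.lower().rstrip(".")
    pattern = san.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail:
        # partial wildcards such as "ise*.example.com" are not honoured here
        return False
    host_head, _, host_tail = host.partition(".")
    # the left-most host label must exist and the remainder must match exactly
    return bool(host_head) and host_tail == tail


def coverage_report(sans: list[str], hostnames: list[str]) -> dict[str, str | None]:
    """Map each hostname to the first SAN entry that covers it, or None."""
    return {
        h: next((s for s in sans if hostname_matches_san(h, s)), None)
        for h in hostnames
    }


def uncovered(sans: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames that would need their own SAN entry (or a rename)."""
    return [h for h, s in coverage_report(sans, hostnames).items() if s is None]


# Constructed input modelled on the thread: a wildcard cert for the
# proposed subdomain, checked against node and portal names.
WILDCARD_SANS = ["*.iseinfr.example.com.ge.inc"]
CANDIDATE_HOSTS = [
    "isepan01.iseinfr.example.com.ge.inc",        # node renamed under the subdomain
    "byod.iseinfr.example.com.ge.inc",            # BYOD portal FQDN
    "isepan01.example.com.ge.inc",                # current node FQDN: not covered
    "portal.guest.iseinfr.example.com.ge.inc",    # two labels deep: not covered
    "iseinfr.example.com.ge.inc",                 # subdomain apex: not covered
]

if __name__ == "__main__":
    for host, san in coverage_report(WILDCARD_SANS, CANDIDATE_HOSTS).items():
        print(f"{host:45s} -> {san or 'NOT COVERED'}")
```

Running it shows that the existing node names (`isepan01.example.com.ge.inc`) are not matched by the subdomain wildcard, so either the nodes get portal FQDNs under `iseinfr.example.com.ge.inc` or those names go into the certificate as explicit SAN entries, which is the multi-SAN option mentioned above.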
01-29-2024 12:36 PM
The only advantage I can see for a subdomain is that you can delegate some permissions to this sub-domain, and protect the management of the parent domain. E.g. in a large organisation you might want to give access via API or GUI to managing the DNS to users. If you give users access to example.com.ge.inc then they have access to the entire domain. But by making a sub-domain, you can limit their access to that sub-domain only. This is kind of handy if you want to, say, use Letsencrypt and give the certbot API access only to the iseinfr.example.com.ge.inc subdomain. Sure, the domain in this case is quite a mouthful, but the concept is very useful.
I have been experimenting with Letsencrypt's certbot, using ISE 3.3 latest APIs, and it's now possible to enrol and renew certificates every 60 days. The certbot framework is an amazingly well written application - and the documentation is brilliant.
I have to admit I am not a fan of short-lived Admin certificates because of the upheaval it causes when you have to renew them. I wish there wasn't this update-tax involved - updating a certificate should not be such a disruptive process - web servers have been known to restart in seconds - not 10-15 minutes.
If possible I advocate using organisational PKI signed certs for ISE Admin, with the longest possible lifespan allowed in the organisation - 3 or 5 years or more. There is little to be gained by this obsession to renew certificates for services that are not external facing. It's almost as asinine as the mandate to change passwords every 90 days.
For public facing services, just use Letsencrypt (if you can integrate it) and get a new cert every 60 days.
I'd love to see ISE having native certbot/ACME support for the Portal at least.
01-29-2024 11:28 PM
The reason why we need to use a public certificate as the Admin certificate on ISE is that non-domain computers use the BYOD service and after client provisioning we check posture on those clients. For posture automatic remediation to work, AnyConnect should trust the ISE Admin certificate:
https://community.cisco.com/t5/network-access-control/ise-anyconnect-posture-module-untrusted-certificate/td-p/4403278