12-07-2023 09:26 AM
Hi
Issue with our ISE deployment: the self-signed certs have expired, so the deployment is out of sync. The self-signed certs are multi-use (Admin, Portal, RADIUS DTLS, EAP).
Is there a certain order to renew the self-signed cert and get the deployment back in sync?
Thanks
12-07-2023 09:39 AM
@benolyndav here is the official Cisco ISE guide to renew certificates and the steps required: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217191-configuration-guide-to-certificate-renew.html
FYI, it's recommended not to use the self-signed certificates in production.
12-07-2023 09:31 AM
@benolyndav it's the Admin cert that is used for the ISE nodes to communicate. When you replace this certificate, the ISE services are restarted, so it is best to do this in a change window. Once all nodes have a new Admin certificate, the ISE cluster should be in sync again.
12-07-2023 09:35 AM
Hi
Thanks for that. What's the best way to do this, e.g. what order and steps? Have you any good links for this info at all?
Thanks
12-07-2023 11:08 AM
Hi
Again, thanks.
"When the ISE is installed, it generates a self-signed certificate. The self-signed certificate is used for administrative access and for communication within the distributed deployment (HTTPS) as well as for user authentication (EAP). In a live system, use a CA certificate instead of a self-signed certificate."
When it says user EAP authentication, which users does it refer to? Is it ISE admins?
Also, I've inherited this deployment; what's the downside of using self-signed for this, please?
Thanks
12-07-2023 11:15 AM
@benolyndav the EAP certificate is the certificate presented to the endpoints/client devices when authenticating using dot1x. Generally the EAP certificate is issued by an internal CA (such as Windows AD PKI), which is then trusted by domain computers. Using a self-signed certificate for EAP means the endpoints would not trust this certificate, which would cause authentication issues.
12-07-2023 01:00 PM
Hi
So would the PSN nodes have different certs than the PAN node, e.g. for EAP?
Thanks
12-07-2023 01:03 PM - edited 12-07-2023 01:05 PM
@benolyndav admin certs would be different for each node; the EAP cert can be different or the same cert (multi-domain cert or wildcard).
12-07-2023 11:25 AM
There are many certificates. Some, not all:
1- admin, used to access the GUI of ISE
2- portal cert, used for web auth
3- EAP cert, used for RADIUS EAP-TLS and other EAP auth
When you use a CSR there is a field where you can select what this cert will be used for.
So don't confuse: admin is different from portal.
MHM
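The thread's root problem was an expired certificate that nobody noticed until the deployment fell out of sync. As an added example (not from this thread or from Cisco's documentation), the following POSIX shell helpers check how long the HTTPS certificate presented by each ISE node still has before it expires, so the renewal can be scheduled in a change window rather than forced by an outage. The node names, the port numbers (443 for the admin GUI, 8443 as a typical guest portal port) and the warning threshold are placeholders to adapt to your own deployment.

```shell
#!/bin/sh
# Added example: check remaining validity of the TLS certificate an ISE node serves.
# Requires the openssl CLI. Hostnames and ports below are placeholders.

# cert_ok_for_days FILE DAYS
# Returns 0 if the PEM certificate in FILE is still valid DAYS days from now,
# 1 if it will have expired by then (openssl x509 -checkend takes seconds).
cert_ok_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_summary FILE
# Prints subject and notAfter of the PEM certificate in FILE on one line.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate | tr '\n' ' '
}

# fetch_cert HOST PORT OUTFILE
# Saves the leaf certificate presented on HOST:PORT as PEM into OUTFILE.
# -servername sends SNI so a node hosting several portals returns the right cert.
fetch_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$3"
}

# check_nodes DAYS NODE:PORT [NODE:PORT ...]
# Prints a WARN or OK line per node; returns 1 if any node is inside the threshold.
check_nodes() {
  threshold=$1; shift
  rc=0
  tmp=$(mktemp)
  for target in "$@"; do
    host=${target%:*}
    port=${target#*:}
    if ! fetch_cert "$host" "$port" "$tmp"; then
      echo "ERROR $target: could not retrieve certificate"
      rc=1
      continue
    fi
    if cert_ok_for_days "$tmp" "$threshold"; then
      echo "OK   $target: $(cert_summary "$tmp")"
    else
      echo "WARN $target: expires within $threshold days: $(cert_summary "$tmp")"
      rc=1
    fi
  done
  rm -f "$tmp"
  return $rc
}

# Example invocation (placeholder node names; the PAN first, then the PSNs):
# check_nodes 30 ise-pan-01.example.local:443 ise-psn-01.example.local:443 ise-psn-01.example.local:8443
```

Running the check from cron against every node in the deployment, with a threshold comfortably longer than your change-window lead time, gives the warning this thread's author did not get. It only covers certificates exposed over HTTPS (admin and portal roles); the EAP certificate is presented inside RADIUS/EAP-TLS and is best tracked from the ISE certificate store itself, where the expiry of each role's certificate is listed.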
12-07-2023 11:28 AM