ISE deployment with self signed certs

REJR77
Level 1

Hello

Usually I use certificates signed by an internal CA, but my customer does not have a PKI and we need to deploy an ISE deployment with self-signed certs.

Do we need to add each ISE admin cert in the trusted CA list on the other node? (PAN admin certs on the secondary PAN and vice versa?)

Thx

Accepted Solutions

@REJR77 the certificates need to be trusted, so yes, if using the self-signed certificate, import the admin certificate to the other node.

If the customer has no PKI environment, use a publicly signed certificate for the EAP certificate and PEAP/MSCHAPv2. The clients should already have the public CA certificate in the local computer store, so would trust that certificate. Using PEAP/MSCHAPv2 is no longer recommended though, as this is blocked by Windows Credential Guard. The recommendation is to use user/machine certificates for authentication, for which you will need a PKI environment.

FYI, ISE does have an internal CA built in, but that is recommended for BYOD environments.

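
The trust relationship described in the answer, as an added example that is not part of the original thread and does not touch ISE itself: it uses the `openssl` CLI with throwaway certificates to show that a self-signed admin certificate is rejected by the peer until it is imported, in both directions. The node names `pan1.example.test` and `pan2.example.test` are hypothetical, and each node's trusted certificate list is modelled as a PEM bundle file.

```bash
#!/usr/bin/env bash
# Added example: throwaway lab certificates; node names are hypothetical.
set -euo pipefail

# Create a self-signed cert for <fqdn> in <dir> (stand-in for a node's admin cert).
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Succeed only if <cert> chains to something in <trust_bundle>.
trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint, for comparing an exported cert against the copy
# that arrived on the other node before it is imported.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Walk through the before/after states; echo one result word per check.
mutual_trust_demo() {
  local d a b
  d=$(mktemp -d)
  a=pan1.example.test; b=pan2.example.test
  make_selfsigned "$d" "$a"; make_selfsigned "$d" "$b"
  # Each node's trust store starts out holding only its own certificate.
  cp "$d/$a.pem" "$d/$a.trust"; cp "$d/$b.pem" "$d/$b.trust"
  trusts "$d/$a.trust" "$d/$b.pem" && echo trusted || echo untrusted
  trusts "$d/$b.trust" "$d/$a.pem" && echo trusted || echo untrusted
  # Import in both directions: append the peer's cert to each store.
  cat "$d/$b.pem" >> "$d/$a.trust"; cat "$d/$a.pem" >> "$d/$b.trust"
  trusts "$d/$a.trust" "$d/$b.pem" && echo trusted || echo untrusted
  trusts "$d/$b.trust" "$d/$a.pem" && echo trusted || echo untrusted
  rm -rf "$d"
}

mutual_trust_demo
```

Comparing the `fingerprint` output on the exporting node and on the importing node confirms that the certificate being added to the trust list is the one the peer actually generated.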