1984 Views, 10 Helpful, 3 Replies

ISE distributed deployment Certificate Woes

hisham683
Level 1

We're in the beginning stages of converting the client's wireless environment from separate controllers at each site to a centralized controller with FlexConnect.

We'll be using ISE for 802.1X authentication as well as Guest access. Each site will have a local PSN node that the clients will authenticate against locally, and we will potentially end up with around 80 PSN nodes. (We realize 50 is the maximum number of nodes in a deployment, so we will end up with a separate deployment at some point.)

The issue is installing a certificate on each node that the clients trust when it's signed by the Org's root CA in order for clients to authenticate successfully. As we add more PSNs we have to make sure that PSN has the required certificate in it and we have to create a new CSR just for that node and issue it a cert.

At one point we thought we could just create a wildcard cert that propagates to all the nodes. However, it turns out the Windows clients' native supplicant doesn't seem to trust wildcards when authenticating against ISE, and that idea failed.

At this point the only logical step is that every time we add a node we'd have to create a CSR for a multi-SAN certificate containing the hostnames of all the nodes and then reinstall the cert on all the nodes manually, one by one. Eventually we would have one cert with all the SANs needed and could just renew that one once a year, but we'd still have to re-import it to each node manually.

So is there a better way to do this?


2 Accepted Solutions


Milos_Jovanovic
VIP Alumni

Hi @hisham683,

Regarding certificates, if it will be issued by your internal CA, I believe the restriction of 397 days of validity does not apply. This restriction should be applicable only to public CAs. So, in theory, you could generate one certificate, signed by your internal PKI, containing multiple SANs (of all of your PSNs) which would last for e.g. 3 years. This certificate should be tied to the EAP (and preferably the Admin) role. This certificate would then need to be imported and replaced on each PSN individually.

For Guest access, the most common solution is to use a certificate signed by a public CA, due to the nature of the setup (those should be Guest users, who do not trust your internal PKI). This certificate can also be a wildcard, if that suits you better. Managing this certificate is much easier, as you are uploading it only to the PAN, and it will get distributed across all PSNs automatically once you tie it to a specific portal tag.

If I may ask, why do you want to have a PSN at each location, ending up with so many PSNs? I'm not aware that anyone has had a need for 80 PSNs (I have a global customer, spread across 3 continents, with 70k+ users running on 10 nodes total). With so many nodes, it will be quite a pricey solution, both in terms of initial investment and later operations.

BR,

Milos

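The two certificate cases discussed above (one internal-CA multi-SAN certificate for the EAP/Admin role that has to cover every PSN FQDN exactly, because the Windows native supplicant rejects wildcard names, versus a public wildcard certificate for the guest portal where a wildcard is fine) can be checked mechanically before a CSR is submitted. The following is an added example, not code from the thread or from Cisco ISE; the PSN hostnames, SAN lists and organization name are constructed sample values, and the `openssl req` config fragment it renders is standard OpenSSL syntax rather than anything ISE-specific. It generalizes the thread's case to any inventory of node names: it reports which PSNs are covered by exact SANs, which are reachable only through a wildcard, and which are missing (and therefore force a new CSR), and it renders the multi-SAN request config for the full node list.

```python
"""Multi-SAN certificate planning for ISE policy service nodes (PSNs).

Added example, not from the thread or from Cisco.  Stdlib only.  The PSN
names and SAN lists below are constructed sample data, not a real deployment.
"""

# Constructed sample inventory: the PSN FQDNs that the EAP/Admin certificate
# must cover.  Hypothetical names.
PSN_FQDNS = [
    "ise-psn-site01.corp.example",
    "ise-psn-site02.corp.example",
    "ise-psn-site03.corp.example",
]


def host_matches_san(host: str, san: str) -> bool:
    """RFC 6125-style DNS-ID match: exact, or a wildcard that is the whole
    leftmost label only (*.corp.example matches a.corp.example but not
    a.b.corp.example, and ise-*.corp.example is rejected)."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if "*" not in san:
        return host == san
    san_first, _, san_rest = san.partition(".")
    if san_first != "*" or not san_rest:
        return False  # partial-label or bare "*" wildcards are not accepted
    host_first, _, host_rest = host.partition(".")
    return bool(host_first) and host_rest == san_rest


def coverage_report(psn_fqdns, cert_sans, wildcard_ok=False):
    """Classify each PSN against the DNS SANs of a candidate certificate.

    wildcard_ok=False models the EAP case from the thread: the Windows native
    supplicant does not accept wildcard server names, so only an exact SAN
    counts as covered.  wildcard_ok=True models the guest-portal case, where
    a public wildcard certificate is acceptable.
    """
    report = {"covered": [], "wildcard_only": [], "missing": []}
    for fqdn in psn_fqdns:
        exact = any(host_matches_san(fqdn, s) for s in cert_sans if "*" not in s)
        wild = any(host_matches_san(fqdn, s) for s in cert_sans if "*" in s)
        if exact or (wild and wildcard_ok):
            report["covered"].append(fqdn)
        elif wild:
            report["wildcard_only"].append(fqdn)
        else:
            report["missing"].append(fqdn)
    return report


def openssl_req_config(common_name, dns_names, org="Example Corp"):
    """Render an openssl.cnf fragment for `openssl req -new -config <file>`
    that requests every PSN name as a DNS SAN.  Names are deduplicated and the
    CN is always listed as a SAN too, since supplicants match on SANs."""
    names = []
    for n in [common_name, *dns_names]:
        if n.lower() not in (x.lower() for x in names):
            names.append(n)
    alt = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names, start=1))
    return (
        "[ req ]\n"
        "distinguished_name = dn\n"
        "req_extensions = v3_req\n"
        "prompt = no\n\n"
        "[ dn ]\n"
        f"CN = {common_name}\n"
        f"O = {org}\n\n"
        "[ v3_req ]\n"
        "keyUsage = digitalSignature, keyEncipherment\n"
        "extendedKeyUsage = serverAuth, clientAuth\n"
        "subjectAltName = @alt_names\n\n"
        "[ alt_names ]\n"
        f"{alt}\n"
    )


if __name__ == "__main__":
    # Constructed scenario: the current EAP cert was issued before site03
    # existed and also carries a wildcard, which does not help for EAP.
    current_sans = ["ise-psn-site01.corp.example",
                    "ise-psn-site02.corp.example",
                    "*.corp.example"]
    print("EAP coverage:", coverage_report(PSN_FQDNS, current_sans))
    print("Guest coverage:",
          coverage_report(["guest.corp.example"], ["*.corp.example"],
                          wildcard_ok=True))
    print(openssl_req_config("ise-psn-site01.corp.example", PSN_FQDNS))
```

A node listed under `wildcard_only` or `missing` is one that will fail 802.1X server validation on a Windows native supplicant, so it is the trigger for regenerating the multi-SAN CSR with the full node list and reimporting the new certificate on every PSN, as described in the accepted answer. Writing the rendered config to a file and running `openssl req -new -newkey rsa:2048 -config psn.cnf -keyout psn.key -out psn.csr` produces the request; the keyUsage and extendedKeyUsage lines are the usual values for a server certificate and should be checked against what your internal CA template actually honors.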

3 Replies


hslai
Cisco Employee

Adding to Milos's... 

here is a guide on How To Implement Digital Certificates in ISE 

hisham683
Level 1

I know 80 nodes is overkill, but they're looking for maximum resiliency and making sure each site can still authenticate clients even when their SDWAN is down. Of course Cisco will not object to selling so many!

I think I've resigned myself to this being a management headache we have to deal with, and to making sure each node has the certificate installed as needed. Thanks for your input!