01-12-2020 07:45 AM
Hi All,
I am currently planning an ISE distributed deployment that will consist of 2 x PANs, 2 x MNT nodes and 2 x PSN nodes. The FQDN for all nodes will be associated with our internal domain 'domain.local'.
We want to use public CA-signed certificates for EAP on the PSNs; however, I'm not sure if using an FQDN for the PSN nodes that uses an internal DNS domain name will cause any issues. When creating the CSR for EAP on the PSNs, can we change the CN/SAN entry to use a public domain whilst still keeping the ISE PSNs on the internal domain? Also, is it possible to use a multi-function certificate for the PSN (Admin, EAP, Portal) instead of a certificate for each function?
Thank you
01-12-2020 09:04 AM
01-12-2020 09:30 AM
Hi Damien,
Thanks for the response.
So if I place all of my ISE nodes on domain.com, can I still use internal CA-signed certificates for the Admin function etc. and then just use a public CA-signed certificate for EAP/Portals on the PSNs?
Thank you
01-13-2020 06:59 AM
01-18-2020 12:56 PM
Hi Damien,
Quick question. I have deployed ISE on our internal domain name as I wanted to test a few things before moving it to our public domain name as suggested.
When generating a CSR, I noticed that ISE automatically populates the CN with the FQDN of the host (using $FQDN$), which, as you state, will be rejected by our public cert provider as the CN contains our internal domain. I also noticed that $FQDN$ can be removed in the CSR and a manual entry can be configured, such as ise.company.com. I checked the generated CSR and it only contains ise.company.com and not the internal domain name. Can this be used as an alternative to placing all of the ISE hosts on our public domain?
Hope that makes sense.
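As an added example (not part of this thread or of ISE itself), the shell script below uses openssl to build a CSR whose CN and SAN carry only public names, then runs the check the poster did by hand: confirm that the internal domain never appears in the request. The names ise.company.com, psn01.company.com, domain.local and the organisation are assumed placeholders.

```shell
#!/bin/sh
# Added example: CSR with public CN/SAN only, plus a leak check for the internal domain.
# Assumed placeholder names: ise.company.com (public), psn01.company.com (second SAN),
# domain.local (internal AD domain that must not appear in a public-CA CSR).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PUBLIC_FQDN="ise.company.com"
INTERNAL_DOMAIN="domain.local"

# OpenSSL request config: CN is the public name, SAN lists public names only.
cat > "$WORK/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[ dn ]
CN = $PUBLIC_FQDN
O  = Example Org
[ ext ]
subjectAltName = DNS:$PUBLIC_FQDN, DNS:psn01.company.com
EOF

# make_csr: generate a 2048-bit RSA key and a SHA-256 CSR; prints the CSR path.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/ise.key" -out "$WORK/ise.csr" \
        -config "$WORK/req.cnf" >/dev/null 2>&1
    echo "$WORK/ise.csr"
}

# csr_has_internal_name CSR DOMAIN: exit 0 if DOMAIN appears anywhere in the
# decoded CSR (subject or SAN), 1 if the CSR is clean. Works on any PEM CSR,
# including one exported from ISE.
csr_has_internal_name() {
    openssl req -in "$1" -noout -text | grep -qi "$2"
}

# csr_names CSR: print the subject and the SAN line for review.
csr_names() {
    openssl req -in "$1" -noout -subject
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

CSR="$(make_csr)"
csr_names "$CSR"
if csr_has_internal_name "$CSR" "$INTERNAL_DOMAIN"; then
    echo "REJECT: $INTERNAL_DOMAIN found in CSR"
else
    echo "OK: CSR carries only public names"
fi
```

Point csr_has_internal_name at the CSR exported from the ISE admin UI to verify the same property before submitting it to the public CA.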