
ISE Distributed Deployment DNS domains and certificates

dm2020
Level 1

Hi All,


I am currently planning an ISE distributed deployment that will consist of 2 x PANs, 2 x MNT nodes and 2 x PSN nodes. The FQDN for all nodes will be associated to our internal domain 'domain.local'


We want to use public CA signed certificates for EAP on the PSNs, however, I'm not sure if using an FQDN for the PSN nodes that uses an internal DNS domain name will cause any issues. When creating the CSR for EAP on the PSNs, can we change the CN/SAN entry to use a public domain whilst still keeping the ISE PSNs on the internal domain? Also is it possible to use a multi function certificate for the PSN (Admin, Eap, Portal) instead of a certificate for each function?


Thank you

4 Replies

Damien Miller
VIP Alumni
The FQDN of the nodes has to be found within the SANs of the cert. The problem you will face is that no reputable public CA will sign a cert with a .local domain.

Using an internally issued local TLD cert is no issue for EAP; you can get your managed endpoints to trust it, but it will be an issue for any guest deployment.

I would put ISE on another DNS domain the company owns. You can still join ISE to the .local AD and authenticate endpoints; it would be easier.

Hi Damien,


Thanks for the response.


So if I place all of my ISE nodes on domain.com, can I still use internal CA signed certificates for the Admin function etc and then just use a public CA signed certificate for EAP/Portals on the PSNs?


Thank you

Yes, as long as you have the DNS zones created for ISE to resolve A and PTR records. In other words, domain.com has to resolve, and this is often done on the same DNS server that hosts the domain.local domain, but it doesn't necessarily have to be.

When endpoints get the CWA redirect, they will also have to be able to resolve domain.com to load the guest portal.
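A small pre-deployment check for the two requirements raised in this thread (the node FQDN must appear in the SANs and public CAs will not sign .local names; ISE needs matching A and PTR records). This is an added example, not ISE code or anything from the posts above; node names, addresses and zone data are constructed, and the list of non-public TLDs is an assumption.

```python
# Added example: validate a planned PSN certificate SAN list and the DNS records
# behind it, for the "stay on domain.local" and "move to domain.com" plans.

NON_PUBLIC_TLDS = {"local", "internal", "lan", "corp", "home"}  # assumption: TLDs public CAs refuse


def public_ca_problems(node_fqdn, sans):
    """Reasons a public CA would refuse the CSR, or the cert would not fit the node."""
    problems = []
    for name in sans:
        tld = name.rsplit(".", 1)[-1].lower()
        if tld in NON_PUBLIC_TLDS:
            problems.append(f"{name}: public CAs will not sign names under .{tld}")
    if node_fqdn not in sans:
        problems.append(f"{node_fqdn}: node FQDN missing from the SAN list")
    return problems


def dns_problems(fqdn, forward_zone, reverse_zone):
    """Check that fqdn has an A record and that the PTR for that address points back to it."""
    problems = []
    ip = forward_zone.get(fqdn)
    if ip is None:
        problems.append(f"{fqdn}: no A record")
        return problems
    if reverse_zone.get(ip) != fqdn:
        problems.append(f"{fqdn}: PTR for {ip} is {reverse_zone.get(ip)!r}, expected {fqdn}")
    return problems


def check_node(node_fqdn, sans, forward_zone, reverse_zone):
    """Combined check for one PSN; an empty list means the plan is clean."""
    return public_ca_problems(node_fqdn, sans) + dns_problems(node_fqdn, forward_zone, reverse_zone)


# Constructed zone data: one PSN known under both names, PTR pointing at the public name.
FORWARD = {"ise-psn1.domain.local": "10.0.10.11", "ise-psn1.domain.com": "10.0.10.11",
           "guest.domain.com": "10.0.10.11"}
REVERSE = {"10.0.10.11": "ise-psn1.domain.com"}
PUBLIC_SANS = ["ise-psn1.domain.com", "guest.domain.com"]

if __name__ == "__main__":
    # Plan A: node stays on domain.local, CSR CN/SAN rewritten to the public name only.
    print(check_node("ise-psn1.domain.local", PUBLIC_SANS, FORWARD, REVERSE))
    # Plan B: node moved to domain.com as suggested; the same SANs now cover the node FQDN.
    print(check_node("ise-psn1.domain.com", PUBLIC_SANS, FORWARD, REVERSE))
```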

Hi Damien


Quick question. I have deployed ISE on our internal domain name as I wanted to test a few things before moving it to our public domain name as suggested.


When generating a CSR, I noticed that ISE automatically populates the CN with the FQDN of the host (using $FQDN$), which, as you state, will be rejected by our public cert provider as the CN contains our internal domain. I also noticed that $FQDN$ can be removed in the CSR and a manual entry can be configured, such as ise.company.com. I checked the generated CSR and it only contains ise.company.com and not the internal domain name. Can this be used as an alternative to placing all of the ISE hosts on our public domain?


Hope that makes sense.