09-12-2018 05:21 PM
So the ISE Admin cert seems to map to port 80, 443, and 9060 for the ERS services. The portals are customizable (port and certificate group).
Question:
Is there a way for the ERS/9060 to be mapped to a certificate other than the Admin certificate?
09-12-2018 06:58 PM
I don't believe there is a way to change the ERS port to use anything other than the admin cert. Why would the cert matter for your ERS applications? Presumably you are writing the applications and can accept whatever cert ISE uses.
09-12-2018 08:20 PM
The situation is: This is an off the shelf application (TractionGuest) that, according to the manufacturer, cannot accept the import of additional Root/Intermediate CAs.
The proposed solution is to stand up a new ISE node, sync it with the current deployment, then make it Primary Admin and build it using a more friendly name and cert to accommodate this one application. Doing that is preferred over changing ISE names and certs on the existing nodes, which will impact the current user base.
I wanted to be sure there was no super secret way of using something other than the Admin cert for ERS. Thanks for the confirmation.
09-12-2018 08:47 PM - edited 09-12-2018 08:49 PM
Admin cert has to match the ISE name.
EAP cert has to match the ISE name.
Currently, ISE is called XYZ.customername.local, with a cert from a local CA.
To get a 3rd party cert for Admin, the ISE name would have to change to XYZ.customername.com. Third parties don't issue *.local certs, for obvious reasons. If I change the ISE name to XYZ.customername.com, I also have to change the EAP cert to include XYZ.customername.com. If I push a new EAP cert out, that impacts the clients.
09-12-2018 08:50 PM - edited 09-12-2018 08:52 PM
I disagree. If the EAP cert doesn't match the ISE name, the EAP client will reject it; I've reproduced this in a lab many times. Right now the customer uses 2 all-in-one nodes, both A and P nodes combined. So, it's easy enough to build a separate stand-alone A node, and the EAP cert wouldn't even be used.
But I do agree, this application is suspect, but I have no say in the customer using it.
09-12-2018 08:54 PM
That is not true on the EAP cert at all. That is a misconfiguration on the client's server validation. I have an 18-node deployment with 10 RADIUS PSNs and the EAP cert is radius.mycompany.com. Works perfectly fine.
09-12-2018 08:56 PM - edited 09-12-2018 09:00 PM
What are your ISE names? I'll give it a try in a lab, I've tried this in the past and not had any luck with it, but it's been a while...
09-12-2018 09:05 PM
That could be part of the issue though: your domains at least match.
radius.mycompany.com
with
ise1.mycompany.com
ise2.mycompany.com
etc.
My case is different, in that my cert would need to be:
radius.mycompany.com
with ISE names
ise1.mycompany.local
ise2.mycompany.local
But it's certainly worth trying it again in a lab.
Thanks for the heads up.
09-12-2018 09:37 PM
Thanks, I'll give it a try. Appreciate the assistance.
I will follow up with 2 comments though, while I've got my soapbox handy:
1) Kind of scary if there are no host checks at all with 802.1X... That means a hacker that can nab any private key for any trusted 3rd party cert (and the cert) for a given company can stand up a rogue AP and RADIUS with that cert. If the WiFi client machine's WiFi profile isn't locked down to the 1 and only 1 Trusted CA it SHOULD be trusting (and an internal one...), clients won't have any CRL or hostname or anything to check to make sure the presenter of that cert matches the cert, just that the cert itself is legit, and can try to join and start sending creds--PEAP hashes or worse EAP-GTC clear text passwords... Yes, Private Keys should be guarded with our lives, but we know they often aren't...
2) Would still be nice to be able to select the ERS cert. It runs a different port, so it would be nice to be able to re-map it, like we can do with portals groups mapped to different ports.
I liked it better when I knew I couldn't get the name mismatch to work, you burst my safe-space bubble. ;)
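The two points argued above (that the EAP cert name does not have to equal the ISE node hostname, and that a supplicant which only checks the CA will accept any certificate from any CA it trusts) come down to what the supplicant's server-validation policy actually compares. The following is an added example written for this thread, not code from the discussion or from Cisco ISE: a small model of that decision in Python, with a loosely configured profile beside a locked-down one. The CA labels, hostnames and the policy fields are constructed assumptions that mirror the names used in the thread; real supplicants expose the same knobs under different names (for example a "Connect to these servers" list and a checked set of trusted root CAs on Windows).

```python
"""Model of an 802.1X supplicant's EAP server-certificate validation.

Added illustration for the thread above; not Cisco ISE or any supplicant's
real code. CA names, hostnames and policy fields are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerCert:
    issuer: str            # label of the CA that signed the certificate
    subject_cn: str        # Subject CN as presented
    sans: tuple = ()       # DNS names from subjectAltName


@dataclass(frozen=True)
class SupplicantPolicy:
    validate_server_cert: bool = True
    trusted_cas: frozenset = frozenset()   # empty => every CA in the OS store
    allowed_server_names: tuple = ()       # empty => server name is not checked


def name_matches(pattern: str, hostname: str) -> bool:
    """DNS name comparison with a single leading wildcard label (*.example)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                          # ".example.com"
        if not hostname.endswith(suffix):
            return False
        return "." not in hostname[: -len(suffix)]    # wildcard covers one label only
    return pattern == hostname


def evaluate(policy: SupplicantPolicy, cert: ServerCert, os_store_cas: frozenset):
    """Return (accepted, reason) for a certificate presented during EAP."""
    if not policy.validate_server_cert:
        return True, "server validation disabled: any certificate accepted"
    trusted = policy.trusted_cas or os_store_cas
    if cert.issuer not in trusted:
        return False, f"issuer {cert.issuer!r} is not a trusted CA"
    if not policy.allowed_server_names:
        # This is the case described in the thread: the chain is valid, and nothing
        # else is compared, so the node's own hostname never enters the decision.
        return True, "CA trusted; no server name configured, name not checked"
    presented = (cert.subject_cn, *cert.sans)
    for allowed in policy.allowed_server_names:
        if any(name_matches(allowed, name) for name in presented):
            return True, f"CA trusted and server name {allowed!r} matched"
    return False, "CA trusted, but no presented name matches the configured server names"


# Constructed scenario. The RADIUS EAP cert is radius.mycompany.com even though
# the PSNs are ise1/ise2.mycompany.local, as in the thread.
OS_STORE = frozenset({"Internal-CA", "Public-CA-1", "Public-CA-2"})
RADIUS_CERT = ServerCert("Internal-CA", "radius.mycompany.com", ("radius.mycompany.com",))
# A valid certificate from a different, publicly trusted CA, presented by an
# unexpected host: the situation point 1) above is worried about.
UNEXPECTED_CERT = ServerCert("Public-CA-2", "somehost.example.net", ("somehost.example.net",))

# Loose profile: validate the chain against the whole OS store, check nothing else.
LOOSE = SupplicantPolicy()
# Locked-down profile: one internal CA and an explicit server name list.
LOCKED_DOWN = SupplicantPolicy(
    trusted_cas=frozenset({"Internal-CA"}),
    allowed_server_names=("radius.mycompany.com",),
)


def run_scenarios() -> dict:
    """Evaluate both certificates under both profiles; returns accept/reject per case."""
    cases = {
        "loose/radius": (LOOSE, RADIUS_CERT),
        "loose/unexpected": (LOOSE, UNEXPECTED_CERT),
        "locked/radius": (LOCKED_DOWN, RADIUS_CERT),
        "locked/unexpected": (LOCKED_DOWN, UNEXPECTED_CERT),
    }
    return {name: evaluate(pol, cert, OS_STORE) for name, (pol, cert) in cases.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:20} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

Under the loose profile both certificates are accepted, because the only test is "was it signed by something in my store"; under the locked-down profile only the radius.mycompany.com certificate from the internal CA gets through. Note also that the node hostname (ise1.mycompany.local) is never an input to `evaluate`, which is why a shared EAP cert named radius.mycompany.com works across PSNs whose names differ from it; what makes that safe is the supplicant pinning the CA and the expected server name.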