ISE guest portal certificate query

Brett Verney
Level 1

Hi all,

I have just rolled out ISE 2.0 in a distributed deployment with 2 nodes for a guest wireless network utilising the Sponsor Portal. I am about to generate a CSR for the client's public CA to sign and I want to use a single certificate for both nodes, however the client does not permit wildcard certificates. I believe ISE 2.0 requires a wildcard entry in the SAN field to deploy to both nodes, otherwise two CSRs are required. Is there any way around this? Two certs with multiple SAN entries can get pretty expensive.

Can I use a tool like OpenSSL to generate a single CSR and put both FQDNs in the SAN field? Will ISE allow me to import the one certificate to both nodes and assign to the 'Portal' function?

The environment contains the following:

ISE1.localdomain (primary admin, secondary monitoring, PSN)

ISE2.localdomain (secondary admin, primary monitoring, PSN)

guestportal.publicdomain (guest portal URL that clients are redirected to)


Is the CSR below correct for this deployment?

 

CN=ISE1.localdomain

SAN

DNS = ISE1.localdomain

DNS = ISE2.localdomain

DNS = guestportal.publicdomain

Unfortunately I need to get this right before the CSR is sent to the CA, so if somebody could help confirm all this it would be greatly appreciated!

-Brett
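
The CSR layout asked about above can be built with OpenSSL and read back before it goes to the CA; this is an added example, not part of the original post. The names are copied from the post, while the key size, file names and function names are assumptions.

```shell
#!/usr/bin/env bash
# Build one CSR carrying all three names from the post in subjectAltName,
# then read the SANs back out of the CSR to confirm them before submission.
set -eu

# Names copied from the post; key size and file names are assumptions.
CN="ISE1.localdomain"
SANS="ISE1.localdomain ISE2.localdomain guestportal.publicdomain"

make_csr() {   # usage: make_csr <output-dir>
  dir=$1
  # Minimal request config; the [alt] section is generated from $SANS.
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
    printf '[dn]\nCN = %s\n' "$CN"
    printf '[ext]\nsubjectAltName = @alt\n[alt]\n'
    i=1
    for name in $SANS; do
      printf 'DNS.%d = %s\n' "$i" "$name"
      i=$((i + 1))
    done
  } > "$dir/csr.cnf"
  # New 2048-bit RSA key, written unencrypted (-nodes), so lock the file down.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/portal.key" -out "$dir/portal.csr" \
    -config "$dir/csr.cnf" 2>/dev/null
  chmod 600 "$dir/portal.key"
}

csr_sans() {   # usage: csr_sans <csr-file>  -> one DNS name per line
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

csr_signature_ok() {   # checks the request's self-signature
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Stand-alone run: create the CSR in a temp directory and list its SANs.
out=$(mktemp -d)
make_csr "$out"
csr_sans "$out/portal.csr"
```
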

15 Replies

This is a very vague and open-ended question and there are multiple variables to an ISE Guest design. I would suggest reviewing the following documents to get an understanding of the concepts and flows and post a new question on the community (rather than trying to resurrect one that is several years old) for any specific questions.

ISE Guest Access Prescriptive Deployment Guide 

BRKSEC-3699: Designing ISE for Scale & High Availability - 2018 Orlando (Session Reference deck)

BRKSEC-3697: Advanced ISE Services, Tips and Tricks - 2018 Orlando (Session Reference) 

 

Cheers,

Greg