cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

460
Views
3
Helpful
8
Replies
dgaikwad
Contributor

ISE pxGrid and Certificates question

Hello All,

I have a few queries regarding integrating ISE with IPAM solution from Infoblox.

Since, certificates are pretty important to integrate ISE with other solutions using certificates.

I am going integrate the production instance of IPAM with my test instance of ISE here.

So, what is that, the certificates on IPAM are signed by Commodo, while certificates for ISE are signed by internal intermediate CA server.

Earlier, I had done integration with self-signed certificates, but again those were in test labs, for this one the case is a little different.

The question that I have now is that, if I import the Commodo root certificate and the IPAM application certificate to ISE trusted certificate store and vice versa for IPAM.

Will that still work to allow authentication between ISE pxGrid and IPAM?

Or do I need to have the certificate signed from the CA in order for this integration to work?

Any pointers or ideas?

1 ACCEPTED SOLUTION

Accepted Solutions

No under your pxGrid services in ISE you generate the cert/private key for Infoblox. A screen shot is attached.

If you are doing this in Chrome the pop-up to download the .zip file may not work. In the .zip file, when you get it, should be the Infoblox cert and private key in PEM format along with the ISE internal root cert. There will also be the root cert for the Admin GUI, but Infoblox shouldn’t need that from what I am reading.

View solution in original post

8 REPLIES 8
paul
Advocate

The certificate running the GUI has nothing to do with the certificate that will be used to join the pxGrid.  You should be running your pxGrid using the internal CA running on the ISE servers.  Then you issue a certificate/private key that will be used on Infoblox to join the grid.  You install that certificate/private key combination along with the ISE internal CA root cert into Infoblox when configuring the pxGrid connection.

If I get this correct, then this certificate here, that has only pxgird enabled for is the one that I need to export with the key to Infoblox?

certificate.jpg

Just doing the confirmation, since I am really not that good with certificates though….

Or do I need to export the following that has authentication and other enabled on it to Infoblox?

certificate.jpg

Thank you,

Dinesh

No under your pxGrid services in ISE you generate the cert/private key for Infoblox. A screen shot is attached.

If you are doing this in Chrome the pop-up to download the .zip file may not work. In the .zip file, when you get it, should be the Infoblox cert and private key in PEM format along with the ISE internal root cert. There will also be the root cert for the Admin GUI, but Infoblox shouldn’t need that from what I am reading.

View solution in original post

Well, this is new for me and never had used this feature before as well...

So, I see that I select Generate Single certificate without signing request

And here at the common name, do I need to enter the CN of the ISE server or the Infoblox server?

Further then import these certificates in Infoblox and it should be good to subscribe to the pxGrid service on ISE, right?

The common name can be whatever you want. If you want to put the FQDN of the Infoblox in there that is fine. You can use a generic CN like I showed in the screen shots. This is how you get a certificate/private key to join pxGrid.

Thank you for the quick reply, I will go ahead and try this out and update the thread with results!

There is again one query though, I see that the bundle has also created .key certificate.

I had never used such a kind of certificate before, if possible can you direct me how to use it while importing it in Infoblox?

You can’t use a certificate without a private key. I think the Infoblox wants the cert and key in the same file. Put them together in a file and import that.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel