ISE reboot for certs

MonkeyBear007
Level 1

Yes, we are using old school ISE 2.4, but it's what I have to deal with.
We have:
ISE 1 PAN Primary 192.168.1.10 running 2.4 - Admin, Monitor
ISE 1 192.168.1.20 running 2.4 - just Policy

We need to add the second ISE, which has not been synced for over 2 years:
ISE 2 Admin, Monitor 192.168.2.10
ISE 2 Policy 192.168.2.20

They have not been synced for two years and I'm ready to update the certs for the second ISE 2 admin/monitor server and ISE 2 policy server.
When I click on Multi-use for admin, EAP and portal, it says it needs to reboot the ISE servers, but it doesn't reboot the primary ISE 1, it only affects ISE 2 for each server I update?
Since they have not synced for a long time, are there special commands I need to run, or do I just use the GUI to sync the two, ISE 1 and ISE 2?

4 Replies

MonkeyBear007
Level 1

I notice that the Subject Alternative Names don't have all the ISE nodes.

The ISE 1 admin/monitor server and ISE 1 policy server don't have the ISE 2 admin/monitor server and ISE 2 policy server.
I'm thinking that failover will be a problem since they don't match?
Can't open a support case because we're out of support and end of life.

You have not said whether you have a PKI or not. I assume you must, because you mentioned EAP. Therefore, if you have a PKI infrastructure (e.g. a Windows CA server), then my recommended approach is as follows - let's assume you have a Root CA and one or more Issuing CAs:

  1. Import the PKI Root CA and Issuing CA cert(s) into ISE in the Trusted Certs on every ISE node - tick the first two boxes.
  2. Create a CSR for each ISE node - one by one - tick boxes for Admin and EAP only - in the SAN field, add a DNS entry with the FQDN of that specific ISE node (e.g. ise01.mycompany.local) - the SAN is not used by supplicants, but it's used by web browsers when you browse to that ISE node's GUI.
  3. Submit those CSRs to your PKI and have them signed - e.g. a 3 year web server cert (using the Windows CA web server template) - PKI signed certs are not restricted to 398-day certs - your browser won't complain. Your cyber security might, but that's a whole other discussion.
  4. When you bind that cert back to each ISE node, the ISE node will restart its application services. This is because the Admin cert requires an application restart.
  5. !! Avoid exporting ISE self-generated certs and importing them into other ISE nodes !! - use a PKI. If you don't have Windows CA, then at least install a tool like XCA and do the job with that - it's excellent.
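
Steps 2 and 3 above, and the SAN mismatch MonkeyBear007 noticed, illustrated with a script added here (not from the thread or from Cisco): openssl builds a per-node CSR whose SAN carries only that node's FQDN, and `openssl x509 -checkhost` shows whether an issued PEM cert's SAN covers a given node name. The ise0N.example.local hostnames, output paths and the self-signed stand-in cert are constructed placeholders; ISE generates the real CSR in its GUI, so the openssl CSR only shows the SAN shape to aim for.

```shell
#!/bin/sh
# Added example (not from the thread): one CSR per node with that node's FQDN
# in the SAN, plus a check of whether a PEM cert's SAN covers a node name.
# Hostnames and paths are constructed placeholders.
set -e
# make_node_csr FQDN OUTDIR
# Writes OUTDIR/FQDN.key and OUTDIR/FQDN.csr; the CSR carries exactly one
# SAN entry, dNSName=FQDN, so each node gets its own cert (steps 2 and 5).
make_node_csr() {
  fqdn="$1"; outdir="$2"
  mkdir -p "$outdir"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
}
# csr_san CSRFILE
# Prints the SAN line of the CSR (e.g. DNS:ise01.example.local) so it can be
# checked before the CSR is submitted to the issuing CA (step 3).
csr_san() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
# make_demo_cert FQDN OUTDIR
# Stand-in for the PKI-issued cert: a throwaway self-signed cert with the
# same SAN, written to OUTDIR/FQDN.pem, used only to exercise the check below.
make_demo_cert() {
  fqdn="$1"; outdir="$2"
  mkdir -p "$outdir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$outdir/$fqdn.demo.key" -out "$outdir/$fqdn.pem" \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
}
# cert_covers_fqdn CERTPEM FQDN
# Succeeds only if the cert's SAN matches FQDN; a failure here is the
# mismatch seen when ISE 1's cert does not list an ISE 2 node name.
cert_covers_fqdn() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}
# Stand-alone demo: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_node_csr ise01.example.local "$d"
  echo "CSR SAN: $(csr_san "$d/ise01.example.local.csr")"
  make_demo_cert ise01.example.local "$d"
  for h in ise01.example.local ise02.example.local; do
    cert_covers_fqdn "$d/ise01.example.local.pem" "$h" && echo "$h covered" || echo "$h NOT covered"
  done
fi
```

Run the same `cert_covers_fqdn` check against each node's bound cert with that node's own FQDN; a cert exported from one node and bound on another fails it, which is what step 5 warns against.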


Dustin Anderson
VIP Alumni

Certs are unit specific, so if you change it on the second node, only the second node reboots for the cert to change. This is good, as your whole system will not go offline for a cert change. The downside is you need to load the cert for each admin node.