cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

157
Views
5
Helpful
3
Replies
Beginner

ISE Root CA/LDAP/Policy Set Query

Hi All,

 

Have a seemingly simple issue that I am unable to get my head around with little ISE experience under my belt. Hoping someone can help me understand the changes in configuration I need for this.

 

Essentially, we have an existing customer setup with ISE authentication with Trusted Certificates loaded. The trusted certificate is due to expire in 3 days of time and needs replacing. I have uploaded the new CA certificates provided to ISE.

 

The customer wants to test the new certificate in parallel with the old certificate still there. I guess this means I need to create a a new Authentication Policy set for the new set of CA certificates, but correct me if that's wrong.

 

What confuses me further from here is that there is an LDAP server binding to these certificates. How should I go about binding it to the new and the old certicates at the same time while customer wants to test it?

 

Thank you.

 

 

3 REPLIES 3
Highlighted
Rising star

Re: ISE Root CA/LDAP/Policy Set Query

You do not need to adjust your authentication policies or anything to use both the old and new CA certificates.  Just make sure the new CA certificates that you uploaded to ISE have the checkbox selected for "Trust for client authentication".  When ISE is verifying a certificate for authentication, it just checks all of the trusted CA certificates in its store with that option checked.

For the LDAP binding, there really is no way to use both at the same time.  You would have to change the CA certificate in the LDAP configuration page, test to make sure it works, and if it worked, leave it.  If not, change it back.

Highlighted
Beginner

Re: ISE Root CA/LDAP/Policy Set Query

Thanks Colby. The Trust for Client Authentication tick box was indeed left unticked. I have fixed that bit now. However, I am still getting an LDAP binding error when I try same LDAP server with new Root CA. Could it be an issue with LDAP server itself? How do I troubleshoot that? The certificate expires in couple of days now so really concerned how I can put it together in time.

 

Also for the Authentication Policy, I understand you are suggesting we should not need a new Policy, but if I do not create a new Authentication Policy, how will it refer to the new Certificate? What is the purpose of Authentication Policy then if the new certificate does not need to be referred there every time a certificate expires and is renewed with a new one?

 

 

 

 

Highlighted
Beginner

Re: ISE Root CA/LDAP/Policy Set Query

Update - the problem has been resolved. We had a couple of issues. Firstly, a new policy had to be created however weirdly enough the certificate Issued to field did not match even though we selected certificate from Conditions. We then had to disable the Binary comparison to make it work further.