Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
673
Views
5
Helpful
3
Replies

ISE Root CA/LDAP/Policy Set Query

colossus1611
Level 1
Level 1

‎01-24-2020 12:08 AM

Hi All,

 

Have a seemingly simple issue that I am unable to get my head around with little ISE experience under my belt. Hoping someone can help me understand the changes in configuration I need for this.

 

Essentially, we have an existing customer setup with ISE authentication with Trusted Certificates loaded. The trusted certificate is due to expire in 3 days of time and needs replacing. I have uploaded the new CA certificates provided to ISE.

 

The customer wants to test the new certificate in parallel with the old certificate still there. I guess this means I need to create a a new Authentication Policy set for the new set of CA certificates, but correct me if that's wrong.

 

What confuses me further from here is that there is an LDAP server binding to these certificates. How should I go about binding it to the new and the old certicates at the same time while customer wants to test it?

 

Thank you.

 

 

0 Helpful
3 Replies 3

Colby LeMaire
VIP Alumni
VIP Alumni

‎01-24-2020 08:14 AM

You do not need to adjust your authentication policies or anything to use both the old and new CA certificates.  Just make sure the new CA certificates that you uploaded to ISE have the checkbox selected for "Trust for client authentication".  When ISE is verifying a certificate for authentication, it just checks all of the trusted CA certificates in its store with that option checked.

For the LDAP binding, there really is no way to use both at the same time.  You would have to change the CA certificate in the LDAP configuration page, test to make sure it works, and if it worked, leave it.  If not, change it back.

colossus1611
Level 1
Level 1
In response to Colby LeMaire

‎01-24-2020 05:29 PM

Thanks Colby. The Trust for Client Authentication tick box was indeed left unticked. I have fixed that bit now. However, I am still getting an LDAP binding error when I try same LDAP server with new Root CA. Could it be an issue with LDAP server itself? How do I troubleshoot that? The certificate expires in couple of days now so really concerned how I can put it together in time.

 

Also for the Authentication Policy, I understand you are suggesting we should not need a new Policy, but if I do not create a new Authentication Policy, how will it refer to the new Certificate? What is the purpose of Authentication Policy then if the new certificate does not need to be referred there every time a certificate expires and is renewed with a new one?

 

 

 

 

0 Helpful

colossus1611
Level 1
Level 1

‎01-28-2020 01:52 PM

Update - the problem has been resolved. We had a couple of issues. Firstly, a new policy had to be created however weirdly enough the certificate Issued to field did not match even though we selected certificate from Conditions. We then had to disable the Binary comparison to make it work further. 

0 Helpful
Customers Also Viewed These Support Documents