Need suggestion for ISE distributed deployment model in two different data centers along with public certificate for HTTPS

vinodjad1234
Level 2

Hi Experts,

I am a bit confused about the ISE distributed deployment model.

I have two data centers, one is the DC and the other one is a DR. I have a requirement for guest access service implementation using CWA, and to get a public certificate for HTTPS to avoid certificate errors on client devices:

How do I deploy the ISE personas for HA in these two data centers?

After reading the Cisco doc, I understood that we can have two PANs (Primary in DC and Secondary in DR), and likewise for MnT (Monitoring will be the same as PAN). However, I can have 5 PSNs running in the secondary, i.e. in the DR ISE; however, I have confusion about HA for the PSNs. Since we have all PSNs in the secondary, it would not work for HA if it fails.

Can anybody suggest the best deployment solution for this scenario?

Another doubt about the public certificate:

Public Certificate: The ISE domain must be a registered domain, or part of a registered domain name, on the Internet. For that I need the domain name being used by the customer.

Please correct me if I am wrong about my certificate understanding:

Since guests will be outside users, we cannot use a certificate from the internal CA; we need to get the certificate from a service provider and install the same on both ISE servers.

Can anybody explain the procedure to obtain the public certificate for HTTPS from a service provider? And how do I install it on both ISE servers?

13 Replies

nspasov
Cisco Employee

Hi there. Let me try answering your questions:

PSN HA: The PSNs are not configured as "primary" or "secondary" inside your ISE deployment. They are just PSN nodes as far as ISE is concerned. Instead, inside your NADs (in your case WLCs) you can specify which PSN is primary, which one is secondary, etc. You can accomplish this by:

1. Defining all PSN nodes as AAA RADIUS servers inside the WLC

2. Then, under the SSID > AAA Servers tab, you can list the AAA servers in the order that you prefer. As a result, the WLC will always use the first server listed until that server fails/gets reloaded, etc.

3. As a result, you can have one WLC or SSID prefer PSN server A (located in the primary DC) while a second WLC or SSID prefers PSN server B (located in the backup DC)

Last but not least, you could also place PSNs behind a load balancer, and that way the traffic would be equally distributed between multiple PSNs. However, the PSN nodes must be Layer 2 adjacent, which is probably not the case if they are located in two different Data Centers.

Certificates: Yes, you would want to get a public certificate to service the guest portal. Getting a public/well-known certificate would ensure that most devices out there would trust the CA that signed your ISE certificate. For instance, VeriSign, GoDaddy and Entrust are some of the ones out there that would work just fine. On the other hand, if you use a certificate that was signed by your internal CA, then things would be fine for your internal endpoints that trust your internal CA, but any outsiders (guests, contractors, etc.) that do not trust and do not know who your internal CA is would get a certificate error when being redirected to the ISE guest portal. This in general is only a "cosmetic" issue, and if the users click "continue" and add your CA as a trusted authority, the guest page would load and the session would work. However, most users out there would not feel safe to proceed, and you will most likely get a lot of calls to your helpdesk :)

I hope this helps!

 

Thank you for rating helpful posts!

 

Hi,

Thank you so much for your reply.

So as per your comments, it would be difficult to achieve load balancing across the two data centers' ISE servers, since they are not Layer 2 adjacent (same subnet).

In my scenario, I would be able to configure primary and secondary only for the Admin and Monitoring nodes, not the PSNs... right?

I need not configure anything for the profiling service... right?

About the certificate?

Pretty much clear; however, I just want to understand the way the provider delivers the certificate to us... Do they deliver a Base-64 format or a .cert format file which can be directly imported into the ISE box?


That is correct, you can only put the PSN nodes behind a load balancer if they are L2 adjacent. If they are not, then the PSNs would be acting in an active/standby fashion. Again, keep in mind that you can configure one controller to use the PSN in Data Center A as primary and the PSN in Data Center B as secondary. Then a second controller can be configured to use the PSN in Data Center B as primary and the PSN in Data Center A as secondary. That way you are doing some sort of load sharing.

For profiling: You would have to be more specific in your question.

For Certificates: You should be able to request both DER and Base-64 from your provider. However, this doesn't matter, as ISE would support both formats. The only thing you need to make sure of is that you get all certificates individually and not in a "chain" format. So in most cases this would mean that you have three cert files (maybe four, depending on the provider):

- One for the Root CA

- One for the issuing CA

- One for the ISE cert itself

You need to install the ISE cert and then import the root and intermediate/issuing CA into the trusted store.

I hope this clears things up for you

 

Thank you for rating helpful posts!
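The point above, that ISE wants the root, issuing and node certificates as separate files in either DER or Base-64, as an added worked example (my own stdlib-only Python, not Cisco's or ISE's code): it splits a provider's chain bundle into individual PEM blocks, converts between the two encodings, and rejects a corrupted Base-64 body. The bundle order (node certificate first, root CA last) is an assumption, and the sample payloads are constructed placeholders rather than real X.509 data.

```python
import base64
import binascii
import re

# Matches one PEM certificate; the lazy body group stops at the first END marker.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a Base-64 PEM envelope with 64-character lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM envelope and decode the body; a corrupted body is rejected."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", match.group(1))
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"corrupted Base-64 body: {exc}") from exc

def split_pem_bundle(text: str) -> list:
    """Return each certificate in a chain file as its own PEM string, in file order."""
    return [der_to_pem(pem_to_der(m.group(0))) for m in PEM_RE.finditer(text)]

def split_for_ise(bundle: str) -> dict:
    """Label the pieces as they are imported into ISE: the node cert is bound to the
    CSR, the CA certs go into the trusted store. Assumes the usual bundle order
    (node certificate first, root CA last); confirm with openssl x509 -subject -issuer."""
    certs = split_pem_bundle(bundle)
    if len(certs) < 2:
        raise ValueError("expected the node certificate plus at least one CA certificate")
    named = {"ise-node": certs[0], "root-ca": certs[-1]}
    for idx, pem in enumerate(certs[1:-1], start=1):
        named[f"issuing-ca-{idx}"] = pem
    return named

# Constructed sample bundle: the payloads are placeholder bytes, not real X.509 DER.
SAMPLE_BUNDLE = "".join(der_to_pem(p) for p in (b"ISE-node-cert", b"issuing-CA", b"root-CA"))

if __name__ == "__main__":
    for name, pem in split_for_ise(SAMPLE_BUNDLE).items():
        print(f"{name}: {len(pem_to_der(pem))} DER bytes")
```

Each value in the returned dict can be written to its own file and imported as the text above describes; a provider's DER file is handled by passing its bytes through der_to_pem first.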

Hi guys, and thanks for the good information about this theme.

I am setting up two ISE nodes, primary and secondary, and I was wondering about some related things about the guest setup.

When we are running both nodes with the PSN, how do we do the DNS registration of the portal URL?

Do I have to have a unique URL for each ISE, or do I need to set up the DNS pointing to both of the IP addresses that are set up on the interface of the ISE that is used for the guest portal?

And also a public cert on each ISE pointing to the CN?

 

 

Is it possible to split certificate functions?

i.e. have the internal cert be used for .1X authentications (EAP is checked off) and a public cert be used for the guest portal (HTTPS is checked off)

Yes you can. I have done it many times where the Guest Portals/HTTPS service is attached to a publicly signed certificate while the EAP-based service is attached to a certificate that was signed by the local/internal CA.

I hope this helps!

 

Thank you for rating helpful posts!

Thanks a lot Neno.

I figured it should work, but was worried there may be some function that might break if the uses were split between two different certs.

thanks again!

Andrew

 

No problem! It is a valid question. 

Glad I could help!

 

Thank you for rating helpful posts!

Sorry Neno, just one last clarification on this:

The certificates, both public and private, are the ones contained in the Local Certificate Store, and are bound to ISE using a CSR-created certificate?

The CSR I generate, is it the same one for both?

Thanks, sorry if it is a dumb question.

Andrew

 

Hi Andrew,

Not a dumb question at all! You can generate the CSR using either the internal ISE process/tool or an external tool such as OpenSSL. The former is easier and more user friendly, while the latter requires some basic Linux skills. In the past (ISE ver 1.1.x) I always liked to use OpenSSL due to the lack of flexibility in ISE. However, in v1.2 and later, the internal ISE tool was greatly improved (allows wildcards, SAN fields, etc.)

With all of that being said, if you choose to use the internal tool then you would have to generate a CSR for each request. This is because the CSR that you generate gets removed from the system once you bind it to the signed certificate. So in your situation you will have to generate the CSR twice. Please note, though, that you can only have one CSR at a time, so you would:

1. Generate the CSR

2. Export it and have it signed by the CA

3. Bind the signed cert with the CSR

4. Generate the 2nd CSR

5. Repeat steps 2 and 3

On the other hand, if you choose to use OpenSSL, you can use the same CSR twice. Just make sure that you keep the private key safe! :)

I hope this helps!

 

Thank you for rating helpful posts!

My answers below:

Q1: When we are running both nodes with the PSN, how do we do the DNS registration of the portal URL?

NS: The PSNs just need to be resolvable via DNS. You don't have to make the actual web portal resolvable via DNS.

Q2: Do I have to have a unique URL for each ISE, or do I need to set up the DNS pointing to both of the IP addresses that are set up on the interface of the ISE that is used for the guest portal?

NS: You just need to make sure that both ISE servers are in DNS for both the forward and the reverse lookup zones.

Q3: And also a public cert on each ISE pointing to the CN?

NS: Not sure what you mean here, but I will try to answer it based on my assumptions. Each ISE node will need to have a publicly signed certificate. The cert can be a wildcard one or one dedicated to each node.

 

Thank you for rating helpful posts!

Thanks Neno, I think I got this now :)

No problem! Glad I could help! :)

 

Thank you for rating helpful posts!
