Onboarding on a separate cluster

steven.vandyk
Level 1

Hi there

I have a customer with an ISE 2.0 cluster (2 nodes) running RADIUS services for wired and wireless.

Now they want wireless onboarding, and because of some certificate issues with 2.0, we have deployed a separate 2.2 node for onboarding.

The onboarding itself works, however in the onboarding profile, I am pointing to the same SSID that the RADIUS users are using.

So this request arrives on the 2.0 cluster, and the client doesn't trust this server(s) (he got the certificate from the 2.2 cluster).

Any way to add the certificate of the 2.0 cluster in the onboarding? Or another way to achieve this (with RADIUS proxy for example)?

Thank you

Steven

Accepted Solutions

Jason Kunst
Cisco Employee

No, the client has to trust the certificate of every RADIUS server in the deployment.

The recommendation is to install a well-known certificate with a wildcard in the SAN, so once the client trusts one server in the deployment, they can subsequently trust any other servers in the deployment.

http://www.networkworld.com/article/2225032/infrastructure-management/what-are-wildcard-certificates-and-how-do-i-use-them-with-ciscos-ise.html

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0110.html#ID121
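An added example, not part of the original reply and not Cisco code: a pre-deployment check that the SAN entries planned for a shared EAP certificate cover every RADIUS node name, including the case where a wildcard silently misses a node. All hostnames and SAN values are constructed, and the matching rule (wildcard only as the whole leftmost label, one label deep, as in RFC 6125) is an assumption about how the supplicant compares names.

```python
# Added example: SAN coverage check for a multi-node RADIUS deployment.
# All hostnames and SAN entries below are constructed sample values.

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: '*' is honoured only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one label; require two fixed labels after it.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are not accepted here
    return p_labels == h_labels


def uncovered_nodes(san_entries, radius_nodes):
    """Return the RADIUS node FQDNs that no SAN entry covers."""
    return [n for n in radius_nodes
            if not any(san_matches(s, n) for s in san_entries)]


# Constructed deployment: the existing two-node cluster, the onboarding node,
# and one node that lives in a sub-domain.
RADIUS_NODES = [
    "ise20-a.corp.example.com",
    "ise20-b.corp.example.com",
    "ise22-onboard.corp.example.com",
    "ise-dr.dr.corp.example.com",
]

# Constructed SAN list of the candidate EAP certificate.
SAN_ENTRIES = ["ise.corp.example.com", "*.corp.example.com"]

if __name__ == "__main__":
    missing = uncovered_nodes(SAN_ENTRIES, RADIUS_NODES)
    for node in RADIUS_NODES:
        print(f"{node:35} {'MISSING' if node in missing else 'covered'}")
```

This only checks name coverage; the client must still trust the issuing CA chain of the certificate.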
