10-18-2012 05:33 AM - edited 03-10-2019 07:41 PM
Hi all,
I would like to ask, given that I got 2 units of the ISE-3315 appliance, one needs to be the primary node for admin-policy service-monitoring, and the other unit then becomes the Inline Posture node.
For the preparation of the inline posture node, what should I do on it?
My question is:
01. For the unit ready to become the inline posture node, do I just boot it, install the OS from scratch (using version 1.1.1), then start the initial setup etc., like a normal setup?
02. Before I register, which deployment node roles should I select for the inline posture node unit?
Provided that the admin-policy service-monitoring unit will become the primary node, registration of the inline posture node will be the next action.
Thanks
Noel
10-18-2012 08:04 AM
When you register the node it will come up in Maintenance mode; you can choose your mode settings through the admin interface. Keep in mind that when the IPEP node boots, GUI access is gone and it can only be administered through the admin node or the CLI. So don't let that freak you out.
Also, for the certs make sure that BOTH nodes have the EKU for client and server authentication. I ran into this issue where I assumed that only the inline node needed these keys, but I finally learned how to slow down and read, and found that the admin node needed them also.
Thanks,
Tarik Admani
*Please rate helpful posts*
10-18-2012 08:20 PM
Hi Tarik
Thanks for reply.
There's something I would like you to clarify, Sir. I don't really understand this statement:
"Also for the certs make sure that BOTH nodes have the EKU for client and server authentication."
Question 1,
Correct me if I am wrong: do you mean the cert enrolled and installed on the SSL client and server, and that these certificates also need to be enrolled and installed so that they are trusted on both the iPEP and the admin node?
In this sense, is the server the VPN gateway where the client terminates?
Situation:
Say in my infrastructure I have these units sitting inline, and the flow starts with an SSL VPN connection on the client --> Internet --> [ASA (VPN)] --> [iPEP] --> [Clavister Firewall (internal firewall)] --> [PSN]
Question 2.1
So, meaning to say, for SSL VPN authentication, in order for the client to reach the VPN gateway, both ends need to be trusted. In this case, if the ASA (VPN) uses a self-signed certificate as its identity certificate, would it still be trusted by the iPEP and PSN?
What action needs to be done in order for all devices to trust each other?
Question 2.2
Is it recommended that all the mentioned devices create a CSR, let the root CA sign it and import the cert again, so that they all have the identical issuer and trust each other?
Looks like I need to have a good design on my PKI part.
thanks
Noel
10-18-2012 08:23 PM
Noel,
The scope of my comment was based on the ISE deployment; the VPN and IPEP nodes will use RADIUS. The ISE connection from the admin node to the IPEP and vice versa will need proper certs in place, since they use SSL to authenticate and encrypt their data.
Thanks,
Tarik Admani
*Please rate helpful posts*
10-18-2012 08:51 PM
Hi Tarik
Well, I get what you say.
So is it recommended to make all devices generate a CSR and have the root CA sign it, so all have the trusted issuer?
No self-signed in play?
Thanks
Noel
10-18-2012 09:42 PM
That is correct, the self-signed certificates do not have the correct EKU OIDs set. So you can use Windows as your CA server, and it is easy to use.
You can find plenty of configuration guides online or even in the TechNet forums.
thanks
Tarik Admani
*Please rate helpful posts*
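The certificate condition Tarik describes, reproduced with openssl as an added example (my script, not from the thread or from Cisco): a self-signed node certificate carries no EKU, while a CSR signed by a CA with serverAuth and clientAuth gives the admin and Inline Posture node certificates what their mutual SSL connection needs. It assumes openssl on the PATH; the CA name, node name and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): the problem case and the fix side by side,
# plus the check to run on the admin and iPEP certificates. All names
# (ca.example.test, ise-admin.example.test) and paths are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Request config with two extension profiles: "no_eku" mimics a self-signed
# certificate, "both_eku" is what the CA should issue for ISE nodes.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = ise-admin.example.test
[ no_eku ]
basicConstraints = CA:FALSE
[ both_eku ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
EOF

# Throw-away root CA standing in for the Windows CA mentioned in the thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ca.example.test" \
  -config "$WORK/req.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 1) Self-signed node certificate without EKU: the problem case.
SELF_SIGNED="$WORK/ise-admin-selfsigned.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
  -extensions no_eku -keyout "$WORK/node.key" -out "$SELF_SIGNED" 2>/dev/null

# 2) CSR from the same node key, signed by the CA with both EKUs: the fix.
CA_SIGNED="$WORK/ise-admin-casigned.pem"
openssl req -new -key "$WORK/node.key" -config "$WORK/req.cnf" -out "$WORK/node.csr"
openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/req.cnf" -extensions both_eku \
  -out "$CA_SIGNED" 2>/dev/null

# has_both_eku CERT: succeeds only if extendedKeyUsage lists both TLS server and
# TLS client authentication; run it against the admin and iPEP certificates.
has_both_eku() {
  txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$txt" | grep -q 'TLS Web Server Authentication' &&
    printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication'
}

for c in "$SELF_SIGNED" "$CA_SIGNED"; do
  if has_both_eku "$c"; then echo "OK   $c"; else echo "FAIL $c: EKU incomplete"; fi
done
```

The same `has_both_eku` check applied to an exported ISE node certificate tells you before registration whether the admin and iPEP certs satisfy the "both enabled" combination.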
10-19-2012 01:37 AM
Hi tarik,
I would like to thank you for your reply and support on this thread.
Thanks again
Noel
05-13-2013 01:41 PM
Hello. I have a distributed deployment with two admins, two iPEPs and two policy service nodes.
What I understand is that the certificates for BOTH iPEPs and both admins will need the EKU for client and server authentication. Is that right?
What about the policy service nodes? Does the fact that the admin has the EKU for client and server authentication affect somehow the certificates of the policy service nodes?
05-13-2013 01:53 PM
The following combinations are recommended for the Administration certificate:
–Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Posture certificate.
–Both Netscape Cert Type attributes should be disabled, or both should be enabled.
The following combinations are recommended for the Inline Posture certificate:
–Both EKU attributes should be disabled, or both should be enabled, or the server attribute alone should be enabled.
–Both Netscape Cert Type attributes should be disabled, or both should be enabled, or the server attribute alone should be enabled.
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_ipep_deploy.html#wp1110248
Jatin Katyal
- Do rate helpful posts -
05-13-2013 02:11 PM
Yes, I know that.
My question is when we have both IPEPs and PSNs in the same deployment.
Admin will have both EKU attributes. Does it affect the certificates of the PSNs? Will the PSN also need both EKU attributes because of the admin, or not?
05-13-2013 07:30 PM
Eduardo,
You do not need to modify the EKU for the PSN certs. There is no SSL communication between the PSN and the IPN.
Thanks,
Tarik Admani
*Please rate helpful posts*