procedure to join ISE appliance become inline posture node

Hi all,

I would like to ask: given that I have 2 units of the ISE-3315 appliance, one needs to be the primary node for Administration, Policy Service and Monitoring, and the other unit then becomes the Inline Posture node.

For the preparation of the Inline Posture node, what should I do on it?

My question is:

01. For the unit that is to become the Inline Posture node, do I just boot it, install the OS from scratch (using version 1.1.1), then run the initial setup etc., like a normal setup?

02. Before I register it, which deployment node roles should I select for the Inline Posture node unit?

provided that the Administration/Policy Service/Monitoring unit will become the primary node, and registration of the Inline Posture node will be the next action.

Thanks

Noel

1 ACCEPTED SOLUTION

10 REPLIES

When you register the node it will come up in Maintenance mode; you can choose your mode settings through the admin interface. Keep in mind that when the iPEP node boots, GUI access is gone and it can only be administered through the admin node or the CLI. So don't let that freak you out.

Also, for the certs make sure that BOTH nodes have the EKU for client and server authentication. I ran into this issue where I assumed that only the inline node needed these keys, but I finally learned how to slow down and read, and found that the admin node needed them also.

Thanks,

Tarik Admani
*Please rate helpful posts*


Hi Tarik

Thanks for reply.

There's something I would like you to clarify, Sir. I don't really understand this statement:

"Also for the certs make sure that BOTH nodes have the EKU for client and server authentication."

Question1,

Correct me if I am wrong: do you mean the cert enrolled and installed as the SSL client and server certificate? Do these certificates also need to be enrolled and installed so that they are trusted on both the iPEP and the admin node?

In this sense, is the server the VPN gateway where the client terminates?

Situation: 

Say in my infrastructure I have these units sitting inline; the flow starts with an SSL VPN connection on the client --> Internet --> [ASA (VPN)] --> [iPEP] --> [Clavister Firewall (internal firewall)] --> [PSN]

question 2.1

So, meaning to say, for SSL VPN authentication, in order for the client to reach the VPN gateway, both ends need to be trusted. In this case, if the ASA (VPN) uses a self-signed certificate as its identity certificate, would it still be trusted by the iPEP and PSN?

What action needs to be done in order for all devices to trust each other?

question 2.2

Is it recommended that all the mentioned devices create a CSR, let the root CA sign it and import the cert again, so that they all have the identical issuer and trust each other?

Looks like I need to have a good design on my PKI part.

thanks

Noel


Noel,

The scope of my comment was based on the ISE deployment; the VPN and iPEP nodes will use RADIUS. The ISE connection from the admin node to the iPEP and vice versa will need proper certs in place, since they use SSL to authenticate and encrypt their data.

Thanks,

Tarik Admani
*Please rate helpful posts*


Hi Tarik

Well, I get what you say.

So is it recommended to make all devices generate a CSR and have the root CA sign it, so that all have the trusted issuer?

No self-signed in play?

Thanks

Noel


That is correct, the self-signed certificates do not have the correct EKU OIDs set. So you can use Windows as your CA server, and it is easy to use.

You can find plenty of configuration guides online or even in the TechNet forums.

thanks

Tarik Admani
*Please rate helpful posts*


Hi tarik,

I would like to thank you for your reply and support on this thread.

thanks again

Noel


Hello. I have a distributed deployment with two admins, two iPEPs and two policy service nodes.

What I understand is that the certificates for BOTH iPEPs and both admins will need the EKU for client and server authentication. Is that right?

What about the policy service nodes? Does the fact that the admin has the EKU for client and server authentication somehow affect the certificates of the policy service nodes?


The following combinations are recommended for the Administration certificate:

–Both EKU attributes should be disabled, if both EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes should be enabled, if the server attribute is enabled in the Inline Posture certificate.

–Both Netscape Cert Type attributes should be disabled, or both should be enabled.

The following combinations are recommended for the Inline Posture certificate:

–Both EKU attributes should be disabled, or both should be enabled, or the server attribute alone should be enabled.

–Both Netscape Cert Type attributes should be disabled, or both should be enabled, or the server attribute alone should be enabled.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_ipep_deploy.html#wp1110248

Jatin Katyal


- Do rate helpful posts -

~Jatin
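As an added example (not code from this thread or from Cisco), the OpenSSL script below builds test certificates with chosen EKUs and checks an admin/iPEP pair against the recommended combinations quoted above; it also produces a certificate with no EKU at all, the shape Tarik describes for the self-signed certificates a few posts earlier. The hostnames and file names are made up, and the CA signing step is replaced by self-signing, since the EKU check reads the same certificate fields whether the cert was signed by a Windows CA or by itself.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: build test certificates with
# OpenSSL and check the EKU combination of an ISE admin cert and an iPEP cert
# against the recommended combinations from the ISE 1.1 iPEP guide quoted above.
# Hostnames and paths are constructed for the demo.
set -eu

# make_cert PREFIX CN EKU_LIST
# Writes PREFIX.key and PREFIX.crt. EKU_LIST is an OpenSSL list such as
# "serverAuth,clientAuth", "serverAuth", or "" for a cert with no EKU at all.
make_cert() {
  prefix=$1; cn=$2; eku=$3
  cfg="$prefix.cnf"
  {
    printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ext\n'
    printf '[dn]\nCN=%s\n' "$cn"
    printf '[ext]\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n'
    if [ -n "$eku" ]; then printf 'extendedKeyUsage=%s\n' "$eku"; fi
  } > "$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$cfg" \
    -keyout "$prefix.key" -out "$prefix.crt" >/dev/null 2>&1
}

# eku_of CERT
# Prints which TLS EKUs the certificate carries: both, server, client or none.
# The same check applies to a CA-signed cert exported from a Windows CA.
eku_of() {
  text=$(openssl x509 -in "$1" -noout -text)
  s=0; c=0
  case "$text" in *"TLS Web Server Authentication"*) s=1 ;; esac
  case "$text" in *"TLS Web Client Authentication"*) c=1 ;; esac
  if [ "$s" = 1 ] && [ "$c" = 1 ]; then echo both
  elif [ "$s" = 1 ]; then echo server
  elif [ "$c" = 1 ]; then echo client
  else echo none
  fi
}

# eku_combo_ok ADMIN_CERT IPEP_CERT
# Returns 0 when the pair matches a recommended combination from the guide:
# iPEP carries none, both, or server only; admin carries none only when iPEP
# carries none, and both whenever the iPEP cert has the server EKU set.
eku_combo_ok() {
  admin=$(eku_of "$1"); ipep=$(eku_of "$2")
  case "$ipep:$admin" in
    none:none|both:both|server:both) return 0 ;;
    *) echo "mismatch: iPEP=$ipep admin=$admin" >&2; return 1 ;;
  esac
}

# Constructed demo: admin and iPEP certs with both EKUs (the working setup in
# the thread) plus one cert with no EKU at all.
workdir=$(mktemp -d)
make_cert "$workdir/admin" ise-admin.example.test serverAuth,clientAuth
make_cert "$workdir/ipep"  ise-ipep.example.test  serverAuth,clientAuth
make_cert "$workdir/noeku" ise-default.example.test ""
eku_combo_ok "$workdir/admin.crt" "$workdir/ipep.crt" && echo "admin/iPEP EKU combination OK"
eku_combo_ok "$workdir/noeku.crt" "$workdir/ipep.crt" || echo "a cert without EKUs does not pair with an iPEP cert that has them"
```

Run `eku_of` against the certificate you export from each node before registering the iPEP; a result of `none` on either side is the symptom Tarik hit, and `eku_combo_ok` tells you whether the admin and iPEP pair is one of the documented combinations.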

Yes, I know that.

My question is about when we have both iPEPs and PSNs in the same deployment.

Admin will have both EKU attributes. Does it affect the certificates of the PSNs? Will the PSN also need both EKU attributes because of the admin, or not?


Eduardo,

You do not need to modify the EKU for the PSN certs. There is no SSL communication between the PSN and the iPEP.

Thanks,

Tarik Admani
*Please rate helpful posts*
