02-25-2016 01:58 PM
Hi all,
We are planning an entirely new ISE 2.0 installation and I'm looking into certificate options for the deployment.
The customer needs employee devices authenticated with EAP-TLS - and they have a running Microsoft PKI infrastructure they would like to reuse. They have certificates deployed to all corporate devices - with certs from their internal PKI infrastructure - deployed through GPO.
Besides that - they would like to use guest services - both wired and wireless and to some extent BYOD.
I have been looking at :
BRKSEC-3699 - Advanced - Designing ISE for Scale & High Availability (2016 Berlin) and
BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan)
But - I still need to have a best practice conclusion ...
I would appreciate any input on the solutions below :
A:
Use internal CA to deploy certificates on ISE nodes (both adm, mnt and psn) with DNS names in local DNS zone (company.local)
Use a wildcard cert signed by a public CA for guest and sponsor portals (DNS name in public DNS zone - eg. company.com)
If I understand it right - we should make sure all PSN node names (or a wildcard prefix) are in the SAN part of the certificate on all ISE nodes. Is that right?
B:
Use a wildcard cert signed by a public CA for all nodes and guest/sponsor services - with DNS in local DNS zone (company.local)
Any other model that fit better or input on above solutions will be of great value to me/us.
Best regards
Tue Noergaard
Consulting Systems Engineer
Cisco
02-25-2016 06:54 PM
Please take a look at this how-to guide — HowTo: Implement Cisco ISE and Server Side Certificates
Both your A and B have a bit of problems.
In A, ISE internal CA does not issue certificates for ISE nodes, at least not in the current shipping ISE releases. Are you referring to the self-signed certificates, then? Usually, our customers have internal PKI (e.g. Microsoft CA services) to sign certificates for internal web servers.
In B, CA/Browser Forum's Guidance on Internal Names says public CAs might not sign certificates with .local domains. Thus, we need a regular top-level domain for the end-user facing portals, such as guests or sponsors.
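The two points above (every PSN name or a wildcard prefix must be in the SAN, and public CAs will not sign names under .local) can be checked before a CSR is submitted. The following is an added example, not code from this thread, from Cisco or from the how-to guide: a stdlib-only Python checker that takes the dNSName entries a certificate will carry and the ISE node and portal FQDNs, reports which names the certificate does not cover (a wildcard matches exactly one left-most label, the way browsers and supplicants apply it), and flags names under non-public suffixes that a public CA will refuse. All hostnames and the suffix list are constructed assumptions; adjust them to the customer's naming.

```python
"""Pre-flight check for ISE server certificate names.

Added example for this thread (not Cisco's or the forum's code).
Every hostname and SAN entry below is a constructed sample.
"""

# Constructed sample: dNSName SAN entries planned for the certificate
# (solution B style: one public wildcard for nodes and portals).
SAN_ENTRIES = ["ise-pan01.company.com", "*.company.com"]

# Constructed sample: every node persona the cert will be installed on,
# plus the end-user facing portal names. The last entry is a PSN that
# was left in the internal-only zone by mistake.
ISE_NODES = [
    "ise-pan01.company.com",
    "ise-psn01.company.com",
    "ise-psn02.company.com",
    "guest.company.com",
    "sponsor.company.com",
    "ise-psn03.company.local",
]

# Assumption: common suffixes that do not exist in the public DNS root.
# CA/Browser Forum rules bar public CAs from issuing for such "internal
# names"; extend this tuple to match the customer's private zones.
INTERNAL_SUFFIXES = (".local", ".lan", ".corp", ".internal")


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match of one SAN dNSName against a hostname.

    A wildcard is honoured only as the entire left-most label and
    matches exactly one label, so *.company.com covers
    psn01.company.com but neither company.com nor a.b.company.com.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # ".company.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]   # the label the '*' stands for
    return bool(leftmost) and "." not in leftmost


def is_internal_name(name: str) -> bool:
    """True if the name (or wildcard) sits under a non-public suffix."""
    return name.lower().rstrip(".").endswith(INTERNAL_SUFFIXES)


def check_certificate_names(san_entries, node_names):
    """Return which nodes the SAN list misses and which names are internal.

    'uncovered' lists node FQDNs no SAN entry matches; 'internal_names'
    lists SAN entries and node names a public CA will not sign, which
    therefore need the internal Microsoft PKI instead.
    """
    uncovered = [
        node for node in node_names
        if not any(san_matches(san, node) for san in san_entries)
    ]
    internal = sorted(
        {n for n in list(san_entries) + list(node_names) if is_internal_name(n)}
    )
    return {"uncovered": uncovered, "internal_names": internal}


def split_by_issuer(names):
    """Split names into those a public CA may sign and those that must
    come from the internal PKI (solution A's split of portal vs node certs)."""
    public_ok = [n for n in names if not is_internal_name(n)]
    internal_only = [n for n in names if is_internal_name(n)]
    return public_ok, internal_only


if __name__ == "__main__":
    report = check_certificate_names(SAN_ENTRIES, ISE_NODES)
    for node in report["uncovered"]:
        print(f"NOT COVERED by SAN list: {node}")
    for name in report["internal_names"]:
        print(f"INTERNAL NAME (public CA will refuse): {name}")
    public_ok, internal_only = split_by_issuer(ISE_NODES)
    print("public CA candidates :", public_ok)
    print("internal PKI only    :", internal_only)
```

Run against the sample data, the checker reports ise-psn03.company.local both as uncovered by the wildcard and as an internal name, which is exactly the mismatch that makes a single public wildcard unworkable once any node lives in a .local zone.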
02-25-2016 11:22 PM
Hi
Just to elaborate :
Solution A would be using their internal Microsoft PKI for the ISE certificates and not self-signed certs.
Would that complete the A solution ?
Solution B could be adjusted to :
Use a wildcard cert signed by a public CA for all nodes and guest/sponsor services - with DNS in external DNS zone (company.com)
The customer has the external ZONE accessible from inside and outside.
Any comments ?
Best regards
Tue
02-26-2016 12:46 PM
After your adjustments, A and B are looking the same to me. Am I missing anything?
If the deployment uses ISE client provisioning, posture, or BYOD on-boarding, please note that TCP 8905 is using the admin certificates. That should not be a problem on corporate owned devices, which most likely have the root certificate of internal Microsoft PKI installed and trusted.