08-30-2017 06:56 AM
Hi,
In a large distributed ISE deployment with dual PAN & MNTs running ISE 2.0 and two pxGrid nodes to be added, can one pxGrid certificate (CA signed) be shared across both pxGrid nodes for pxGrid usage (i.e. a multi-SAN certificate)? And does the shared certificate need to also include the PANs and MNTs in the SAN field, as they also need to import the certificate according to How To: Configuring pxGrid in an ISE Distributed Environment? The intention is to have one shared certificate per ISE 'usage' type...
Please note: Wildcard certificates are in use, so adding pxGrid usage to the admin certificate mentioned in the following guide is not an option: Deploying Certificates with Cisco pxGrid - Using an external Certificate Authority (CA) with updates to Cisco ISE 2.0/2.…
Thanks,
Denis
08-30-2017 07:20 AM
I would suggest taking a look at Cisco Live session BRKSEC-3697 from Vegas 2017 available on ciscolive.com. It should include information on generation of pxGrid certs for distributed deployment by leveraging the CA server on ISE.
Also, provided there is trust, it is not necessary that every pxGrid client have their name in the SAN. They should have the CA chain in their trust store to allow them to trust the pxGrid cert.
/Craig
09-04-2017 12:57 AM
Thanks for the response Craig.
I have looked through the Cisco Live session and from what I understand pxGrid certificates are needed on the pxGrid nodes, and from ISE 2.2+ pxGrid certificates will be needed on the MNTs also.
One of my original questions has to do with combining these certs into one multi-SAN cert rather than individual certs for operational efficiencies - is this a supported configuration?
Also, although not mentioned in the Cisco Live presentation, I have been advised that the PANs should also have pxGrid certificates - are you able to confirm this?
Thanks,
Denis
09-04-2017 03:15 AM
It is possible to use the same cert across nodes, but it raises the question of security. A more secure option would be to generate certs from ISE, all signed by the same ISE root. They will then have unique certs but all trust each other based on the signing CA. All pxGrid clients have the required certs from the beginning. This is not new. PAN is a publisher for endpoint, SGT, profiles and other topics. MnT is a publisher of session data. More recent versions do support username / password for trust, but I am not aware of any parties implementing that option yet.
/Craig
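The trust model Craig describes (one root signing a unique cert per node, clients trusting the root rather than needing their own name in any SAN) can be checked in a few lines with Go's standard x509 package. This is an added illustration, not ISE's internal CA or any Cisco code; the hostnames are constructed and the `issue`/`trusted`/`scenario` helpers are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a cert whose SAN lists names: a self-signed root when isCA is set,
// otherwise a node cert signed by parent/parentKey. Hypothetical helper, not ISE's CA.
func issue(serial int64, names []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names, // the SAN entries a pxGrid client matches the node against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if isCA { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted is the client-side check: does cert chain to root, and is hostname in its SAN?
func trusted(cert, root *x509.Certificate, hostname string) bool {
	pool := x509.NewCertPool(); pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err == nil
}

// scenario models one ISE root issuing a unique cert per pxGrid node (constructed names).
func scenario() (ownName, otherNodeName, foreignCA bool) {
	root, rootKey := issue(1, []string{"ise-root-ca.example.local"}, true, nil, nil)
	px1, _ := issue(2, []string{"ise-pxgrid1.example.local"}, false, root, rootKey)
	other, otherKey := issue(3, []string{"other-ca.example.local"}, true, nil, nil)
	rogue, _ := issue(4, []string{"ise-pxgrid1.example.local"}, false, other, otherKey)
	ownName = trusted(px1, root, "ise-pxgrid1.example.local")       // chain OK, SAN matches: true
	otherNodeName = trusted(px1, root, "ise-pxgrid2.example.local") // SAN mismatch: false
	foreignCA = trusted(rogue, root, "ise-pxgrid1.example.local")   // right name, wrong signer: false
	return
}

func main() { fmt.Println(scenario()) }
```

The client's own name never appears in a node's SAN; only the root in its trust store and the node's own name in the node's SAN decide the outcome.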
09-04-2017 04:50 AM
Thanks Craig