pxGrid CA signed certificates in distributed deployment

dvan (Cisco Employee)

Hi,

In a large distributed ISE deployment with dual PANs and MnTs running ISE 2.0 and two pxGrid nodes to be added, can one pxGrid certificate (CA signed) be shared across both pxGrid nodes for pxGrid usage (i.e. a multi-SAN certificate)? And does the shared certificate also need to include the PANs and MnTs in the SAN field, as they also need to import the certificate according to How To: Configuring pxGrid in an ISE Distributed Environment? The intention is to have one shared certificate per ISE 'usage' type...

Please note: wildcard certificates are in use, so adding pxGrid usage to the admin certificate mentioned in the following guide is not an option: Deploying Certificates with Cisco pxGrid - Using an external Certificate Authority (CA) with updates to Cisco ISE 2.0/2.…

Thanks,

Denis

Accepted Solution

Craig Hyps (Level 10)

I would suggest taking a look at Cisco Live session BRKSEC-3697 from Vegas 2017 available on ciscolive.com.  It should include information on generation of pxGrid certs for distributed deployment by leveraging the CA server on ISE.

Also, provided there is trust, it is not necessary that every pxGrid client have their name in the SAN. They should have the CA chain in their trust store to allow trust to the pxGrid cert.

/Craig


4 Replies

Thanks for the response Craig.

I have looked through the Cisco Live session and from what I understand pxGrid certificates are needed on the pxGrid nodes, and from ISE 2.2+ pxGrid certificates will be needed on the MNTs also.

One of my original questions has to do with combining these certs into one multi-SAN cert rather than individual certs for operational efficiencies - is this a supported configuration?

Also, although not mentioned in the Cisco Live presentation, I have been advised that the PANs should also have pxGrid certificates - are you able to confirm this?

Thanks,

Denis

It is possible to use the same cert across nodes, but it raises the question of security. A more secure option would be to generate certs from ISE, all signed by the same ISE root. They will then have unique certs but all trust each other based on the signing CA. All pxGrid clients have the required certs from the beginning. This is not new. PAN is a publisher for endpoint, SGT, profile and other topics. MnT is a publisher of session data. More recent versions do support username/password for trust, but I am not aware of any parties implementing that option yet.

/Craig
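The trust model Craig describes in his two replies, as an added example that is not from the thread, from Cisco, or from ISE itself: a root CA (standing in for the ISE internal CA) signs one certificate per node, and a pxGrid client accepts a node because the node's cert chains to a root in the client's trust store and its SAN covers the hostname the client dialed, not because the client's own name appears in the SAN. The example also issues the multi-SAN certificate Denis asks about and shows that it is accepted for both node names, while a per-node cert is accepted only for its own. It uses Go's standard crypto/x509; the hostnames and CA name are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hostnames are constructed for this example; they do not come from the thread.
const (
	PxGrid1 = "pxgrid1.example.com"
	PxGrid2 = "pxgrid2.example.com"
)

// NewRootCA builds a self-signed root, standing in for the ISE internal CA that
// Craig suggests using to sign every node certificate.
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example ISE Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueNodeCert issues a leaf for the given SAN DNS names, signed by the root.
// One name gives a per-node cert; several names give the multi-SAN cert asked about.
// The leaf's private key is discarded here because only verification is shown.
func IssueNodeCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, serial int64, dnsNames ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// pxGrid nodes both accept connections and dial peers, so allow both roles.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TrustedByClient models the check a pxGrid client makes when it connects to a node:
// the presented cert must chain to a CA in the client's trust store and its SAN must
// cover the hostname the client dialed. The client's own name plays no part in this.
func TrustedByClient(presented *x509.Certificate, dialedHost string, trustStore ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // non-nil, so an empty store does not fall back to system roots
	for _, ca := range trustStore {
		pool.AddCert(ca)
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   dialedHost,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	root, rootKey, err := NewRootCA()
	if err != nil {
		panic(err)
	}
	shared, err1 := IssueNodeCert(root, rootKey, 2, PxGrid1, PxGrid2) // one multi-SAN cert for both nodes
	perNode, err2 := IssueNodeCert(root, rootKey, 3, PxGrid1)         // one cert per node, same root
	if err1 != nil || err2 != nil {
		panic("issuing node certs failed")
	}
	fmt.Println("shared cert serves pxgrid2:", TrustedByClient(shared, PxGrid2, root))
	fmt.Println("pxgrid1 cert serves pxgrid2:", TrustedByClient(perNode, PxGrid2, root))
	fmt.Println("pxgrid1 cert, client without the CA chain:", TrustedByClient(perNode, PxGrid1))
}
```

The security point behind Craig's preference for per-node certs is visible in the code: the shared multi-SAN cert is accepted for both node names precisely because both nodes hold the same private key, so compromising either node yields a key that impersonates both, and revoking it takes both nodes off the grid at once. Per-node certs from the same root give the same mutual trust (every client only needs the root in its trust store) while keeping key compromise and revocation scoped to one node.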

Thanks Craig
