Replacing ISE Admin cert on multi-node deployment

Arne Bier (VIP)

Hello

 

I don't have the time to test this myself, but has anyone got real world advice when replacing the Admin cert of a multi-node deployment?

 

The customer is running ISE 2.4 in a 6 node deployment on SNS appliances.

 

Currently the Admin cert is a self-signed wildcard cert.  This cert was installed on all secondary nodes prior to the nodes being registered to the PAN.

Customer now wishes to apply a different cert (e.g. public CA cert) to all the nodes used for Admin and possibly also EAP.

 

I have some concerns with this. 

  • The node host name domains will need to match the new Admin cert (at least in the SAN field, right?) - if the customer has some internal domain like net.local, then there will be no Public CA that can issue a cert that has this in the SAN field.  I suspect we'd have to re-configure all the "ip domain-name" commands in each node prior to even trying to import a public CA cert?
  • Let's say we have all the domain stuff out of the way, which node do we start with?  If we start with the PSNs, will it isolate the PSN from the PAN when installing the new Admin cert?  Is there an order in which this should be done?

I am pretty sure that changing the System cert for Admin will cause the application services to restart.  The outage is not an issue.  The main concern I have is that the ISE cube (cluster) will somehow get messed up because of the changing of domains and the importing of certs.

 

Any advice appreciated.
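The two concerns above (SAN coverage of every node FQDN, and internal domains a public CA will not issue for) can be checked before touching any node. The following is an added pre-flight script, not part of this thread or of any Cisco tooling; the node names, the SAN lists and the list of private suffixes are constructed assumptions.

```python
"""Pre-flight check before swapping the ISE Admin/EAP system cert:
does the new cert's SAN cover every node FQDN, and could a public CA
even issue for those domains? Hypothetical helper, not Cisco tooling."""

# Suffixes a public CA will not put in a SAN (constructed, non-exhaustive).
PRIVATE_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".localdomain")


def san_matches(san_entry: str, fqdn: str) -> bool:
    """RFC 6125-style DNS-ID match: a wildcard is honoured only as the whole
    leftmost label, covers exactly one label, and never the bare domain."""
    san_entry, fqdn = san_entry.lower().rstrip("."), fqdn.lower().rstrip(".")
    if "*" not in san_entry:
        return san_entry == fqdn
    san_labels, host_labels = san_entry.split("."), fqdn.split(".")
    if san_labels[0] != "*" or "*" in san_labels[1:]:
        return False  # partial (ise-*) or nested wildcards are rejected
    if len(san_labels) != len(host_labels) or len(host_labels) < 3:
        return False  # one label only, and not a wildcard over a TLD
    return san_labels[1:] == host_labels[1:]


def check_deployment(nodes, san_entries, public_ca=True):
    """Return {node_fqdn: [problems]}; an empty dict means the cert fits."""
    problems = {}
    for node in nodes:
        issues = []
        if not any(san_matches(s, node) for s in san_entries):
            issues.append("not covered by SAN")
        if public_ca and node.lower().endswith(PRIVATE_SUFFIXES):
            issues.append("non-public domain: public CA will not issue")
        if issues:
            problems[node] = issues
    return problems


if __name__ == "__main__":
    # Constructed 6-node deployment, before and after the domain change.
    before = [f"ise-{r}.net.local" for r in ("pan1", "pan2", "mnt1", "mnt2", "psn1", "psn2")]
    after = [n.replace("net.local", "example.com") for n in before]
    print(check_deployment(before, ["*.net.local"]))      # every node flagged
    print(check_deployment(after, ["*.example.com"]))     # {}
```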

 

2 Accepted Solutions (both by Francesco Molino, in the replies below)

10 Replies

Francesco Molino (VIP Alumni)

Hi

 

For the EAP, you have the possibility to create a new interface and an alias; then your public cert will work.

However for the admin, it'll only be on the default interface and you have no choice but to change the domain name.

 

Then you can import them node by node; I myself start with the PSNs and finish with the PAN. Customers like simplicity and most of them generate one cert with multiple SANs and then import the same one on all nodes. Never had issues here.

 

Issues I had were mostly after changing the domain name. There were weird issues like AD sync/join not working as expected, and I needed to unlink and link it back sometimes. Also issues with the internal CA; the biggest weird issue was that I had to disable it, generate new certs for the internal CA and re-enable it (impact on all my BYOD users).

Sometimes i also had to deregister the node from the cluster and register it back after domain-name changed.

 

This doesn't mean it never works (most of the time it works well); after an automatic application restart, everything is back to normal.

 

Anyway, when you run the command ip domain-name, a message will appear telling you to deregister your node from AD before proceeding. I'm not doing it every time I do these changes because the AD people aren't available/communicating with the network guys :-)

 

When I do the domain name changes, I always start with the PSNs.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks @Francesco Molino - very useful advice for sure.

I will see whether I can convince them to keep the Admin system cert as is (there is no benefit to assigning that to a public CA cert!!).  The EAP cert can then be changed to use a public CA cert without rocking the boat.

 

Thanks

Yes, and you can mention that admin will be accessed by internal guys only, who will have the internal root cert in their laptop's trusted certificate store, which means no need to change it :-)
Are these ISE servers VMs or appliances?
If VMs, you can take a snapshot before proceeding.
What I did, which ended smoothly and without issues, was to have a maintenance window and alert that ISE will be down during this maintenance. Then remove every node from the cluster, do all the domain changes and build up the cluster again. Obviously, this can be done in a non-critical environment where downtime is acceptable.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

These are SNS servers.  I will fight to not have to change the Admin cert ;-)

VM snapshots aren't supported though. Perhaps you mean shutdown the server and clone the VM (unsure if this works either)?

Yep, not supported, but it works; I did it several times to keep a fresh install.
Now yes, the safest way would be to shut it down and back up the VM files.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

The trick with changing the domain name of the cluster node is to deregister it from the domain - then DELETE the machine account in the domain - wait for replication to occur in AD (15 mins max) - THEN change the node domain-name and re-register the node to the domain.   It's that machine account in the domain that gets wonky - so just smoke the old machine account and create a new one with the proper domain.

Parag Mahajan (Cisco Employee)

Assuming that you have sorted out the domain issues, meaning you got the cert from a public CA: you can assign the new cert in any order as long as the Root, Intermediate and Issuing CA certs have been imported into the PAN trusted store. They will propagate to all other ISE nodes' trusted stores. Now even if you take any node and assign this cert for Admin and EAP, this node will restart its services but will join the cluster.

Are there any issues with using the system certificate for both Admin and EAP authentication? We do not practice this policy but wondered if it is done by others.

It's not best practice, but it's possible and supported. Notice when you add a system cert that you can choose which roles it has per node.
