01-18-2024 11:04 AM
Hello All,
We implemented ISE almost a year ago, and our two ISE servers have certs from a 3rd party (GoDaddy) that are expiring soon. Under Administration/System/System Certificates, under Used By for the certificates it shows:
Admin, EAP Authentication, RADIUS, DTLS, pxGrid, Portal, ISE Messaging Service
We're using ISE for switch port authentication and have 802.1x configured in the Windows clients' network settings. When we replace these certificates, will our clients get any kind of warning or prompt that we need to be aware of?
Thanks
01-18-2024 11:12 AM
@MauryJ as the admin certificate is being replaced, this will force the ISE services to restart (10-15 mins approx) on each node. You should make sure you do this in a change window, ideally out of hours to minimise disruption. In regard to the client devices, as long as they trust the root certificate that signed the EAP certificate, they should not notice anything. If you are using a different public CA to sign this certificate, you may need to check the client devices.
You should ensure the NADs (switches) are configured to use both ISE PSN nodes, so whilst one node's services are restarting, any new authentications would go to the other ISE PSN node.
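The trust condition in the answer above can be checked before the change window. This is an added example, not part of the original thread: the helper names, the 30-day threshold and the input files (PEM exports of the current and replacement EAP certificates, plus a PEM bundle of the root and intermediate CAs the clients trust) are assumptions, and it needs the `openssl` CLI.

```bash
# Added example. Assumed inputs: PEM exports of the current and replacement
# ISE EAP certificates, plus a PEM bundle of the CAs the clients trust.

# Issuer DN of a certificate on one line, in a stable format for comparison.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# True if both certificates name the same issuing CA.
same_issuer() {
    [ "$(cert_issuer "$1")" = "$(cert_issuer "$2")" ]
}

# True if the certificate ($1) verifies against the given bundle ($2).
# -no-CApath stops openssl from also consulting the system trust directory.
cert_chains_to() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# True if the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null
}

# precheck CURRENT.pem NEW.pem CLIENT_TRUSTED_CAS.pem
# Returns 0 when the issuer is unchanged and trusted, 1 when the issuer
# changed but still chains to the bundle (check the client devices), and
# 2 when the new certificate does not chain to the bundle or expires soon.
precheck() {
    local result=0
    same_issuer "$1" "$2" || { echo "WARN: issuer changed to: $(cert_issuer "$2")"; result=1; }
    cert_chains_to "$2" "$3" || { echo "FAIL: new cert does not chain to the client-trusted bundle"; result=2; }
    cert_valid_for_days "$2" 30 || { echo "FAIL: new cert expires within 30 days"; result=2; }
    return "$result"
}

# Run the check only when called with the three file arguments.
if [ "$#" -eq 3 ]; then precheck "$1" "$2" "$3"; fi
```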
01-18-2024 11:15 AM
Good to know, thank you very much Rob!
01-18-2024 11:34 AM
@MauryJ wrote:
Hello All,
We implemented ISE almost a year ago, and our two ISE servers have certs from a 3rd party (GoDaddy) that are expiring soon. Under Administration/System/System Certificates, under Used By for the certificates it shows:
Admin, EAP Authentication, RADIUS, DTLS, pxGrid, Portal, ISE Messaging Service
We're using ISE for switch port authentication and have 802.1x configured in the Windows clients' network settings. When we replace these certificates, will our clients get any kind of warning or prompt that we need to be aware of?
Thanks
When you replace the certificates on your ISE (Identity Services Engine) servers, the Windows clients using 802.1x for switch port authentication may experience certificate-related issues. Here are some considerations:
Certificate Renewal:
Certificate Replacement with Different CA:
Client Behavior:
Certificate Chain:
Advance Notification:
Monitoring Certificate Expiry:
Testing:
Logging and Troubleshooting:
Remember that the exact user experience may vary based on the Windows version, network configuration, and how certificate validation is implemented in your specific environment. Always follow best practices for certificate management to ensure a secure and seamless transition.