Use Same Certificate for ISE features

Ahmed.Y.Eissa
Level 1

My deployment is the smallest one: I have two nodes, active/standby, and each node runs all the features (PAN, PSN, MnT and pxGrid).

 

For the ISE deployment, my customer doesn't have an Active Directory or a PKI, so we have to request a public certificate with the names below, to be deployed on all nodes to support Admin, EAP-TLS, Guest and BYOD.

 

ISE02.xxx.com

ISE01.xxx.com

Guest.xxx.com

Sponsor.xxx.com

Mydevices.xxx.com

 

I have several questions:

  1. Is it mandatory to create a CSR from each node? In that case I will have two CSRs that need to be issued by the public CA.
  2. Is it applicable to ask for a public certificate with multiple DNS names and import it back to all nodes? Or should I stick to number 1?
  3. What type of certificate should I ask for? I think it should include both the client and server authentication EKUs?
  4. For BYOD, I think it is mandatory to create the CSR from ISE and have it issued by the public CA?
  5. For pxGrid, can I do it with a self-signed certificate to save cost, as I have additional Firepower nodes that need to be integrated?
2 Replies

Octavian Szolga
Level 4

Hi Ahmed,

 

You can go for option 1, but it will cost you more.

I would create CSRs with multiple DNS names (SAN). It's much easier.
For the pxGrid part I advise you to use ISE CA certs.

ISE server/system certs would only need the server authentication EKU (pxGrid would need the client auth EKU as well).

 

 

Search for Craig Hyps or Aaron Woland presentations @CiscoLive and you'll find some useful info/tips for ISE certs.

 

PS:

Still, it's not that difficult to set up an MS server for cert services. You can quickly configure it, sign certs and shut it down till next time. The only nasty thing about it is that the BYOD flow would use the admin cert at the beginning, even though your BYOD portal cert is public CA signed.

 

Thanks,
Octavian

ajc
Level 7

SAN stands for Subject Alternative Name. Basically you can have all the FQDNs of your ISE nodes added to the same cert, including the portals for guest and CWA. See the example next. It is mandatory to create the CSR from ISE. Before, I used to configure the CSR using OpenSSL, but that is not allowed anymore by ISE.

 

Another important thing, if you do not want to hit a bug I faced: the Admin and Portal MUST run on the same cert. However, in your case it looks like you would be using EAP on the same cert as well (I would prefer a separate one so you can use a wildcard cert). You can go with any public CA, BUT Entrust, for example, does not allow you to use IPs in the SAN fields.

 

[attached image: cetise.png]

 

One important detail: a 3495 VM or appliance running multiple personas DOES NOT work properly. In addition to that, the number of sessions you can handle is also reduced. Take this into account even though your deployment is a small one.
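Both replies come down to the same pre-import check: the certificate the public CA returns must list every ISE FQDN in its SAN, and must carry the EKUs the persona it will be bound to needs (server authentication for Admin/EAP/portals, server plus client authentication for pxGrid, as Octavian describes). The following is an added example, not code from the thread or from Cisco: a POSIX shell script that builds a self-signed certificate as a constructed stand-in for the CA-issued one, using the FQDNs from the original post (xxx.com is the poster's placeholder domain), and then verifies a certificate against a required name list and persona. It assumes the `openssl` command-line tool is installed; the function names (`make_san_cert`, `check_cert`) and the `WORK` directory are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check that a certificate destined for ISE
# carries every required SAN DNS name and the EKUs its persona needs.
# Assumes the openssl CLI is available.

WORK="${TMPDIR:-/tmp}/ise-cert-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# FQDNs from the original post (constructed placeholder domain).
ISE_NAMES="ISE01.xxx.com ISE02.xxx.com Guest.xxx.com Sponsor.xxx.com Mydevices.xxx.com"

# make_san_cert <out.pem> <eku-list> <fqdn...>
# Self-signed stand-in for the CA-issued certificate: every FQDN goes into
# the SAN, the first one doubles as the CN, the EKU list is set verbatim.
make_san_cert() {
    out="$1"; eku="$2"; shift 2
    cfg="$WORK/req.cnf"
    {
        printf '[req]\ndistinguished_name=dn\nreq_extensions=ext\nx509_extensions=ext\nprompt=no\n'
        printf '[dn]\nCN=%s\n' "$1"
        printf '[ext]\nextendedKeyUsage=%s\nsubjectAltName=@alt\n' "$eku"
        printf '[alt]\n'
        i=1
        for n in "$@"; do printf 'DNS.%d=%s\n' "$i" "$n"; i=$((i+1)); done
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -keyout "$WORK/key.pem" -out "$out" -config "$cfg" >/dev/null 2>&1
}

# cert_text <cert.pem>: the decoded certificate as openssl prints it.
cert_text() { openssl x509 -in "$1" -noout -text; }

# has_san <cert.pem> <fqdn>: succeeds if the FQDN is a DNS entry in the SAN
# (exact match, case-insensitive; no wildcard matching is attempted).
has_san() {
    cert_text "$1" | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
        | sed 's/^ *//' | grep -iFqx "DNS:$2"
}

# has_eku <cert.pem> <usage text>: succeeds if the Extended Key Usage lists it,
# e.g. "TLS Web Server Authentication" or "TLS Web Client Authentication".
has_eku() {
    cert_text "$1" | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# check_cert <cert.pem> <persona> <fqdn...>
# persona is "admin", "eap", "portal" or "pxgrid". Prints "ok" when the cert
# covers every FQDN and has serverAuth (plus clientAuth for pxgrid, per the
# reply above); otherwise prints "missing:" followed by each gap.
check_cert() {
    cert="$1"; persona="$2"; shift 2
    missing=""
    for n in "$@"; do
        has_san "$cert" "$n" || missing="$missing san:$n"
    done
    has_eku "$cert" "TLS Web Server Authentication" || missing="$missing eku:serverAuth"
    if [ "$persona" = "pxgrid" ]; then
        has_eku "$cert" "TLS Web Client Authentication" || missing="$missing eku:clientAuth"
    fi
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Constructed samples: one cert with both EKUs and all five names, and one
# server-auth-only cert that omits the sponsor and My Devices portal names.
make_san_cert "$WORK/full.pem" "serverAuth,clientAuth" $ISE_NAMES
make_san_cert "$WORK/partial.pem" "serverAuth" ISE01.xxx.com ISE02.xxx.com Guest.xxx.com

check_cert "$WORK/full.pem" admin $ISE_NAMES
check_cert "$WORK/partial.pem" admin $ISE_NAMES
check_cert "$WORK/partial.pem" pxgrid ISE01.xxx.com
```

Run it with `sh` on a box that has `openssl`; to check a real certificate, call `check_cert /path/to/issued.pem admin ISE01.xxx.com ...` with the real FQDNs. The same SAN/EKU inspection works on the CSR exported from ISE (`openssl req -in csr.pem -noout -text`) before it is sent to the CA, which is the cheaper place to catch a missing portal name.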