11-08-2018 04:48 PM
When I am configuring a distributed ISE deployment, what certificates do I need on each node? I have a PAN, secondary PAN, and 3 PSNs in my network. I have an admin cert for all of the nodes, and an EAP, DTLS, and portal cert on the Primary admin node. Do I need all of these for every node? The documentation isn't very clear on what is needed for every node. If I have a deployment with 50 PSNs, do I need to make 150 cert requests? That seems pretty crazy.
11-09-2018 03:46 AM
Thus far responders haven't mentioned your portals. If you are using any portals (Guest, BYOD, Self-Registration etc.) the certificate for them must be on any PSNs that will be serving the portal up. That could be one, two or all of your PSNs, depending on your deployment design.
For portals we typically use one certificate with multiple SANs. So like guest.company.com, byod.company.com etc. Many customers prefer to keep those distinct from the actual node server certificates used for administration and inter-node communications (i.e., ise-1.company.com, ise-2.company.com etc.).
The latter can be self-signed but personally that bugs me. If there's not an in-house CA already I try to get the customer to set up the role - it's relatively straightforward to do and within an hour you can set up a Windows Server CA server and start issuing legitimate certificates. Push trust of that via GPO and then all your in-house domain PCs will trust them.
11-08-2018 05:28 PM
You can have one certificate per node or a wildcard certificate. One cert can be used for all three roles: admin, portal, EAP.
11-08-2018 05:34 PM
So, just an admin certificate for each PSN and secondary PAN will do it all? I don't need an EAP, DTLS, etc. cert for each node in the deployment?
11-08-2018 09:19 PM - edited 11-09-2018 01:59 AM
Each node will have a self-signed certificate. Each node needs its own certificate. A certificate can have the following roles:
Admin
Portal
EAP
PXgrid
RADIUS DTLS
Portal role is needed for guest, BYOD, etc.
EAP is needed for dot1x
Admin is used while accessing the GUI of ISE and when ISE nodes are in a deployment.
Admin certificate should be unique if you are not having wildcard certificate. EAP can be shared.
05-05-2023 09:02 AM
this reply is not helpful
11-09-2018 01:41 AM
05-05-2023 09:03 AM
better than the first answer.
11-09-2018 02:32 AM
Hi,
The certs you need to manage are entirely a matter of the functionality you demand of your deployment. Here are some examples:
1) Secure syslog remote targets: When you configure to validate certificates (under logging targets), it requires that the trust chain public certs are located in the Trusted Certificates and each node must have an Admin role cert which is issued by this trust chain. If you choose to ignore validation, this isn't a problem. You will need to check mark that you are willing to use the Trusted Certs for authenticating syslogs.
2) EAP-TLS. Again, you need to have an up to date Trusted Certificates store, and you need to enable the trusted certs for EAP client authentication. When a supplicant will challenge your PSN's EAP certificate you will need a full chain of trust for the mutual authentication to pass.
3) SAML and pxgrid also require the certificates to be trusted for the pxgrid subscribers to authenticate one another.
What is important is that for any node which is issued a certificate, do so via CSR and when you get the cert make sure to bind it to that node. You must bind it from the CSR window in order for the private key to be associated with that cert.
It requires a bit of maintenance every now and again, but it isn't overly complicated. Just make sure that you know what kind of authentication requires PKI and then document how to update these certificates for when they are near expiry.
05-05-2023 09:04 AM
this answer is not to the point, sorry
05-06-2019 01:07 PM
You can clone a certificate (and the private key) and use it on multiple nodes either for a single purpose (e.g., Admin) or multiple purposes (e.g., Admin, EAP, Portal). The only necessary condition is that this certificate contains the FQDNs of all the nodes as Subject Alternative Name (SAN).
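The "every node FQDN must be in the SAN" condition above, and the portal-hostname point from the accepted answer, are easy to get wrong with wildcard certs (a wildcard covers exactly one label, so *.psn.company.com does not cover a node under an extra sub-domain). The following check is an added example, not code from the thread or from Cisco; the SAN list and deployment are constructed sample values, and it assumes the dNSName entries were already pulled out of the cert (for instance with `openssl x509 -noout -ext subjectAltName`).

```python
"""Audit whether one shared certificate covers every ISE node FQDN.

Added example, not from the thread or from Cisco. The SAN list and the
deployment map below are constructed sample values.
"""

# Constructed: dNSName SAN entries read from a hypothetical shared cert.
SHARED_CERT_SANS = [
    "ise-pan-1.company.com",
    "ise-pan-2.company.com",
    "*.psn.company.com",
    "guest.company.com",
    "byod.company.com",
]

# Constructed: node FQDN -> certificate roles that node uses the cert for.
DEPLOYMENT = {
    "ise-pan-1.company.com": {"Admin"},
    "ise-pan-2.company.com": {"Admin"},
    "ise-psn-1.psn.company.com": {"Admin", "EAP", "Portal"},
    "ise-psn-2.psn.company.com": {"Admin", "EAP"},
    "ise-psn-3.dc2.psn.company.com": {"Admin", "EAP"},  # extra label
}

# Constructed: portal hostnames that PSNs with the Portal role serve.
PORTAL_HOSTS = ["guest.company.com", "byod.company.com"]


def san_matches(san: str, fqdn: str) -> bool:
    """RFC 6125 style match: a wildcard is honoured only as the whole
    leftmost label and covers exactly one label."""
    san, fqdn = san.lower().rstrip("."), fqdn.lower().rstrip(".")
    if not san.startswith("*."):
        return san == fqdn
    suffix = san[1:]  # e.g. ".psn.company.com"
    if not fqdn.endswith(suffix):
        return False
    head = fqdn[: -len(suffix)]
    return bool(head) and "." not in head


def uncovered(sans, names):
    """Names (node FQDNs or portal hosts) that no SAN entry covers."""
    return [n for n in names if not any(san_matches(s, n) for s in sans)]


def audit(sans=SHARED_CERT_SANS, deployment=DEPLOYMENT, portals=PORTAL_HOSTS):
    """Return (nodes whose FQDN is missing, portal hosts missing when any
    node in the deployment carries the Portal role)."""
    missing_nodes = uncovered(sans, deployment)
    serves_portal = any("Portal" in roles for roles in deployment.values())
    missing_portals = uncovered(sans, portals) if serves_portal else []
    return missing_nodes, missing_portals
```

Run `audit()` against the real SAN list before cloning the cert to a node; a non-empty first list means that node will present a name the cert does not carry.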
05-05-2023 09:01 AM
What is baffling in all these community chats is that they are never to the point, like Stack Overflow. Guys who do not understand the question OR know the answer try to answer.
When you add a Node to a Primary node:
1. Which certificate is used? Is it the admin Certificate, each certificate has a purpose and so it will be nice to know which one is used.
2. If whichever certificate is used, if the issuer of the certificate for both nodes is the same CA and the CA certs are present in the Trusted Certificates then is that good enough for the Nodes to peer up?
Please Do NOT answer if you did not understand the question OR are unsure of what happens inside ISE.
Prakash
05-05-2023 09:08 AM
I am quite sure what happens in ISE based on about 8 years hands-on experience with it and multiple training classes and certifications specific to the product.
Q1. Which certificate is used?
A1. Admin certificate
Q2. If whichever certificate is used, if the issuer of the certificate for both nodes is the same CA and the CA certs are present in the Trusted Certificates then is that good enough for the Nodes to peer up?
A2. Yes it is.