12-19-2014 12:02 AM - edited 03-10-2019 10:17 PM
What happens if a PSN certificate expires? Do all other nodes in the cluster lose the communication channel to that PSN node?
What is the procedure to install a new certificate on a PSN node with the expired certificate?
Does the PSN node still handle client RADIUS requests that do not depend on the PSN certificate?
Thanks!
12-19-2014 07:55 AM
You definitely want to renew the certs before they expire. Otherwise the effects can be very devastating to your ISE environment depending on what the certificates are used for :) Below are a couple of links that you can use to obtain more info on both of your questions:
ISE version 1.2:
ISE Version 1.3:
Thank you for rating helpful posts!
12-19-2014 09:55 AM
Thanks for your comments and links.
But I can't find any information about what really happens if it does expire and how to recover the PSN node to a steady state again. I can only read that don't let it happen and it's a very very bad thing if it does happen.
For example:
- Are PEAP clients still able to authenticate to the PSN node (if clients are configured to not validate the ISE certificate)?
- How do I recover a PSN node with an expired certificate?
Thanks
12-19-2014 11:10 AM
No, they wouldn't, as the clients won't trust the certs from the ISE node. EAP communication will not succeed, resulting in authentication failures. You need to repeat the procedure, the same way you generated the cert (self-signed / CA), then copy of the same in the primary node's cert store among trust list.
12-19-2014 11:32 AM
Ok, so even if PEAP clients are configured to not "validate server certificate" PEAP communication will still fail?
"...then copy of the same in the primary node's cert store among trust list."
I don't really understand what you mean here. Shouldn't a new PSN node CA certificate be installed on the PSN node itself in some way? Then the communication to the rest of the nodes in the cluster would be restored thanks to the new valid certificate? Maybe you are thinking about a self-generated certificate. We have a CA infrastructure in place.