Certificate creation for distributed ISE setup

aoster
Level 1

Hi all,

 

I am planning to add an additional node to an existing standalone ISE. I am, however, unsure about the creation of the certificates. At the moment I am using a Thawte SAN wildcard certificate on the primary host. The current host is located in a domain "europe.domain.com" whereas the new ISE needs to be placed in a different DNS domain named "america.domain.com".

 

primary node: ise1.europe.domain.com

secondary node: ise2.america.domain.com

 

Is it possible to use a single wildcard certificate for both systems?

What will happen if one of the ISE systems fails/is unreachable? Can the different portals and the authentications be handled by the remaining ISE if the systems are located in different DNS domains?

What do the DNS entries for the portals (for example the sponsor or guest portals) have to look like?

 

Thank you for your kind help.

 

best regards

 

Andreas

1 Reply

Venkatesh Attuluri
Cisco Employee

When the primary Administration ISE node is down, sponsor administrators cannot create new guest user accounts. During this time, the guest and sponsor portals will provide read-only access to already created guest and sponsor users, respectively. Also, a sponsor administrator who has never logged into the sponsor portal before the primary Administration ISE node went offline will not be able to log into the sponsor portal until a secondary Administration ISE node becomes primary or the primary Administration ISE node becomes available.
