What happens if the certificate expires on an ISE PSN

r.westman
Level 1

What happens if a PSN certificate expires? Do all other nodes in the cluster lose the communication channel to that PSN node?

What is the procedure to install a new certificate on a PSN node with the expired certificate?

Does the PSN node still handle client RADIUS requests that do not depend on the PSN certificate?

Thanks!

4 Replies

nspasov
Cisco Employee

You definitely want to renew the certs before they expire. Otherwise the effects can be very devastating to your ISE environment depending on what the certificates are used for :) Below are a couple of links that you can use to obtain more info on both of your questions:

ISE version 1.2:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html

ISE Version 1.3:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_01000.html#concept_D7826198A3304303AD046DB981DA4FE6


Thank you for rating helpful posts!
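An added example, not from any poster in this thread: a POSIX shell check that uses the openssl CLI to flag node certificates which are already expired or fall inside a renewal window, so the renewal recommended above happens before clients start failing. It assumes the ISE node certificates have been exported as PEM files; the short- and long-lived sample certificates it generates are constructed stand-ins, not real PSN certificates.

```shell
#!/bin/sh
# Added example (not from the thread): report ISE node certificates that
# are expired or expiring within a warning window. Assumes the certificates
# have been exported from ISE as PEM files and that openssl is on PATH.

# Return 0 if the certificate in $1 is still valid for at least $2 more
# days; non-zero if it expires within that window or has already expired.
# openssl's -checkend does the date arithmetic, so no date(1) parsing is
# needed and the check behaves the same on GNU and BSD systems.
cert_valid_for_days() {
    cert_file=$1
    days=$2
    openssl x509 -noout -in "$cert_file" -checkend $(( days * 86400 )) >/dev/null 2>&1
}

# Print the notAfter timestamp of a certificate, for the report line.
cert_not_after() {
    openssl x509 -noout -in "$1" -enddate | sed 's/^notAfter=//'
}

# Report every PEM file given. Exit status is non-zero if any certificate
# needs renewal, so the function can drive a cron/monitoring alert.
# WARN_DAYS (default 30) sets the renewal window.
report_certs() {
    warn_days=${WARN_DAYS:-30}
    status=0
    for f in "$@"; do
        if cert_valid_for_days "$f" "$warn_days"; then
            echo "OK     $f (expires $(cert_not_after "$f"))"
        else
            echo "RENEW  $f (expires $(cert_not_after "$f"))"
            status=1
        fi
    done
    return $status
}

# Constructed sample data: a self-signed certificate written to $1 that is
# valid for $2 days stands in for a certificate exported from a PSN.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=psn-sample.example" \
        -days "$2" -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}
```

Run it against the exported files, for example `WARN_DAYS=60 report_certs /path/to/psn-*.pem`, and alert on a non-zero exit status.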

Thanks for your comments and links.

But I can't find any information about what really happens if it does expire and how to recover the PSN node to a steady state again. I can only read that you shouldn't let it happen and that it's a very, very bad thing if it does.

For example:

- Are PEAP clients still able to authenticate to the PSN node (if clients are configured to not validate the ISE certificate)?

- How do I recover a PSN node with an expired certificate?

Thanks

No, they wouldn't, as the clients won't trust the certs from the ISE node. EAP communication will not succeed, resulting in authentication failures. You need to repeat the procedure, the same way you generated the cert (self-signed / CA), then copy of the same in the primary node's cert store among trust list.

Ok, so even if PEAP clients are configured to not "validate server certificate", PEAP communication will still fail?

"...then copy of the same in the primary node's cert store among trust list."

I don't really understand what you mean here. Shouldn't a new PSN node CA certificate be installed on the PSN node itself in some way? Then the communication to the rest of the nodes in the cluster would be restored thanks to the new valid certificate? Maybe you are thinking about a self-generated certificate. We have a CA infrastructure in place.
