08-27-2024 05:58 AM
Hello!
I have used this guide to configure our SBEN https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-3-5/user_guide/b_cisco_dna_center_ug_2_3_5/b_cisco_dna_center_ug_2_3_5_chapter_01110.html#Cisco_Concept.dita_5214333f-f583-4fd1-a3db-093ca3f....
The issue we're facing is that DNAC is pushing the wrong root certificate for ISE, so the switch, in our case a C9200CX, rejects the ISE certificate during dot1x authentication and ends up in an unreachable state due to our default deny setup. I've managed to put the correct certificate onto the switch manually before authorizing it and it all works perfectly when I do, but that defeats the point of automatic onboarding.
Is it a requirement for the root certificates of DNAC and ISE to be the same for this to work, or is DNAC supposed to push down the trustpool bundle where the correct root certificate is?
I have also tried to put the certificate on the switch using a day0 template, but had no luck due to the limitations of day0 templates.
08-27-2024 07:23 AM
Check for this Trustpoint <custom-dnac-ca-name>:
Issuing CA certificate configured:
Subject Name:
cn=My company Root CA,ou=My company Services,o=My company Group
You need to configure it on DNAC in a similar manner so that your ISE EAP certificate has the same TL issuer "My company Root CA".
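Added example (not part of the original thread and not Cisco code): a small Python check that takes trustpoint output in the layout quoted in the answer above and reports which trustpoints name the same CA as the issuer of the ISE EAP certificate, for instance the issuer line printed by `openssl x509 -noout -issuer`. The function names, the trustpoint names and the sample text are constructed for illustration, and the parser assumes the first "Subject Name" under a trustpoint belongs to the CA certificate.

```python
import re
# Constructed sample in the layout quoted in the answer; trustpoint names are placeholders.
SAMPLE_TRUSTPOINTS = """\
Trustpoint EXAMPLE-TP-A:
    Issuing CA certificate configured:
    Subject Name:
    cn=Example Other CA,o=Example Group
Trustpoint EXAMPLE-TP-B:
    Issuing CA certificate configured:
    Subject Name:
    cn=My company Root CA,ou=My company Services,o=My company Group
"""

def normalize_dn(dn):
    """DN -> frozenset of (type, value), so case, spacing and RDN order are ignored."""
    dn = re.sub(r"^\s*issuer\s*=\s*", "", dn.strip(), flags=re.I)
    sep = "/" if dn.startswith("/") else ","   # OpenSSL slash form vs comma form
    pairs = set()
    for part in re.split(r"(?<!\\)" + re.escape(sep), dn):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs.add((key.strip().lower(), " ".join(value.split()).lower()))
    return frozenset(pairs)

def parse_trustpoints(text):
    """Map trustpoint name -> first 'Subject Name' DN (assumed to be the CA's)."""
    result, name, want_subject = {}, None, False
    for stripped in map(str.strip, text.splitlines()):
        header = re.match(r"Trustpoint\s+(\S+?):?$", stripped)
        if header:
            name, want_subject = header.group(1), False
        elif name and stripped.lower().startswith("subject name:"):
            inline = stripped.split(":", 1)[1].strip()
            if inline:
                result.setdefault(name, inline)
            want_subject = not inline
        elif name and want_subject and stripped:
            result.setdefault(name, stripped)
            want_subject = False
    return result

def trustpoints_matching_issuer(show_output, issuer_dn):
    """Trustpoints whose CA subject equals the issuer DN (name match, no signature check)."""
    want = normalize_dn(issuer_dn)
    return [n for n, dn in parse_trustpoints(show_output).items() if normalize_dn(dn) == want]

if __name__ == "__main__":
    issuer = "issuer=CN = My company Root CA, OU = My company Services, O = My company Group"
    print(trustpoints_matching_issuer(SAMPLE_TRUSTPOINTS, issuer) or "no trustpoint names this issuer")
```

An empty result means no trustpoint on the switch names the CA that issued the EAP certificate; a match is by name only and does not replace validating the chain itself.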
08-29-2024 12:51 AM
That's what we feared. Thank you! I tested in the lab and it works well. Now we just have to wait for an appropriate time to change the certificate.