01-22-2020 07:45 AM - edited 07-05-2021 11:34 AM
Somehow I did not receive an email notification that my EAP certificate was expiring, and now I have an expired EAP/admin certificate. What I need to know is what the production impact will be when I install the new certificate. I am going to do this during a maintenance window, but will the clients just continue to work?
01-22-2020 01:50 PM - edited 01-22-2020 01:54 PM
Looks like that cert had expired some time ago. How is this impacting existing EAP authentications?
BTW, there is a flag in ISE to allow expired certs ... I have a feeling that you're operating in that mode ? ;-)
When you replace an EAP cert on a PSN node, then nothing bad happens. It can be done during business hours and takes effect immediately - no downtime.
When you replace an Admin cert on a node, then the application services will restart. This means you get kicked out of the Admin GUI and all processing of RADIUS/web/TACACS+ will stop until services are restored. Since the RADIUS processing stops for 5-10 minutes, the NAS won't get a reply, and should use the other RADIUS servers in its list (Secondary/Tertiary RADIUS servers ... I would assume you have that?) - this means some clients might suffer a slight timeout, but on retry, they will be processed by the secondary ISE PSN.
Since you are using a combo cert, you will suffer the outage incurred by the admin cert renewal. I would tend to separate these two certs to allow the admin to be updated independently. But given that most public CA's will only grant 3 year certs, you'll be forced to go through this pain at least every three years. But then again, at least an expired Admin cert is not as bad as an expired EAP cert (expired Admin cert causes browser warnings).
01-23-2020 05:36 AM
Arne!
You are my hero right now. So, aside from the admin issue, the replacement of the EAP certificate will not create an authentication issue with the clients? That is my concern: that once I put the new one in, the clients will somehow need to do something to recognize the new cert and therefore not auth.
01-23-2020 07:53 AM
01-23-2020 01:37 PM
Hello @richardpekarsky
You are correct - there are potential issues that can arise with EAP clients (supplicants) once you have changed the RADIUS server's EAP certificate. The problem is that the supplicants may need to trust/validate the ISE cert during EAP negotiation. And here is the rub:
If the supplicant is hard coded to only trust the RADIUS server if (and only if) the RADIUS server cert was signed by CA xyz, then the clients will fail to connect if the new cert is not from CA xyz.
This may not be a problem for you if the new ISE EAP cert is from the same CA as the existing one because the supplicant OS will already have the CA cert chain that's required. If you switch CA's/PKI then you need to check whether the supplicants have the necessary CA cert chain installed. With Windows systems you can push this out via GPO.
If you are using BYOD or MDM solutions, then check the wireless profile that is pushed to the endpoints to see how that supplicant is configured (i.e. does it perform checking of the RADIUS server cert - and if so, does the endpoint have the CA cert chain)
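The two checks described in this answer (does the supplicant already have the CA chain for the new ISE EAP cert, and what does the pushed wireless profile pin?) can be scripted on a Windows supplicant before the cutover. The following is an added example, not code from the thread or from Cisco; the certificate path and Wi-Fi profile name are placeholders, and it assumes the new PSN EAP certificate has been exported from ISE in DER/Base64 form:

```powershell
# Added example (not from the thread): on a Windows supplicant, confirm that the new
# ISE EAP server certificate chains to a root in the machine's trust store, then
# compare that root against the thumbprints the wireless profile is pinned to.
# Placeholders (assumed): exported new EAP cert path and the Wi-Fi profile name.
$NewEapCert  = 'C:\temp\ise-psn1-eap.cer'
$ProfileName = 'CorpWiFi'

# 1. Build the chain the way the supplicant would, using this machine's store.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($NewEapCert)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode   = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationTime = Get-Date
$built = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"
"Chain OK: $built"
if (-not $built) {
    # UntrustedRoot here means the new CA chain has not been pushed to this endpoint yet
    $chain.ChainStatus | ForEach-Object { "  status: $($_.Status) - $($_.StatusInformation.Trim())" }
}
# The last element of the chain is the root the supplicant must trust
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Root    : $($root.Subject)"
"Root TP : $($root.Thumbprint)"

# 2. Read the ServerValidation/TrustedRootCA pins from the exported Wi-Fi profile
#    (present for both PEAP and EAP-TLS profiles).
$tmp = Join-Path $env:TEMP 'wlanprofile'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
netsh wlan export profile name="$ProfileName" folder="$tmp" | Out-Null
$xmlFile = Get-ChildItem -Path $tmp -Filter "*$ProfileName*.xml" | Select-Object -First 1
[xml]$xml = Get-Content -Path $xmlFile.FullName

# TrustedRootCA holds the thumbprint as space-separated hex bytes; normalise for comparison
$pinned = $xml.GetElementsByTagName('TrustedRootCA') |
          ForEach-Object { ($_.InnerText -replace '\s', '').ToUpper() }

if (-not $pinned) {
    "Profile '$ProfileName' pins no root CA (any root trusted by the machine is accepted)."
} elseif ($pinned -contains $root.Thumbprint) {
    "Profile '$ProfileName' already trusts the new root - no supplicant change needed."
} else {
    "Profile '$ProfileName' pins other root(s); update the profile (e.g. via GPO) before cutover:"
    $pinned | ForEach-Object { "  pinned: $_" }
}
```

Run it on a representative managed endpoint: if the chain builds and the profile either pins the same root or pins nothing, replacing the EAP cert is transparent to that client; if it reports UntrustedRoot or a different pinned thumbprint, the CA chain and/or profile need to be distributed before the maintenance window.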