Cisco ISE HA Cert

Hi, we have 2 Cisco ISE 3.3 nodes on SNS appliances deployed in HA. We have a local Windows CA server. We made ISE1 the primary for Admin, MNT and PSN; ISE2 is secondary for Admin & MNT and primary for PSN.

After setting up HA, we generated a CSR (when selecting the CSR it gives us the option to select both nodes to apply the CSR to) for the Admin portal, Guest Portal, and RADIUS. We included both the ISE1 and ISE2 hostnames and IP addresses in the Subject Alternative Name of the CSR. After getting the signed cert from the CA, we bound the cert to the CSR.

Now when we access the admin portal of ISE2, there is no certificate error. But when accessing the ISE1 admin portal or guest portal, a certificate error prompts. Both are accessed from a Windows domain-joined computer which trusts the root CA. Any idea why this would happen?



There is no concept of a "secondary" PSN. What do you mean? ISE2 is listed first on the NADs? Any spelling issue on your certificate? What is the exact browser error? When you browse to ISE1, what certificate do you see? Do you see the matching hostnames? Did you bind both CSRs or only one?

You configure one cert per node for Admin.

You configure one portal cert for both PSNs? Does the SAN include the FQDN of both PSNs?

MHM

In the certificate management of your PAN, you find both ISE nodes and both can be configured individually for the different certificates. Make sure that both have the new certificate installed and that both use the correct certificate for "Admin".

For your guest portal you really should get a public certificate. If you use a certificate from your enterprise CA, your guests will always get a cert-warning and we should *never* configure something that shows a cert-warning to "normal" users!

Hi, we understand about using an internal cert for the Guest Portal. But this Guest Portal is only meant for internal users who need internet access. Corporate WiFi doesn't have internet access.

Is it OK to select both nodes when generating the CSR? Or must we select an individual node when applying the CSR?

You can select both ISEs when generating the CSR. You can also generate the CSR on a different system with openssl and use this CSR to request the certificate. This certificate/key pair is then imported into all ISEs. This is my favorite approach.
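The last reply suggests generating the CSR off-box with openssl, and the original question hinges on whether the certificate ISE1 serves actually lists ISE1's name in its SAN. The following is an added example, not code from the thread or from Cisco: it writes an OpenSSL request config whose SAN carries both nodes' FQDNs and IPs, produces a key and CSR, prints the CSR's SAN for review before it goes to the CA, and checks a certificate against a hostname with `openssl x509 -checkhost`. The node names and IPs are constructed placeholders, and the self-signing step only stands in for the Windows CA so the check can be exercised offline; it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Hostnames and IPs are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
NODE1_FQDN="ise1.example.local"   # placeholder for the first ISE node
NODE2_FQDN="ise2.example.local"   # placeholder for the second ISE node
NODE1_IP="192.0.2.11"             # placeholder (TEST-NET-1 range)
NODE2_IP="192.0.2.12"             # placeholder (TEST-NET-1 range)

# Write an OpenSSL request config whose SAN lists both nodes by name and IP.
write_req_config() {
  cat > "$WORKDIR/ise.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = $NODE1_FQDN
O = Example Corp

[ v3_req ]
subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[ alt_names ]
DNS.1 = $NODE1_FQDN
DNS.2 = $NODE2_FQDN
IP.1 = $NODE1_IP
IP.2 = $NODE2_IP
EOF
}

# Generate a private key and a CSR carrying the SAN extension from the config.
generate_csr() {
  write_req_config
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/ise.key" -out "$WORKDIR/ise.csr" \
    -config "$WORKDIR/ise.cnf" 2>/dev/null
}

# Print the SAN line of a CSR so every node name can be checked before submission.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1
}

# Self-sign the CSR as a stand-in for the enterprise CA, keeping the v3_req SAN.
selfsign_demo_cert() {
  openssl x509 -req -in "$WORKDIR/ise.csr" -signkey "$WORKDIR/ise.key" \
    -days 1 -sha256 -extfile "$WORKDIR/ise.cnf" -extensions v3_req \
    -out "$WORKDIR/ise.crt" 2>/dev/null
}

# Return 0 when the certificate's SAN covers the hostname, 1 otherwise.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
```

To run the same check against the certificate a browser complains about, export it from the browser (or fetch it with `openssl s_client -connect ise1:443 -showcerts`) to a PEM file and call `cert_covers_host that.pem ise1.example.local`; a "does NOT match" result means the node is serving a certificate whose SAN omits that name, which matches the symptom described in the question.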