SEC0183 - ISE 1.3 Certificate and Node Registration (Part 1)
Category:
Security
The video demonstrates wildcard certificate generation in the new Cisco ISE 1.3 web interface and builds a two-node distributed deployment. We go through CSR generation on ISE, have the CSR signed by a Windows 2008 CA, and use the resulting certificate to register a secondary node to a primary. The concepts of Certificate Usage and Group Tag are introduced, as is the ability to centrally manage node certificates.
Part 1 of this video focuses on wildcard certificate generation.
Topic:
- Introduction to the new Certificate Configuration Menu
- Trusted CA Certificate Import
- CSR Generation for Wildcard Certificate
- Certificate Signing on Windows 2008 CA
- Certificate Binding
- Certificate Usage and Group Tag
- Certificate/Key Export/Import
- Distributed Deployment and Secondary Node Registration
- Central Certificate Management
Issues with GoDaddy Cert
I created a CSR and got the certificate from GoDaddy.
However, none of my clients are trusting the GoDaddy cert unless I install the intermediate CA from GoDaddy on every client. I spoke with GoDaddy and they said if I import the intermediate CA into the server (ISE) it should work, which I did, but it did not solve the problem. Cisco TAC states this is not their issue if the machines don't trust the cert, which makes sense.
I have about 2K Windows 7 machines with this problem and don't want to go about manually installing the intermediate CA on all of them.
How do I fix this issue?
Issues with GoDaddy Cert
First of all, GoDaddy's suggestion was incorrect. Adding the intermediate cert to ISE does not make the client trust the ISE cert. Second of all, it would be very strange if Windows 7 does not already have the GoDaddy Root cert (not the intermediate cert, as they come out with new ones all the time) in its Trusted Root cert store, unless GoDaddy just decided to come up with a new Root CA without telling anybody. Our suggestion would be to see if you can locate the GoDaddy root cert that signed the intermediate cert on your Windows client. If you can, just configure the client to trust that Root cert.
Worst case, you can use GPO to push Root cert or intermediate cert to all Windows clients.
ISE 1.4 with 2 node redundant deployment
Hello, I have a 2-node redundant deployment of two ISE 1.4 appliances, and I want to use EAP-TLS authentication for endpoint Windows users. Also, some users will be utilizing ISE1 as primary authentication and some others ISE2 as primary authentication, utilizing an IOS-based redundant RADIUS deployment. The root CA is VeriSign, which doesn't let me generate a CSR with a wildcard certificate.
1. Is it OK if I just generate two certificates for each ISE, import the root CA certificate and configure both ISE in redundant mode?
2. Using two different certificates, and not a wildcard one, on both ISE, will it cause any authentication problem for endpoints?
3. Are the SAN fields, DNS names, needed in this kind of deployment?
Thank you and kind regards
ISE 1.4 with 2 node redundant deployment
1. Yes you can. Here is the relevant video
http://www.labminutes.com/sec0031_ise_1_1_node_registration_ca-signed_ce...
2. No. However, since the two nodes now each have a unique cert, certain devices like iOS may be prompted to accept the cert again when switching authentication between nodes (e.g. during failover). If you use MDM to provision the 802.1X profile to iOS devices, both certs will need to be included as trusted certs.
3. No, unless you want to use the same cert for other web portals like MyDevices, Sponsor, etc., in which case those respective URLs need to be entered as SAN DNS entries.
Thank you so much for your
Thank you so much for your prompt and professional feedback. It really helped me.
Keep the good work going on.
Kind regards
sponsor portal
Hello Labminutes team,
I am trying to access the sponsor portal on my 2-node ISE 1.4 deployment, using the URL "https://psn-ip:8443/sponsorportal", but it replies with an error [404] resource not found. When I use an FQDN in the sponsor portal settings, I can reach the portal but with a certificate error. When I first requested a certificate with a CSR, I didn't input any SAN record in it. How can I solve this issue, so that the sponsor portal is accessible again without a certificate error, using my current root-signed certificate (with no SAN in it)? And if that is not possible, is it possible to access the portal with "https://psn-ip:8443/sponsorportal"?
Thank you so much for your feedback and support
Kind Regards,
Mommo
sponsor portal
If you use a public CA, you can usually go back to them to have the SAN added to the same cert, possibly for an additional fee. If this is an internal CA, you can ask your CA admin. Worst case, you will need to generate a new CSR. If you have more than two nodes, you might want to consider using a wildcard cert.
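The wildcard CSR topic in the video and the sponsor-portal and per-node-certificate questions above all come down to one thing: which names a certificate actually covers once a client checks it. The following is an added example, not code from the LabMinutes video or from Cisco ISE, that models the RFC 6125 name-matching rules a TLS client applies to a portal URL or an EAP server certificate. The hostnames, the IP address and the two certificates in it are constructed for illustration.

```python
"""Added example: which names a node certificate covers (RFC 6125 matching).

Hostnames, IP addresses and certificate contents below are constructed for
this example, not taken from a real ISE deployment.
"""
from urllib.parse import urlsplit
import ipaddress


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (possibly a wildcard) against one hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # Only a whole leftmost label may be a wildcard, and at least two fixed
    # labels must follow it: "*.local" and "ise*.lab.local" are refused.
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    # The wildcard never spans a dot: *.lab.local covers psn1.lab.local but
    # neither lab.local itself nor psn1.dc1.lab.local.
    return len(h) == len(p) and h[1:] == p[1:]


def cert_covers(cert: dict, target: str) -> bool:
    """True if a client would accept `cert` for `target` (hostname or IP).

    cert = {"cn": str, "san": [("DNS", name) | ("IP", addr), ...]}
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL is only accepted via an iPAddress SAN entry;
        # it is never matched against the CN or a dNSName.
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in cert["san"])
    dns_sans = [v for t, v in cert["san"] if t == "DNS"]
    if dns_sans:
        # Once any dNSName is present, the CN is ignored entirely.
        return any(_dns_match(v, target) for v in dns_sans)
    # Legacy fallback: with no SAN at all, clients of that era used the CN.
    return _dns_match(cert["cn"], target)


def url_host(url: str) -> str:
    """Hostname (or IP literal) a client validates for a portal URL."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host


# Constructed certificates: a per-node CSR with no SAN, and a wildcard one.
NODE_CERT_NO_SAN = {"cn": "ise-psn1.lab.local", "san": []}
WILDCARD_CERT = {"cn": "*.lab.local", "san": [("DNS", "*.lab.local")]}

if __name__ == "__main__":
    urls = (
        "https://ise-psn1.lab.local:8443/sponsorportal",
        "https://sponsor.lab.local:8443/sponsorportal",
        "https://10.1.1.5:8443/sponsorportal",
    )
    for name, cert in (("no-SAN node cert", NODE_CERT_NO_SAN), ("wildcard cert", WILDCARD_CERT)):
        for url in urls:
            print(f"{name:17} {url:48} -> {cert_covers(cert, url_host(url))}")
```

Run stand-alone, the table shows why the no-SAN certificate works only for the node's own FQDN and never for a sponsor-portal FQDN or an IP-based URL, while the wildcard covers every host one label below lab.local (all PSNs plus a sponsor or MyDevices FQDN in that zone) but not a host in a sub-zone. It does not change the trust-chain part of the story: the name can match and the client can still reject the certificate if the issuing root is not in its store.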
Just want to say ...
Commenting here just to say appreciation and Thanks :) Very informative.
Thank you
Thank you for your feedback