I just tried to use a wildcard certificate, and received the error message that the "Management certificate must contain host FQDN in CN component of Subject field." This is a HUGE issue. Currently, I can use wildcard certs on the WLCs without an issue. And, I can import a separate one for web logins from the one used for management. ISE really needs to have the ability to import a separate, non-"Management" certificate just used for "Guest" logins. Not sure if that is part of the blueprint for ISE 1.2, but it needs to be.
This last week at CiscoLive, I heard that there may be a workaround using Subject Alternate Names in the certificate. Now, this is not something that can be done using the CSR from ISE. I'm waiting for some documentation on the process, but I at least have a little bit of hope.
If you got an update related to Subject Alternate Names could you post the information? I'm also interested in this functionality to fix the issue so that we can give the appliance multiple certificates with other domain names.
I don't believe there's an easy way around this currently. The URL for the PSN is created dynamically and is always the real hostname of the PSN node. If you have the luxury of multiple appliances (or VMware partitions) available, then you can have a couple of your PSNs dedicated to guest (and maybe sponsor) access. These can then be on separate (more covert) hostnames and even on a separate domain so that guest users don't see your internal domain. For split domains you will need at least 1.1.1 patch 4 (unless you can use a DNS bodge, which we have tested).
For the record: I have the documentation and the SAN field isn't resolving the issue for multiple domain names. Although you can specify other hostnames, they are still in the same domain suffix.
As Bikespace mentioned, the problem can be resolved in this way.
Set up a deployment with two ISE nodes. Take a VM and build it for DMZ purposes. You can install a PSN with another DNS suffix. As long as these domain names are resolvable in the DNS deployment, it will work. I've built this and it works with 1.1.2 patch 2. I thought this would be a problem for the AD agent on the PSN, with a different DNS suffix than the real Domain Controller in the Active Directory domain, but it isn't; it works.
Extra tip: you can't register a 'real' certificate on a fake DNS name, so .local and .lan should be denied by your CA. So the solution above is the only solution for now. Also, the problem lies in ISE: you can't install another certificate that differs from the hostname+suffix of the PSN node. I'd prefer that Cisco solve this issue the way it behaves on Cisco ASA.
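As an added example (not code from Cisco or from anyone in this thread), the check below models the rule quoted in the error message above, "CN must contain host FQDN", next to the ordinary RFC 6125 name matching a browser applies, so a certificate can be checked before upload. It also flags names whose suffix differs from the node's own, since the thread reports that SAN entries do not solve the multi-domain case. The certificate is modelled as a subject CN plus SAN dNSName list; all hostnames are constructed.

```python
# Added example: compare ISE's management-cert CN rule (as quoted in the thread)
# with browser-style RFC 6125 matching. Not Cisco's code; all names are constructed.

def rfc6125_match(pattern: str, hostname: str) -> bool:
    """Browser-style match: '*' is allowed only as the whole leftmost label
    and matches exactly one label; comparison is case-insensitive."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    # reject '*.com'-style patterns and wildcards not in the leftmost label
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def ise_cn_ok(subject_cn: str, node_fqdn: str) -> bool:
    """The rule from the ISE error message: the CN must be the node's own
    FQDN, so a wildcard CN is rejected outright."""
    return "*" not in subject_cn and subject_cn.lower() == node_fqdn.lower()

def domain_suffix(name: str) -> str:
    """Everything after the first label, e.g. 'psn1.corp.example.com' -> 'corp.example.com'."""
    parts = name.lower().split(".", 1)
    return parts[1] if len(parts) > 1 else ""

def check_cert(subject_cn: str, san_dns: list, node_fqdn: str, portal_hosts: list) -> dict:
    """Report whether the cert would pass the ISE CN rule, which portal hostnames
    a browser would accept it for, and which names lie outside the node's suffix."""
    names = [subject_cn, *san_dns]
    return {
        "ise_import_ok": ise_cn_ok(subject_cn, node_fqdn),
        "browser_ok": {h: any(rfc6125_match(n, h) for n in names) for h in portal_hosts},
        "foreign_suffix_names": [n for n in names if domain_suffix(n) != domain_suffix(node_fqdn)],
    }

if __name__ == "__main__":
    NODE = "psn1.corp.example.com"                     # constructed PSN FQDN
    PORTALS = ["guest.corp.example.com", "guest.example.net"]
    # wildcard cert: fine for a browser, rejected by the ISE CN rule
    print(check_cert("*.corp.example.com", [], NODE, PORTALS))
    # CN = node FQDN with SAN entries: passes the CN rule; the .net name is flagged
    print(check_cert(NODE, PORTALS, NODE, PORTALS))
```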