
ISE and certificates

Hi all,

I'm trying to get my head around using 3rd party certificates with the ISE and I think I need some guidance here.

I have a setup of 6 ISE nodes, 2xAdmin, 2xMonitoring and 2xPolicy.

All of these have the domain-name of abc.local.

I want to use MS-CHAPv2 and guest service without certificate errors.

So do I need to enroll all of my six nodes with a 3rd party CA? Or just the 2xPolicy nodes?

I know the best solution would be all six but just to know if it is possible.

How do I get around the problem with .local? I do not think it is possible to get a certificate with .local as a domain in FQDN.

Is a SAN certificate useful here? How would that look (still .local in CN..?)

Other things to consider in this?

Regards

Mikael



Eduardo Aliaga

You can only ask a 3rd party CA a certificate for a valid and public domain that you own. Since "abc.local" isn't a valid public domain then the 3rd party CA can't generate the certificate.

If you want a ".local" domain you can just create your certificates yourself by using Microsoft Certificate Authority for example, and then make all your domain PCs "trust" this domain by using Group Policies.

Hope it helps

How about FQDN and the ISE, what I understand is I do need to use hostname.abc.local in the CSR?

Based on ip domain-name and hostname from the ISE

And if I want a 3rd party signing of this I need to change ip domain-name?

Am I missing something here?

The documentation says:

Same from the UG 1.1.1:

If you intend to use the certificate generated from this CSR for HTTPS communication (Management Interface), ensure that the CN value in the Certificate Subject is the FQDN of the node. Otherwise, you will not be able to select Management Interface when binding the generated certificate.

From TS 2.1 How-To 04:

Note: If you did not create the certificate signing request (CSR) with the same host name as the Cisco ISE server (or did not use the same domain name), then you will receive an error message. Delete the old CSR or simply change the host name and start again.

That is correct, you need to issue the CSR based on the host name currently configured for ISE, which is the FQDN.

Your issue is that public certificate authorities will not issue you a cert because you are using a .local and not a public domain like .com, .edu or .org, to name a few.

The only way to resolve your issue is to use a private Microsoft certificate authority, which is simple to configure. Or change your ISE domain name and use your company's public domain name.

Thanks,

Sent from Cisco Technical Support iPad App

And how about ip domain-name on ISE and joining an AD domain, do they have to match?

Are there no surprise problems when changing the domain name on ISE?

Sent from Cisco Technical Support iPhone App

Mikael,

That is a really good question. For all deployments I haven't seen a condition where the ISE domain name is different than the Active Directory domain name that it joins to. I know that ISE creates a computer object in AD once it's joined to AD, and when joining AD it needs to be able to perform a forward and reverse lookup for its entry in DNS. My assumption is that it needs to be in the same domain space as AD but I can't confirm that for a fact. Let me do some research and I will let you know.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik

I did a quick test yesterday with my VMware ISE lab, I changed the domain name and joined the AD domain.

It did join, but what are the consequences... I did not look at any log or debug output.

I am doing third party certificates as well, the built-in CSR generation tool doesn't work as it has a problem with adding CN attributes (for me it says no organization name has been included in the CN subject when I try to enroll it with a third party signing tool).

I am trying to use the certs for PEAP authentication, I think you can't use the same cert for authentication and management at the same time.

Question to ask though: on GoDaddy enrollment it is asking me what platform this is for: Apache and all the other things. Since this is for PEAP, is there any particular platform that I need to use for the cert?

Thank you.

It is OK to use Apache, you just need the correct OID enabled, which is for server authentication. You can use the same cert for authentication and the HTTP web server; however, the EAP authentication server requirements are not as stringent on the hostname as the HTTP management.

Also, what are you using for the format when creating the CSR? Are you just using CN=isefqdn, or did you follow the example here: http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1077292

Step 4 Enter the certificate subject and the required key length. The certificate subject is a distinguished name (DN) identifying the entity that is associated with the certificate. The DN must include a common name value. Elements of the distinguished name are:

C = Country
S = Test State or Province
L = Test Locality (City)
O = Organization Name
OU = Organizational Unit Name
CN = Common Name
E = E-mail Address

Tarik Admani
*Please rate helpful posts*

Now this is all over the place lol.

Yes I did that and I even talked to TAC, they said they recommend using openssl to generate the CSR and I did.

Anyway thanks for your help..

I'll have TAC deal with this I guess.
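As an added example (not code from the thread, Cisco or any CA), the Go program below builds a CSR the way the user guide's DN list and the FQDN rule in this thread describe, then checks it for the three problems raised above: a CN that is not the node FQDN, a missing O (the enrollment error mentioned), and .local names that no public CA will sign. The DN values and node names are constructed; a real CSR would use RSA per ISE's defaults, P-256 is used here only to keep the example fast.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)
// buildCSR makes a key and CSR for an ISE node: names[0] is the node FQDN
// (hostname plus ip domain-name) and becomes the CN; every name goes into the SAN.
func buildCSR(subject pkix.Name, names []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject.CommonName = names[0]
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject, DNSNames: names}, key)
}

// checkCSR lists why ISE or a public CA would reject the request: CN not the node
// FQDN, no O in the subject (the enrollment error in the thread), or a .local name.
func checkCSR(der []byte, iseFQDN string) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	var problems []string
	if csr.Subject.CommonName != iseFQDN {
		problems = append(problems, "CN is not the ISE FQDN "+iseFQDN)
	}
	if len(csr.Subject.Organization) == 0 {
		problems = append(problems, "no organization name (O) in subject")
	}
	for _, n := range csr.DNSNames {
		if strings.HasSuffix(n, ".local") {
			problems = append(problems, n+": .local cannot be signed by a public CA")
		}
	}
	return problems, nil
}
func main() {
	// Constructed DN and abc.local node names; ST and L are set the same way as C, O and OU.
	dn := pkix.Name{Country: []string{"SE"}, Organization: []string{"Example AB"}, OrganizationalUnit: []string{"IT"}}
	der, _ := buildCSR(dn, []string{"ise-psn1.abc.local", "ise-psn2.abc.local"})
	problems, _ := checkCSR(der, "ise-psn1.abc.local")
	fmt.Println(problems) // both .local names are reported
}
```

Swapping the node names for ones under the company's public domain, as the accepted answer suggests, makes checkCSR return no findings.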

Seems like a double post but I'm just gonna add it here in case someone ever looks for it, as it has adequate tags.

Alright, I've been able to create my own CA in Win2008 and Ubuntu Server as well (I was so desperate about this cert thing on Windows 7, where it popped up that terminate/connect error, that I had to create all that).

Anyway the scenario is using third party cert.

**The domain name doesn't have to match the ISE domain name for PEAP Authentication** (so I used my guest webpage SSL cert)

Now Windows 7 computers that are part of a domain/workgroup using the native wireless client would still get that error no matter what, even if you add the root cert as a trusted authority in the cert list and all that, even third party ones.

Seems like a Windows 7 bug and here is the workaround:

http://support.microsoft.com/kb/2518158

I just did that for the root CA and intermediate CA from the third party CA (GoDaddy in my case). I did test it with Windows Server CA and also with Ubuntu Server CA (yes I did test a lot).

Hope it helps someone as it was driving me crazy
