How to Configure Certificates on Distributed ISE Servers

Introduction

Cisco Identity Services Engine (ISE) uses certificates to authenticate other ISE nodes in a distributed environment, and it can also use certificates to authenticate clients. ISE can use certificates with a wildcard in the Subject Alternative Name. This document provides a step-by-step guide to implementing a single wildcard certificate in a distributed ISE environment.

For more information on certificates related to ISE, refer to Cisco’s documentation here.

Scope

The scope of this document is limited to the implementation of a wildcard certificate on multiple ISE servers, to be used for ISE authentication as well as client authentication. It outlines the steps required to request a wildcard certificate from an internal Trusted Root CA. It then describes how to copy that certificate to multiple ISE servers. It assumes that the internal Trusted Root CA is pre-configured and that all clients already trust this Root CA. It does not cover any additional ISE certificate-related features such as OCSP, SCEP, or certificate templates.

Environment

This implementation of ISE consists of 8 servers: 2 Admin Nodes, 2 Monitoring Nodes, and 4 Policy Service Nodes. A wildcard certificate is installed on an initial server, then exported to the remaining servers. A new subdomain was created to limit the scope of the wildcard certificate. For instance, *.ise.wifiworkshop.com was used instead of *.wifiworkshop.com. All servers use ise.wifiworkshop.com as their domain name. Also, all hostnames were configured in lowercase to eliminate potential issues with certificate-driven verification functions.

Instructions

Setting up the Primary Role

Log into the initial server

Navigate to Administration > System > Deployment

Click on servername

Click the Make Primary button and Save

Create a Certificate Signing Request

Navigate to Administration > System > Certificates > Certificate Signing Request

Click Generate Certificate Signing Requests (CSR)

Select the certificate for Multi-Use

Enable the “Allow Wildcard Certificates” option

Fill out the Subject fields with the appropriate information

Be sure to use the $FQDN$ for the Common Name (CN)

Use DNS Name for the Subject Alternative Name and enter your wildcard information.

(Simply replace the hostname of your server’s FQDN with an asterisk such as *.ise.wifiworkshop.com)

Then click Generate

Click OK
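The wildcard entered in the SAN determines which node names the certificate can vouch for, and the matching rules are stricter than they look: the asterisk must be the entire leftmost label and it stands for exactly one label. The script below is an added example, not part of the original article or of ISE itself; the node hostnames in it are assumptions standing in for the 8-node deployment described above. It checks that the planned SAN covers every node and flags hostnames that break the lowercase convention.

```python
"""Added example, not from the original article: verify that the wildcard SAN planned
for the CSR covers every node of the deployment before the request is generated.

Matching follows the usual TLS rule (RFC 6125, section 6.4.3): the asterisk must be the
entire leftmost label, it stands for exactly one label, and comparison ignores case.
Hostnames below are constructed for the 8-node layout the article describes."""

import re

# Assumed inventory: 2 Admin, 2 Monitoring, 4 Policy Service nodes (names are made up).
DEPLOYMENT_NODES = [
    "ise-admin1.ise.wifiworkshop.com",
    "ise-admin2.ise.wifiworkshop.com",
    "ise-mnt1.ise.wifiworkshop.com",
    "ise-mnt2.ise.wifiworkshop.com",
    "ise-psn1.ise.wifiworkshop.com",
    "ise-psn2.ise.wifiworkshop.com",
    "ise-psn3.ise.wifiworkshop.com",
    "ise-psn4.ise.wifiworkshop.com",
]

# The SAN entries planned for the CSR; the article uses only the wildcard.
PLANNED_SAN = ["*.ise.wifiworkshop.com"]

# A DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def is_valid_wildcard_san(pattern):
    """Accept only '*.<two or more labels>' with the asterisk as the whole leftmost label."""
    labels = pattern.lower().rstrip(".").split(".")
    return (len(labels) >= 3 and labels[0] == "*"
            and all(LABEL_RE.match(lab) for lab in labels[1:]))


def san_matches(pattern, hostname):
    """Exact match for a plain name; single-label match for a valid wildcard name."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    if not is_valid_wildcard_san(p):
        return False  # e.g. 'ise-*.example.com' or '*.com' are rejected outright
    p_labels, h_labels = p.split("."), h.split(".")
    # The wildcard consumes exactly one label, so the label counts must agree.
    return (len(h_labels) == len(p_labels)
            and LABEL_RE.match(h_labels[0]) is not None
            and h_labels[1:] == p_labels[1:])


def uncovered_nodes(san_names, hostnames):
    """Hostnames that no entry of the planned SAN list would match."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in san_names)]


def mixed_case_hostnames(hostnames):
    """Hostnames that break the all-lowercase convention the article recommends."""
    return [h for h in hostnames if h != h.lower()]


if __name__ == "__main__":
    print("CN ($FQDN$ on the initial node):", DEPLOYMENT_NODES[0])
    print("SAN:", PLANNED_SAN)
    print("wildcard well-formed:", all(is_valid_wildcard_san(s) for s in PLANNED_SAN))
    print("nodes not covered:", uncovered_nodes(PLANNED_SAN, DEPLOYMENT_NODES))
    print("mixed-case names:", mixed_case_hostnames(DEPLOYMENT_NODES))
```

Run it before generating the CSR. Under these rules *.wifiworkshop.com would not match ise-psn1.ise.wifiworkshop.com at all, because the asterisk covers a single label, so the dedicated subdomain matters for correctness as well as for limiting what the certificate can vouch for. Matching is case-insensitive, but keeping every hostname lowercase, as the article does, avoids relying on each verifier normalizing case the same way.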

Submit the CSR to the Certificate Authority

This assumes you have an internal Windows-based Trusted Root Certificate Authority

Navigate to Administration > System > Certificates > Certificate Signing Requests

Highlight the CSR and Click View

Click the CSR Contents tab and copy all the text in the window

Open a web browser and navigate to your CA (For instance: http://servername/certsrv)

Click Request a Certificate

Click Submit a certificate request using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Paste the CSR Contents you copied earlier into the request field.

Set the Certificate Template to Web Server

Click Submit

Download the Certificate

Open a web browser and navigate to your CA (For instance: http://servername/certsrv)

Click View the status of a pending certificate request

Click the Saved-Request Certificate

Download the certificate

Download the certificate chain

Import the Trusted Certificate

Navigate to Administration > System > Certificates > Trusted Certificates

Click Import

Click Choose File and select the certnew.p7b file you downloaded earlier

Enter a Friendly Name

Select Trust for authentication within ISE

Select Trust for client authentication and Syslog

Click Submit

Bind the Certificate to the CSR

Navigate to Administration > System > Certificates > Trusted Certificates

Click Choose File and select the certnew.cer you downloaded earlier

Enter a Friendly Name

Select Admin and EAP Authentication

Click Submit

After you bind the Certificate, ISE will reboot.

Export the Certificate

Navigate to Administration > System > Certificates > System Certificates

Highlight the certificate and click Export

Export Certificate and Private Key

Create a password

Click Export

Save the File

Extract the files from the exported certificate zip file
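Before the extracted pair is carried to the remaining nodes, it is worth confirming that the zip contained what was expected, that the private key is still password-protected, and that the key actually belongs to the certificate and opens with the export password. The script below is an added example, not code from the original article or from Cisco; it assumes the export zip holds one .pem file with the certificate and one .pvk file with a PEM-encoded, password-encrypted private key, and the file names it uses are hypothetical.

```python
"""Added example (not part of the original article): sanity-check the files extracted
from the ISE system-certificate export before importing them on the remaining nodes.

Assumptions not stated by the article: the export zip yields one .pem file holding the
certificate and one .pvk file holding a PEM-encoded, password-encrypted private key.
The file names used in main() are hypothetical."""

import getpass
import re
import ssl
import zipfile

PEM_HEADER_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def pem_block_types(text):
    """Return the PEM block labels found in a file, e.g. ['CERTIFICATE']."""
    return PEM_HEADER_RE.findall(text)


def is_encrypted_key(text):
    """True if the PEM private key is password-protected (PKCS#8 or legacy format)."""
    return "ENCRYPTED PRIVATE KEY" in text or "Proc-Type: 4,ENCRYPTED" in text


def check_export(members):
    """members: iterable of (file_name, file_text) read from the export zip.
    Returns a list of problems; an empty list means the export looks complete."""
    problems = []
    certs, keys = [], []
    for name, text in members:
        labels = pem_block_types(text)
        if labels == ["CERTIFICATE"]:
            certs.append(name)
        elif len(labels) == 1 and labels[0].endswith("PRIVATE KEY"):
            keys.append(name)
            if not is_encrypted_key(text):
                problems.append(f"{name}: private key is not password-protected")
        else:
            problems.append(f"{name}: not a single PEM certificate or private key")
    if len(certs) != 1:
        problems.append(f"expected exactly one certificate file, found {len(certs)}")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key file, found {len(keys)}")
    return problems


def read_export_zip(zip_path):
    """Yield (member_name, text) for every file inside the export zip."""
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield info.filename, zf.read(info).decode("utf-8", errors="replace")


def certificate_matches_key(cert_path, key_path, password):
    """Ask OpenSSL (through the ssl module) to load the pair. It refuses if the key does
    not belong to the certificate or if the password is wrong, which is exactly what
    should be caught before the pair is imported on another node."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path, password=password)
    except (ssl.SSLError, OSError, ValueError):
        return False
    return True


if __name__ == "__main__":
    # Hypothetical names; use the zip downloaded from the primary node and its contents.
    zip_path, cert_path, key_path = "ise-wildcard-export.zip", "ise-wildcard.pem", "ise-wildcard.pvk"
    for problem in check_export(read_export_zip(zip_path)):
        print("problem:", problem)
    password = getpass.getpass("Export password: ")
    print("certificate/key pair usable:", certificate_matches_key(cert_path, key_path, password))
```

The pairing check delegates to OpenSSL via Python's ssl module, which will not load a certificate together with a key that does not match it or that cannot be decrypted with the given password, so a False result means the files should not be imported. The .p7b chain is not covered by this script; it is imported separately as a trusted certificate, as the next section describes.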

Import the Same Certificate on the Remaining ISE Nodes

Navigate to Administration > System > Certificates > Trusted Certificates

Click Import

Click Choose File and select the Certificate Chain that was downloaded with the original CSR

(certnew.p7b)

Enter a Friendly Name of your choice

Enable Trust for authentication within ISE

Enable Trust for client authentication and Syslog

Click Submit

Navigate to Administration > System > Certificates > Trusted Certificates

Click Import

Click Choose File and select the extracted file from the previous export

(Select the .pem file for the Certificate File)

Click Choose File and select the extracted file from the previous export

(Select the .pvk file for the Private Key File)

Enter the password used when exporting the certificate

Enter a Friendly Name of your choice

Enable “Allow Wildcard Certificates”

Enable Admin

Enable EAP Authentication

Reboot ISE

Repeat for all remaining server nodes

Register Nodes to Form a Deployment Group

Navigate to Administration > System > Deployment

Click Register > Register an ISE Node

Enter the FQDN, Username, and Password

Click Next, then Submit

Repeat for all remaining server nodes

Assign Persona Roles as appropriate.

Thanks!