Sometimes i also had to deregister the node from the cluster and register it back after domain-name changed. Also issues with internal CA, the biggest weird issues was that i had to disable, generate new certs for internal ca and re-enable it back (impact on all my byod users).
There were weird issues like AD sync/join not working as expected and needed to unlink and link it back sometimes. Issues i had, were mostly after changing domain name. Customers like simplicity and most of them generate 1 cert with multiple SAN and then import the same one on all node. Then you can import them node by node, i start myself from PSN and finish with PAN. However for the admin, it'll only be on the default interface and you have no choice to change the domain name. The main concern I have is that the ISE cube (cluster) will someone get messed up because of the changing of domains and the importing of certs.įor the EAP, you could have the possibility to create a new interface and an alias then your public cert will work. I am pretty sure that changing the System cert for Admin will cause the application services to restart. Let's say we have all the domain stuff out of the way, which node do we start with? If we start with the PSN's, will it isolate the PSN from the PAN when installing the new Admin cert? Is there an order in which this should be done?.I suspect we'd have to re-configure all the "ip domain-name" commands in each node prior to even trying to import a public CA cert? The node host name domains will need to match the new Admin cert (at least in the SAN field, right?) - if customer has some internal domain like net.local, then there will be no Public CA that can issue a cert that has this in the SAN field.public CA cert) to all the nodes used for Admin and possibly also EAP. This cert was installed on all secondary nodes prior to the nodes being registered to the PAN.Ĭustomer now wishes to apply a different cert (e.g. The customer is running ISE 2.4 in a 6 node deployment on SNS appliances.Ĭurrently the Admin cert is a self-signed wildcard cert. Click OK to exit the LAN connection properties.I don't have the time to test this myself, but has anyone got real world advice when replacing the Admin cert of a multi-node deployment?.I am using User or computer authentication so that both are authenticated (computer on boot to login screen, computer and user when user logs in). Set the drop down to the appropriate setting.Connect to these servers is optional (just like above).Leave Verify the server’s identity by validating the certificate enabled.Use a certificate on this computer is the default setting.
Under each EAP method drop down, click the Configure button.Under Client Authentication, I’m setting both the primary and secondary EAP method for authentication to Microsoft: Smart Card or other certificate.*.Place a checkmark next to the root CA server(s) under Trusted Root Certification Authorities that are used to sign the certificate for EAP authentication on the ISE PSN.The Connect to these servers field is optional but can be used to ensure endpoints only authenticate to specific RADIUS (ISE PSN) nodes.Leave Enable identity privacy enabled with anonymous as the identity.Click the Settings button next to the drop down.Set the Choose a network authentication drop down to Microsoft EAP-TEAP.Go to the Authentication tab under the properties of the LAN connection ( Control Panel > Network and Sharing Center > Change adapter settings > right-click LAN connection > Properties). I’ll be configuring the wired authentication settings for this example.
That completes the configuration on the ISE node. Authorization policy rules for EAP chaining