Cisco ISE

Started by mmcgurty, December 11, 2015, 09:39:57 AM


mmcgurty

I have to complain about this. I spent two hours on the phone yesterday with Cisco TAC to replace a certificate (it was expiring on 12/12/2015) for our BYOD portal on Cisco ISE v1.3.0.876. This is after I poked around for about an hour or two on my own wondering why it wouldn't work. Cisco TAC ended up deleting all of our old certificates off each server for the wildcard certificate I was trying to replace and deleting all the Thawte certificates off the Trusted Certificates area. We restarted our admin node and one of our PSNs and then imported the new wildcard certificate, then the intermediate Thawte certificate, then the root Thawte certificate to get this working. Apparently this is a mix of known bugs and having duplicate certificates with the same subject. This is supposed to be fixed in v2.0.

deanwebb

This was for the web server, right? I'm hoping that he didn't clear your 802.1X cert.

I'm using a server-specific cert for each web portal instead of a wildcard cert. Costs a bit more, but I prefer the stability of non-wildcard certs.

But to have to blow it away completely, along with the root/intermediate? Ouch, that is no bueno.

Y U NO LIEK MY SERTS?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

mmcgurty

Yeah, just for the web server for BYOD.

deanwebb

Honestly, though, it shouldn't have involved pulling the whole chain. That's not how normal web server certs work.

mmcgurty

Oh, I couldn't agree more, but it seems that Cisco ISE is full of inconsistencies and major bugs from one version to another. I was told that this particular issue was likely a bug that won't be fixed until version 2.0.

deanwebb

That was one reason why I went with ForeScout CounterACT as a NAC solution over Cisco. There's NAC stuff that will *always* be hellacious, regardless of vendor, but CounterACT seemed to be nailed down better, relative to ISE.