Introduction

Certificates are crucial to Identity Services Engine (ISE) because they underpin secure communication and authentication across the network. Certificates establish trust between devices, users, and ISE: connections are encrypted and identities are verified before anything else happens. This matters most for 802.1X authentication, where certificates authenticate devices and users before network access is granted. Certificates also protect the traffic between ISE and other network components, such as switches and wireless access points, so that the data exchanged cannot be read or tampered with. Some of the places ISE uses certificates include: wired and wireless 802.1X authentication (EAP-TLS, TEAP, etc.), pxGrid authentication, trust between ISE nodes within a deployment, the Admin GUI, and the portals.

Adding Certificates to ISE

Access your Active Directory Certificate Services Web Enrollment page (https://AD-IP-address/certsrv) to download your Active Directory Root CA certificate. ISE validates the chain when you bind a certificate, so this CA certificate (and any intermediate CA certificates, if the issuing CA is subordinate) must be in ISE's Trusted Certificates store before any other certificate from Active Directory Certificate Services can be added.

From the Active Directory Certificate Services Web Enrollment page, click on the Download a CA certificate, certificate chain, or CRL link.

Select the Base 64 radio button and click the Download CA certificate link.

In ISE, navigate to Administration>System>Certificates>Certificate Management>Trusted Certificates and click Import.

Upload the CA certificate that you just downloaded. I like to give it a friendly name that makes sense and a description that explains what the certificate is – adding this kind of detail is always good for the other ISE administrators who might take over managing the ISE deployment later on. The trust options are the following:

  • Trust for authentication within ISE – Allows you to add new ISE nodes to the deployment if their Admin certificate was issued by this CA.
  • Trust for client authentication and Syslog – Check this box if the endpoints authenticating to the network use certificates issued by this CA, and/or if your Secure Syslog server's certificate was issued by it.
  • Trust for certificate based admin authentication – Check this box to allow certificate-based authentication for admin access to ISE.
  • Trust for authentication of Cisco Services – Check this only if you want this certificate trusted for external Cisco services such as the feed service; a private CA will not normally need it.

Click Submit.
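As an added example (not code from the original post), the same CA certificate chain can be pulled with certutil instead of the /certsrv page and checked before it goes into the Trusted Certificates store. The CA config string `ca01.corp.example\Corp-Issuing-CA` is an assumption; on a domain-joined machine `certutil -dump` lists yours on the Config: line.

```powershell
# Added example, not from the original post: retrieve the CA chain with certutil and
# sanity-check every certificate in it before importing into ISE's trusted store.
# Assumption: $CaConfig is your "CA host\CA name" (see `certutil -dump`, Config: line).
param([string]$CaConfig = 'ca01.corp.example\Corp-Issuing-CA')
$ErrorActionPreference = 'Stop'

# -ca.chain writes a PKCS#7 bundle holding the CA's own certificate plus any parent CAs.
# ISE needs the whole chain (root and intermediates) in its trusted store, not only the issuer.
$bundle = Join-Path $PWD 'ca-chain.p7b'
$out = certutil -config $CaConfig -ca.chain $bundle
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $bundle)) {
    throw "certutil could not retrieve the chain from ${CaConfig}: $($out -join ' ')"
}

$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($bundle)   # X509Certificate2Collection.Import understands .p7b files

foreach ($c in $certs) {
    # Only certificates with the CA basic constraint belong in a trust store.
    $bc = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not ($bc -and $bc.CertificateAuthority)) {
        Write-Warning "$($c.Subject) has no CA basic constraint; do not import it as a trusted certificate"
        continue
    }
    $role = if ($c.Subject -eq $c.Issuer) { 'root' } else { 'intermediate' }
    if ($c.NotAfter -lt (Get-Date)) { Write-Warning "$($c.Subject) expired on $($c.NotAfter)" }

    # Write Base-64 PEM, the format the ISE Trusted Certificates > Import dialog accepts.
    $pem = "-----BEGIN CERTIFICATE-----`n" +
           [Convert]::ToBase64String($c.RawData, 'InsertLineBreaks') +
           "`n-----END CERTIFICATE-----"
    $file = '{0}-{1}.pem' -f $role, $c.Thumbprint.Substring(0, 8)
    Set-Content -Path $file -Value $pem -Encoding Ascii

    '{0,-12} {1}' -f $role.ToUpper(), $c.Subject
    '             thumbprint {0}  valid to {1:yyyy-MM-dd}  -> {2}' -f $c.Thumbprint, $c.NotAfter, $file
}
```

Import the root first, then any intermediates, and compare the printed thumbprints with what ISE shows under Trusted Certificates after the import; a thumbprint mismatch means you imported the wrong file.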

Now that we’ve added the CA certificate to the Trusted Certificates store, we can generate a Certificate Signing Request (CSR), have the CA sign it, and bind the resulting certificate to ISE.

Navigate to Administration>System>Certificates>Certificate Management>Certificate Signing Requests and click on the Generate Certificate Signing Requests (CSR) button.

The Usage dropdown sets what this certificate will be used for. Choose Multi-Use, which lets you pick the roles (Admin, EAP Authentication, and so on) when you bind the certificate later.

Check the box next to your ISE node.

Fill out the subject information based on what makes sense to you or your organization.

In the Subject Alternative Name (SAN) fields, put the DNS name (FQDN) and IP address of the ISE node on which this certificate will be installed. The DNS SAN must match the name that clients, switches and peers actually use to reach the node; the IP SAN only helps if something connects to ISE by IP address.

Click on Generate and then click Export when the pop-up comes up.

This will download the CSR request you just created.

Open the CSR you downloaded in Notepad and reopen your Microsoft Active Directory Certificate Services Web Enrollment page.

Click on the Request a certificate link.

On the next page, click on the advanced certificate request link.

At this point, you will be on the Certificate Request page, where you will use your CSR to generate a certificate.

Copy and paste the body of the CSR from your Notepad into the Base-64-encoded certificate request field.

From the Certificate Template drop-down, choose the Web Server template. It issues a certificate with the Server Authentication extended key usage, which is what ISE needs for the Admin GUI and for EAP.

Click Submit.

Select the Base 64 encoded option.

Click the Download certificate link.

This will download the certificate signed by the CA that was generated from the CSR.

Back in ISE, navigate to Administration>System>Certificates>Certificate Management>Certificate Signing Requests.

Check the box next to the CSR you previously created.

Click on the Bind Certificate link.

Choose the certificate file you just downloaded and give it a friendly name.

Check the boxes below to select the roles ISE will use this certificate for (Admin, EAP Authentication, and so on).

Note: You can check Portal as well, but that role covers the Guest/Sponsor/Hotspot/etc. portals, so I would recommend using a publicly-signed certificate for it instead. If a user or guest coming into your network hits a Guest Portal that presents a certificate from your internal CA, their browser will show certificate errors or may block the page outright, because it does not trust that CA. To avoid all that, use a publicly-signed certificate for Portal use to ensure a better user experience.

Click Submit.

Adding a pxGrid Certificate

In ISE, navigate to Administration>System>Certificates>Certificate Management>Certificate Signing Requests and create another CSR.

This time, set the Certificate(s) will be used for field to pxGrid.

After it is generated, export and download it.

Open the CSR in Notepad.

Open the Active Directory Certificate Service Web Enrollment page in your browser.

Request a certificate and go to advanced certificate request again.

Copy the CSR into the Base-64-encoded certificate request field.

Select the ISE-Pxgrid certificate template that you created previously. The Web Server template is not suitable here: a pxGrid certificate must carry both the Server Authentication and the Client Authentication extended key usages, because the node acts as both server and client on pxGrid.

Click Submit.

Select the Base 64 encoded option.

Click the Download certificate link.

This will download the certificate signed by the CA that was generated from the CSR.

In ISE, navigate to Administration>System>Certificates>Certificate Management>Certificate Signing Requests page and bind this newly downloaded certificate to ISE.

Click Submit when done.
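Both of the issuance procedures above (the Multi-Use certificate from the Web Server template and the pxGrid certificate from your pxGrid template) can be driven from the command line, and the result can be checked before it is bound in ISE. The following script is an added example, not code from the original post or from Cisco: it submits an exported CSR with certreq, then verifies the issued certificate's SAN, extended key usages and chain. The CA config string, the file names, the node FQDN `ise01.corp.example` and the default template name are assumptions; pass your own values as parameters (for the pxGrid run, the template's internal name, which has no spaces).

```powershell
# Added example, not from the original post: issue an ISE certificate from a CSR with
# certreq (the CLI equivalent of "advanced certificate request") and validate it before
# binding. All defaults below are assumptions; override them with parameters.
param(
    [string]$CaConfig = 'ca01.corp.example\Corp-Issuing-CA',  # "CA host\CA name", see certutil -dump
    [string]$CsrPath  = '.\ise01.csr',                         # CSR exported from ISE
    [string]$CertPath = '.\ise01.cer',                         # where the issued cert is written
    [string]$IseFqdn  = 'ise01.corp.example',                  # must appear as a DNS SAN
    [ValidateSet('MultiUse', 'pxGrid')] [string]$Purpose = 'MultiUse',
    [string]$Template = 'WebServer'   # internal template name; use your pxGrid template with -Purpose pxGrid
)
$ErrorActionPreference = 'Stop'
$ServerAuth = '1.3.6.1.5.5.7.3.1'
$ClientAuth = '1.3.6.1.5.5.7.3.2'

# 1. Submit the CSR against the chosen template.
$out = certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $CertPath
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $CertPath)) {
    # A template that requires CA manager approval leaves the request pending and writes
    # no certificate; approve it on the CA, then run: certreq -retrieve <RequestId> $CertPath
    throw "No certificate was issued. certreq said: $($out -join ' ')"
}

# 2. Load the issued certificate and pull out the extensions ISE cares about.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CertPath).Path)
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }   # "DNS Name=..." / "IP Address=..." lines
$ekuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus    = @(); if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

# 3. Build the chain on this machine. If it fails here, ISE will fail the bind for the same
#    reason unless the full CA chain is in its Trusted Certificates store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

$problems = @()
if ($sanText -notmatch [regex]::Escape("DNS Name=$IseFqdn")) { $problems += "SAN lacks DNS name $IseFqdn (got: $($sanText.Trim()))" }
if ($ekus -notcontains $ServerAuth)                          { $problems += 'EKU lacks Server Authentication' }
if ($Purpose -eq 'pxGrid' -and $ekus -notcontains $ClientAuth) { $problems += 'pxGrid certificate must also carry Client Authentication EKU' }
if (-not $chainOk) {
    $problems += 'Chain did not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30))              { $problems += "Certificate expires soon: $($cert.NotAfter)" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Do not bind this certificate in ISE until the problems above are fixed'
}
"OK: $($cert.Subject) issued by $($cert.Issuer)"
"    thumbprint $($cert.Thumbprint), valid to $($cert.NotAfter)"
"    SANs: $($sanText.Trim() -replace '\s+', ' ')"
"    EKUs: $($ekus -join ', ')"
```

Run it once with the defaults for the Multi-Use certificate and once with `-Purpose pxGrid -Template <your pxGrid template> -CsrPath .\ise01-pxgrid.csr -CertPath .\ise01-pxgrid.cer`. A certificate that passes here still has to be bound to the matching CSR in ISE, since ISE holds the private key.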

Congratulations! You have now installed an EAP (Multi-Use) certificate and a pxGrid certificate on your ISE deployment.