Replacing ISE certificates and what to expect for 802.1x auth clients

MauryJ
Level 1

Hello All,

We implemented ISE almost a year ago, and our two ISE servers have certs from a 3rd party (GoDaddy) that are expiring soon. Under Administration/System/System Certificates, under Used By for the certificates it shows:

Admin, EAP Authentication, RADIUS, DTLS, pxGrid, Portal, ISE Messaging Service

We're using ISE for switch port authentication and have 802.1x configured in the Windows clients' network settings. When we replace these certificates, will our clients get any kind of warning or prompt that we need to be aware of?

Thanks

Accepted Solution

@MauryJ, as the admin certificate is being replaced, this will force the ISE services to restart (10-15 mins approx) on each node. You should make sure you do this in a change window, ideally out of hours to minimise disruption. In regard to the client devices, as long as they trust the root certificate that signed the EAP certificate, they should not notice anything. If you are using a different public CA to sign this certificate you may need to check the client devices.

You should ensure the NADs (switches) are configured to use both ISE PSN nodes, so whilst one node's services are restarting any new authentications would go to the other ISE PSN node.


3 Replies

Good to know, thank you very much Rob!

soofigadgets
Level 1

When you replace the certificates on your ISE (Identity Services Engine) servers, the Windows clients using 802.1x for switch port authentication may experience certificate-related issues. Here are some considerations:

  1. Certificate Renewal:
     • If you are renewing the certificates with the same CA (Certificate Authority) and there's a smooth transition, clients may not experience any disruptions. Renewal involves obtaining a new certificate while keeping the same identity.
  2. Certificate Replacement with Different CA:
     • If you're replacing the certificates with those from a different CA, Windows clients might encounter a certificate validation issue. This could result in warnings or prompts, especially if the new CA is not already trusted on the client machines.
  3. Client Behavior:
     • In most cases, Windows clients are configured to validate the server's certificate during the 802.1x authentication process. If the new certificate is not trusted or doesn't match the expected server identity, clients may receive warnings or prompts.
  4. Certificate Chain:
     • Ensure that the new certificates include the full certificate chain up to the root CA. If any intermediate or root certificates are missing, it can lead to validation issues.
  5. Advance Notification:
     • Consider informing your users or IT support team in advance about the certificate replacement to minimize potential disruptions. This includes communicating the timeframe and potential warnings users might encounter.
  6. Monitoring Certificate Expiry:
     • In the future, monitor the certificate expiration dates regularly to avoid last-minute replacements and to ensure a smooth transition.
  7. Testing:
     • Before the actual certificate replacement, consider setting up a test environment to simulate the changes. This allows you to identify and address any potential issues before implementing the changes in the production environment.
  8. Logging and Troubleshooting:
     • Enable logging on the ISE servers to monitor any authentication failures or certificate-related issues. This information can be crucial for troubleshooting in case users report problems.

Remember that the exact user experience may vary based on the Windows version, network configuration, and how certificate validation is implemented in your specific environment. Always follow best practices for certificate management to ensure a secure and seamless transition.
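The practical pre-change check behind both the accepted answer (clients must trust the root that signed the EAP certificate) and the chain-completeness point in the list above is to take the new EAP server certificate, before it goes live on ISE, and ask a representative Windows 802.1X client whether it can build a trust path for it. The PowerShell below is an added example, not code from this thread or from Cisco. It assumes the new certificate (ideally with its intermediates) has been exported from ISE to C:\Temp\ise-eap-new.cer (placeholder path) and is run on a domain-joined client; it uses the .NET X509Chain engine against the LocalMachine Trusted Root store, which is the store the wired 802.1X profile's server validation draws on.

```powershell
# Added example (not from the thread). Path is an assumption: export the new ISE EAP
# certificate (DER or Base64) and copy it to a test client before the change window.
$NewEapCertPath = 'C:\Temp\ise-eap-new.cer'

function Test-IseEapCertTrust {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()

    # Trust-path check only; revocation is evaluated by the supplicant at authentication time
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $built    = $chain.Build($cert)          # $false if no path to a trusted root exists
    $elements = $chain.ChainElements
    $top      = $elements[$elements.Count - 1].Certificate   # root if the chain is complete

    # Is that root actually present in the machine Trusted Root store this client uses?
    $rootInStore = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"

    [pscustomobject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        DaysRemaining  = [int]($cert.NotAfter - (Get-Date)).TotalDays
        ChainBuilt     = $built
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        ChainLength    = $elements.Count     # 1 means no intermediate/root could be found
        TopSubject     = $top.Subject
        TopThumbprint  = $top.Thumbprint
        RootInLMStore  = $rootInStore
    }
}

$result = Test-IseEapCertTrust -CertPath $NewEapCertPath
$result | Format-List

if (-not $result.ChainBuilt -or -not $result.RootInLMStore) {
    Write-Warning ('New EAP certificate does not chain to a root this client trusts ' +
                   '(status: {0}). Deploy the new root (e.g. via GPO) and tick it in the ' +
                   'wired 802.1X profile before cutting over.' -f $result.ChainStatus)
}
```

A ChainStatus of UntrustedRoot with a ChainLength greater than 1 means the chain is complete but the new CA's root is not yet distributed to clients; a PartialChain status with ChainLength 1 means the intermediate is missing from what ISE will send, which is the case the list's "Certificate Chain" point warns about. Also check the wired 802.1X profile itself: if it has specific roots ticked under "Trusted Root Certification Authorities" (for example only the old GoDaddy root), the new root must be ticked there as well, or the supplicant will reject the server even though the machine store trusts it.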