Cisco ISE 3.4 Two Node Deployment with External CA Certificate

Introduction

This article describes best practice and the step-by-step procedure for building a two-node Cisco ISE deployment in which both nodes run admin certificates issued by an external CA (a Root CA on Windows Server) instead of ISE's default self-signed certificates, and then registering the secondary node to the primary.

Components used

Cisco ISE 3.4 and Windows Server 2016 (DNS and Active Directory Certificate Services with the Web Enrollment pages)

Prerequisites for ISE node deployment:

  • Each node should have a designated persona.
  • Time must be synchronized on all nodes, preferably from the same NTP server; clock skew breaks certificate validation and node registration.
  • Forward (and ideally reverse) DNS records must exist for every ISE node so that each node can resolve the FQDN of every other node.
  • All ISE nodes must run the same version and the same patch level.

Background Information

Before proceeding with the registration and two-node deployment, we must install the Root CA (the Certification Authority role, with Web Enrollment so that the /certsrv pages are available) on the Windows Server and set up the forward lookup zone, plus the reverse lookup zone (optional), for the FQDNs ise-01.hydent.com and ise-02.hydent.com. Any version of Windows Server (2012, 2016, or 2019) can be used, as the steps are the same. In my case I have Windows Server 2016 and my domain name is 'hydent.com'. Below are some snapshots of the DNS configuration.

DNS forward and reverse lookup zone entries (screenshots in the original):

  1. Forward lookup zone entry (A records for ise-01.hydent.com and ise-02.hydent.com)
  2. Reverse lookup zone entry (matching PTR records)
  3. Verifying with nslookup
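The DNS prerequisite above can be created and checked from the DNS server itself rather than by hand. The following is an added example, not part of the original article, using the DnsServer module that ships with the Windows Server DNS role; the 10.10.10.12 address for ise-02 is an assumption, since the article only states the address of ise-01.

```powershell
# Added example (not from the original article): create and verify the A/PTR records
# for both ISE nodes. Requires the DnsServer module (Windows Server DNS role, 2012 or later).
$zone        = 'hydent.com'
$reverseZone = '10.10.10.in-addr.arpa'
$nodes = @{
    'ise-01' = '10.10.10.11'
    'ise-02' = '10.10.10.12'   # assumed address; the article does not give ise-02's IP
}

# Create the reverse zone once if it is missing (reverse lookups are optional for ISE,
# but a PTR that disagrees with the A record is a common source of confusing errors).
if (-not (Get-DnsServerZone -Name $reverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '10.10.10.0/24' -ReplicationScope 'Domain'
}

foreach ($name in $nodes.Keys) {
    $ip   = $nodes[$name]
    $fqdn = "$name.$zone"

    # A record plus its PTR in one call; skip if the A record already exists.
    if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $ip -CreatePtr
    }

    # Check that forward and reverse resolution agree with what we intend to put in the
    # certificate SAN; the ISE nodes validate each other by FQDN during registration.
    $fwd = (Resolve-DnsName -Name $fqdn -Type A   -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress
    $rev = (Resolve-DnsName -Name $ip   -Type PTR -ErrorAction Stop).NameHost.TrimEnd('.')
    if ($fwd -ne $ip -or $rev -ne $fqdn) {
        Write-Error "DNS mismatch for $fqdn : A=$fwd PTR=$rev (expected $ip / $fqdn)"
    } else {
        Write-Host "OK  $fqdn -> $ip -> $rev"
    }
}
```

Run it once from an elevated PowerShell on the DNS server before touching ISE; every node should print an OK line, and any mismatch should be fixed in DNS before generating the CSRs.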

To download the Root CA certificate, import it, and register the ISE nodes with the externally signed certificate, follow the steps below:

Download the Root CA certificate

  1. Open a browser and go to http://10.10.10.10/certsrv (your CA server's IP or FQDN followed by /certsrv, which is the AD CS Web Enrollment page), then click "Download a CA certificate, certificate chain, or CRL".

  2. Select "Base 64" as the encoding and click "Download CA certificate". Save the file; this is the root certificate that every ISE node must trust.

Primary ISE Node "ise-01.hydent.com"

  1. Go to ISE-01 (10.10.10.11 or ise-01.hydent.com), my first ISE node, and click 'Administration', then 'Deployment'.

  2. Under Deployment, click ISE-01 and edit the general settings of the node.

  3. Click "Make Primary" and save.

  4. Go to Certificates, click Trusted Certificates, and then click Import.

  5. Import the certificate file downloaded from the Root CA server, tick the trust usages you need (at minimum "Trust for authentication within ISE"; also "Trust for client authentication and Syslog" if this CA will issue endpoint certificates for EAP-TLS), and click Submit.

  6. In the screenshot (original article), the Root CA has been imported successfully with an expiration date in 2034.

  7. Go to Certificate Signing Requests to generate the CSR.

  8. Fill in the parameters (node, usage, Common Name, Subject Alternative Name, key length and digest) and tick "Allow Wildcard Certificates" if you want a single certificate to cover multiple nodes and services, then click 'Generate'. Whether or not you use a wildcard, put every FQDN the certificate must answer for in the SAN; clients validate the SAN, not only the CN.

  9. After clicking 'Generate', a window appears. Click 'Export' and the CSR is downloaded.

  10. Now go back to the CA web enrollment page in the browser and click "Request a certificate" to have the CSR signed.

  11. Click "advanced certificate request".

  12. Open the exported CSR in a text editor, copy its contents, paste them into the 'Saved Request' field, choose a server certificate template if the page offers one (on AD CS the Web Server template carries the Server Authentication usage), and click 'Submit'. Download the issued certificate in Base 64 format.

  13. Back in ISE, select the CSR and click Bind Certificate.

  14. Browse to the signed certificate, give it a friendly name, tick the usages the certificate should serve (Admin, EAP Authentication, Portal and so on), and click 'Submit'. Binding with the Admin usage restarts the ISE application server, so expect the GUI to be unavailable for a few minutes.

  15. Here (screenshot in the original), the ISE-01 node has come back up with the new certificate.
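The CA-side part of the procedure above (downloading the root certificate, submitting the CSR and retrieving the signed certificate) can be done from PowerShell on the CA server, which also lets you check the result before binding it in ISE. This is an added example and not code from the original article; the CA config string and template name are placeholders for this lab, and the file names assume the CSR exported from ISE in step 9 was saved as ise-01.csr.

```powershell
# Added example (not from the original article): AD CS side of the ISE certificate flow.
# Run on the Windows Server hosting the CA. Values below are assumptions for the lab.
$caConfig = 'ca01.hydent.com\hydent-CA01-CA'   # assumed; find yours with: certutil -dump
$template = 'WebServer'                          # assumed template with the Server Authentication EKU
$csr      = '.\ise-01.csr'                       # CSR exported from ISE (step 9)
$cert     = '.\ise-01.cer'
$root     = '.\hydent-root.cer'

# 1. Export the root CA certificate and convert it to Base64 (PEM), the form ISE imports
#    under Trusted Certificates (same result as the /certsrv download in Base 64).
certutil -ca.cert $root | Out-Null
certutil -encode $root '.\hydent-root-b64.cer' | Out-Null

# 2. Submit the ISE CSR against the chosen template and retrieve the issued certificate.
#    On a CA set to manual approval this returns a request ID instead; approve it and
#    fetch the certificate with: certreq -retrieve -config $caConfig <id> $cert
certreq -submit -config $caConfig -attrib "CertificateTemplate:$template" $csr $cert

# 3. Verify the chain and that revocation checking works before handing the file to ISE.
certutil -verify -urlfetch $cert

# 4. Confirm the SAN and EKU. A certificate whose SAN lacks the node FQDN (or the wildcard)
#    passes the bind in ISE but fails hostname validation in browsers and supplicants.
$dump = certutil -dump $cert
$san  = $dump | Select-String -Pattern 'DNS Name='
$eku  = $dump | Select-String -Pattern 'Server Authentication'
if (-not $san) { Write-Warning 'No DNS SAN entries; re-issue with the node FQDNs or *.hydent.com in the SAN' }
if (-not $eku) { Write-Warning 'No Server Authentication EKU; the wrong template was used' }
$san | ForEach-Object { $_.Line.Trim() }
```

Copy ise-01.cer to the workstation you use for the ISE GUI and bind it in step 13; the same script, pointed at ise-02.csr, produces the certificate for the secondary node if you issue one per node instead of a wildcard.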

Secondary ISE Node "ise-02.hydent.com"

  1. Go to the secondary node, click 'Administration', then 'Trusted Certificates', and import the same Root CA certificate. Both nodes must trust the issuing CA before registration, otherwise the nodes cannot validate each other's admin certificates.

  2. Navigate to ISE-01, click 'Administration', then 'Deployment', and click 'Register'.

  3. Enter the FQDN of ISE-02 along with the admin user ID and password for ISE-02, then click Next.

  4. After clicking Next, a pop-up shows the admin certificate presented by ISE-02. Check that its issuer and subject are what you expect (the hydent.com Root CA and ise-02.hydent.com or the wildcard) before clicking "Import Certificate and Proceed"; this is the point at which the primary decides to trust the secondary.

  5. Here we can see that the role of ise-02.hydent.com is Secondary.

  6. Select the personas and services for the node, then click 'Submit'.

  7. The secondary node now shows as syncing. The synchronization may take a few minutes to complete.

  8. Registration and synchronization have completed; the Deployment page on ISE-01 and on ISE-02 now lists both nodes (screenshots in the original).

Satish Karate

2xCCIE #55298 EI | Security

2 months

Good read !!!

Valerio Lollini

CCNA | CCNP | ITILv4 | PaloAlto PCNSA | Cisco Ethical hacker | Youtube IT content creator

2 months

Hi, how did you get the license for ISE ?

Reply
Behaylu A.

IT Manager | Enterprise Infrastructure & Security Architect | Technical & Strategy Consultant || Fortinet FCP | CCNP SD-WAN | Aruba ACSP SD-WAN | CCNP Enterprise | CCS ENCOR | CCS ENARSI | CNSP ||

2 months

Anurag, a nice document. Regarding the deployment, do you think a two-ISE-node deployment with a CA only is enough without a policy/monitoring node (3rd node) in production? Because I experienced a failover problem in production with only a two-node setup: when one of the nodes goes down, you need to promote the secondary node to the primary role (manually), as there is no possibility of PAN auto-failover in less than a minute (since there is no 3rd node). So what are your thoughts on this point?

Praveen K.

Senior Consultant -Presales at Presto | CCNP |Solution Design| Cisco SDWAN | ISE| Versa SDWAN | Data center | Campus Network Design | Project Management|CRD/HLD/LLD |

2 months

Nice document Anurag

Imran Khan

Associate Consultant Network SDx | Team management | CCNP Certified | Wireless | Routing, Switching | Design & Implementing Scalable Network Solutions | 10 Years of Experience |

2 months

Good
