CISCO PSN-2 Identity Services Engine
Product Information
Specifications:
- Product Name: Cisco ISE Cluster Distributed Deployment
- Author: Redouane MEDDANE
- Certificate Type: PKI Infrastructure
- Object Type: Certificate Authority
Product Usage Instructions
Self-Signed Certificate Installation:
In a distributed deployment, each node installs a self-signed certificate generated by the system. This certificate has the Object Type Certificate Authority and is unique in that it is self-signed, vouching for its own authenticity.
Services Using Self-Signed Certificates:
- Admin Access
- EAP Authentication
- RADIUS DTLS
- Portals
Certificate Management:
The Primary PAN centrally manages the certificates for the cluster. It can create, delete, and renew the nodes' certificates.
Certificate Hierarchy:
The internal PKI hierarchy includes Root CA certificates and subordinate certificates for different nodes.
Demystifying PKI Infrastructure and Certificate Management With Cisco ISE Cluster Distributed Deployment
In a distributed deployment, each node installs a self-signed certificate generated by the system, with the Object Type "Certificate Authority". This certificate is unique in that it is self-signed, vouching for its own authenticity. It does not require validation from an external or superior entity because it already sits at the top of its own trust hierarchy. By default this self-signed certificate is used by the following services: admin, EAP authentication, RADIUS DTLS and portals.
Below is the list of the self-signed certificates used by each node. Each certificate has a Common Name equal to the FQDN of the node.
- PAN-MNT-P
- PAN-MNT-S
- PSN-1
- PSN-2
When you install a Cisco ISE cluster, an internal PKI hierarchy is built. Certificate management is centralized on the Primary PAN, where you can create, delete and renew the nodes' certificates. First, the primary PAN holds the Root CA certificate, which represents the top of the trust hierarchy, as shown below.
The PAN also has a subordinate certificate called Certificate Services Nodes CA – pan-mnt-p, signed by its Root CA certificate, as shown below.
In addition, the Primary PAN generates a subordinate certificate called Certificate Services Endpoint Sub CA – pan-mnt-p, which is signed by the primary PAN's node certificate “Certificate Services Nodes CA – pan-mnt-p”.
When you register the secondary PAN, two subordinate certificates are generated:
- Certificate Services Nodes CA – pan-mnt-s, signed by the primary PAN Root CA.
- Certificate Services Endpoint Sub CA – pan-mnt-s, signed by the subordinate Certificate Services Nodes CA – pan-mnt-s.
In addition, a server (entity) certificate is generated for the secondary PAN with the Common Name equal to the FQDN pan-mnt-s.collab.com; this server certificate is signed by the subordinate Certificate Services Endpoint Sub CA – pan-mnt-s.collab.com.
When you register a Policy Service Node (PSN), each PSN node is provisioned with a subordinate certificate called Certificate Services Endpoint Sub CA, signed by the primary PAN's node certificate “Certificate Services Nodes CA – pan-mnt-p”. In this example, PSN-1 is provisioned with a subordinate certificate called “Certificate Services Endpoint Sub CA – PSN-1”.
PSN-2 is provisioned with a subordinate certificate called “Certificate Services Endpoint Sub CA – PSN-2”.
By default, each node uses the self-signed certificate for the following services: admin access, EAP authentication, RADIUS DTLS and portals.
We can instead instruct each node to use another system certificate, such as the one used for pxGrid, which is signed by the Certificate Services Endpoint Sub CA of that node.
- Primary PAN pan-mnt-p
- Secondary PAN pan-mnt-s
- Policy Service Node PSN-1
- Policy Service Node PSN-2
The primary PAN now uses a system certificate for admin access that is signed by its own subordinate CA certificate, Certificate Services Endpoint Sub CA – pan-mnt-p.
The secondary PAN now uses a system certificate for admin access that is signed by its own subordinate CA certificate, Certificate Services Endpoint Sub CA – pan-mnt-s.
The Policy Service Node PSN-1 now uses a system certificate for admin access/portals that is signed by its own subordinate CA certificate, Certificate Services Endpoint Sub CA – psn-1.
The Policy Service Node PSN-2 now uses a system certificate for admin access/portals that is signed by its own subordinate CA certificate, Certificate Services Endpoint Sub CA – psn-2.
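As an added lab example (not code from the original page and not Cisco's tooling), the shell script below rebuilds with OpenSSL the four-level hierarchy described above for PSN-1 (Root CA on the primary PAN, Certificate Services Nodes CA – pan-mnt-p, Certificate Services Endpoint Sub CA – psn-1, and the node's server certificate), validates the PSN-1 admin certificate with only the Root CA as trust anchor, and then shows what happens to a client that still trusts only the retired self-signed certificate after the node has been switched to the Sub CA-signed certificate. Subject names mirror the page; the Root CA's exact name, the EC key type, validity periods and file names are assumptions of this lab, not ISE internals.

```shell
#!/bin/sh
# Added lab reproduction of the ISE internal PKI hierarchy (not Cisco's code).
# Names follow the page; keys, serials, validity and file names are constructed.
set -e

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
CFG="$LAB/req.cnf"
# Minimal req config so the script does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$CFG"

# new_key_and_csr NAME CN: EC P-256 key plus CSR for one level of the hierarchy
new_key_and_csr() {
    openssl req -new -config "$CFG" -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$LAB/$1.key" -out "$LAB/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign_cert NAME ISSUER EXTFILE: sign NAME's CSR with ISSUER's key,
# or self-sign with NAME's own key when ISSUER is empty
sign_cert() {
    if [ -z "$2" ]; then
        openssl x509 -req -in "$LAB/$1.csr" -signkey "$LAB/$1.key" \
            -days 365 -extfile "$3" -out "$LAB/$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$2.crt" -CAkey "$LAB/$2.key" \
            -CAcreateserial -days 365 -extfile "$3" -out "$LAB/$1.crt" 2>/dev/null
    fi
}

build_lab_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$LAB/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:psn-1.collab.com\n' > "$LAB/leaf.ext"

    # Level 1: Root CA on the primary PAN (self-signed; name is assumed)
    new_key_and_csr root "Certificate Services Root CA - pan-mnt-p"
    sign_cert root "" "$LAB/ca.ext"
    # Level 2: Nodes CA of the primary PAN, signed by the Root CA
    new_key_and_csr nodes-ca "Certificate Services Nodes CA - pan-mnt-p"
    sign_cert nodes-ca root "$LAB/ca.ext"
    # Level 3: Endpoint Sub CA provisioned to PSN-1, signed by the Nodes CA
    new_key_and_csr psn1-sub "Certificate Services Endpoint Sub CA - psn-1"
    sign_cert psn1-sub nodes-ca "$LAB/ca.ext"
    # Level 4: PSN-1's admin/portal server certificate, signed by its own Sub CA
    new_key_and_csr psn1-admin "psn-1.collab.com"
    sign_cert psn1-admin psn1-sub "$LAB/leaf.ext"
    # The certificate clients trusted before the switch: PSN-1's old
    # self-signed certificate (Object Type Certificate Authority, as on the page)
    new_key_and_csr psn1-self "psn-1.collab.com"
    sign_cert psn1-self "" "$LAB/ca.ext"

    # Intermediates a TLS server would send along with the leaf
    cat "$LAB/psn1-sub.crt" "$LAB/nodes-ca.crt" > "$LAB/chain.pem"
}

# verify_admin_cert: path validation with only the Root CA as trust anchor;
# the two intermediates are supplied untrusted and must chain up to the root
verify_admin_cert() {
    openssl verify -CAfile "$LAB/root.crt" -untrusted "$LAB/chain.pem" "$LAB/psn1-admin.crt"
}

# verify_with_old_trust: a client that still trusts only the retired
# self-signed certificate cannot build a path for the new chain (exits non-zero)
verify_with_old_trust() {
    openssl verify -CAfile "$LAB/psn1-self.crt" -untrusted "$LAB/chain.pem" "$LAB/psn1-admin.crt"
}

build_lab_pki
openssl x509 -in "$LAB/psn1-admin.crt" -noout -subject -issuer
verify_admin_cert
verify_with_old_trust || echo "old self-signed trust anchor rejects the new chain (expected)"
```

The last call is the operational point of the switch described above: once a node serves a certificate signed by its Certificate Services Endpoint Sub CA, browsers, supplicants and API clients validate it only if they trust the primary PAN's Root CA and the node sends the intermediate certificates; anything still pinning the node's old self-signed certificate fails exactly as the final `openssl verify` does.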
Frequently Asked Questions
Q: Can I use a different system certificate for services?
A: Yes, you can instruct each node to use another system certificate, such as the one used for pxGrid, signed by the Certificate Services Endpoint Sub CA of each node.