Cisco Identity Services Engine

Introduction

This document describes best practices and proactive procedures to renew certificates on the Cisco Identity Services Engine (ISE). It also reviews how to set up alarms and notifications so administrators are warned of upcoming events such as certificate expiration.

This document is not intended to be a troubleshooting guide for certificates.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• X509 certificates
• Configuration of a Cisco ISE with certificates

Components Used

The information in this document is based on these software and hardware versions:

• Cisco ISE Release 1.2.0.899
• Appliance or VMware

Background Information

As an ISE administrator, you will eventually encounter the fact that ISE certificates expire. If your ISE server has an expired certificate, serious problems might arise unless you replace the expired certificate with a new, valid certificate.

Note: If the certificate used for the Extensible Authentication Protocol (EAP) expires, all authentications might fail because clients do not trust the ISE certificate anymore. If the HTTPS protocol certificate expires, the risk is even greater: an administrator might not be able to log in to the ISE anymore, and the distributed deployment might cease to function and replicate.

In this example, the ISE has an installed certificate from a certificate authority (CA) server that will expire in one month. The ISE administrator should install a new, valid certificate on the ISE before the old certificate expires. This proactive approach will prevent or minimize downtime and avoid an impact on your end users. Once the time period of the newly installed certificate begins, you can enable the EAP and/or HTTPS protocol on the new certificate.

You can configure the ISE so that it generates alarms and notifies the administrator to install new certificates before the old certificates expire.

Note: This document uses HTTPS with a self-signed certificate in order to demonstrate the impact of certificate renewal, but this approach is not recommended for a live system. It is better to use a CA certificate for both the EAP and HTTPS protocols.

Configure

View ISE Self-Signed Certificates

When the ISE is installed, it generates a self-signed certificate. The self-signed certificate is used for administration access and for communication within the distributed deployment (HTTPS) as well as for user authentication (EAP). In a live system, use a CA certificate, rather than a self-signed certificate.

See the Certificate Management in Cisco ISE section of the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2, for additional information.

The format for an ISE certificate must be Privacy Enhanced Mail (PEM) or Distinguished Encoding Rules (DER).

To view the initial self-signed certificate, go to the ISE console, navigate to Administration > System> Certificates > Local Certificates:

If you install a server certificate on the ISE via a Certificate Signing Request (CSR) and change the certificate for the HTTPS or EAP protocol, the self-signed server certificate is still present but is no longer used.

Caution: For HTTPS protocol changes, a restart of ISE services is required, which will create a few minutes of downtime. EAP protocol changes do not trigger a restart of ISE services and, thus, do not cause downtime.

Determine When to Change the Certificate

Assume that the installed certificate will expire soon.

Is it better to let the certificate expire before you renew it or to change the certificate before expiration? You should change the certificate before expiration so you have time to plan the certificate swap and to manage any downtime caused by the swap.

When should you change the certificate? Get a new certificate with a start date that precedes the expiration date of the old certificate. The time period between those two dates is the change window.

Caution: If you enable HTTPS, it will cause a service restart on the ISE server, and you will experience a few minutes of downtime.

This image depicts the information for a certificate issued by a CA that expires on 29 Nov 2013:

Generate Certificate Signing Request

This procedure describes how to renew the certificate through a CSR:

1. In the ISE console, navigate to Add > Generate Certificate Signing Request.
   
   
2. The minimum information to enter in the Certificate Subject text field is CN=ISEfqdn, where ISEfqdn is the fully qualified domain name (FQDN) of the ISE. Add additional fields like O (Organization), OU (Organizational Unit), or C (Country) in the Certificate Subject with the use of commas:
   
   
   
   
3. One of the Subject Alternative Name (SAN) text field lines must repeat the ISE FQDN. You can add a second SAN field if you want to use alternative names or a wildcard certificate.
   
   
4. A popup indicates if the CSR fields are correctly completed:
   
   
   
   
5. In order to export the CSR, click Certificate Signing Requests in the left panel, select your CSR, and click Export:
   
   
   
   
6. The CSR is saved on your computer. Submit it to your CA for signature.

Install Certificate

Once you receive the final certificate from your CA, you must add the certificate to the ISE:

1. In the ISE console, click Local Certificates in the left panel, then click Add and Import Local Server Certificate:
   
   
   
   
2. Enter a simple, clear description of the certificate in the Friendly Name text field:
   
   

   Note: Do not enable the EAP or HTTPS protocol yet.

   
   
   
   
3. Because you are installing the new certificate before the old one expires, you see an error that reports a date range in the future (23 Nov 2013 in this example).
   
   
   
   
4. Click Yes in order to continue. The certificate is now installed but not in use, as highlighted in green. The overlap between the expiration date and valid date is highlighted in yellow:
   
   
   
   

Note: If your ISE server is in a distributed deployment, you must import the secondary server certificates in the trusted store of the primary ISE server. Otherwise, the deployment might break.

Configure Alerting System

The Cisco ISE notifies you when the expiration date of a local certificate is within 90 days. Such advance notification will help you avoid expired certificates, plan the certificate change, and prevent or minimize downtime.

The notification appears in several ways:

• Color expiration status icons appear in the Local Certificates page.
• Expiration messages appear in the Cisco ISE System Diagnostic report.
• Expiration alarms are generated at 90 days and 60 days, then daily in the final 30 days before expiration.

Configure the ISE for email notification of expiration alarms. In the ISE console, click Administration > System > Settings > SMTP Server, identify the Simple Mail Transfer Protocol (SMTP) server, and define the other server settings so email notifications are sent for the alarms:

There are two ways to set up notifications:

• Use Admin Access in order to notify administrators:
  
  
1. Navigate to Administration > System > Admin Access > Administrators > Admin Users.
   
   
2. Check the Include system alarms in emails checkbox for the Admin Users that need to receive alarm notifications. The email address for the sender of the alarm notifications is hardcoded as ise@hostname.
   
   
   
   
• Configure the ISE alarm settings in order to notify users:
  
  
1. Navigate to Administration > System > Settings > Alarm Settings > Alarm Configuration:
   
   
   
   

   Note: Disable the Status for a category if you wish to prevent alarms from that category.

2. Click Alarm Notification, enter the email addresses of users to be notified, and save the configuration change. Changes may take up to 15 minutes to be reflected.
   
   
   

Verify

Use this section in order to confirm that your configuration works properly.

Verify Alerting System

Verify that the alerting system works correctly. In this example, a configuration change generates an alert with a severity level of Information. (An Information alarm is the lowest severity, while certificate expiration generates a higher severity level of Warning.)

This is an example of the email alarm sent by the ISE:

Note: In this example, the ISE sends the email alarm message twice to iseadmin@wlaaan.ch, as highlighted in yellow. This email address was set up to receive notifications by both methods explained in Configure Alerting System.

Verify Certificate Change

This procedure describes how to verify that the certificate is installed correctly and how to change the protocols for EAP and/or HTTPS:

1. On the ISE console, navigate to Administration > Certificates > Local Certificates, and select the new certificate in order to see its details.
   
   

   Caution: If you enable the HTTPS protocol, the ISE service restarts, which will cause server downtime.

   
   
   
   In this example, assume that HTTPS restarts the ISE service.
   
   
2. In order to verify certificate status on the ISE server, go to the CLI, and enter this command:
   
   

   CLI:> show application status ise

3. Once all services are running, try to log in as an administrator.
   
   
4. For a distributed deployment scenario, navigate to Administration > System > Deployment > Node Status on the ISE console, and verify the node status.
   
   
5. Check that the end user authentication is successful. On the ISE console, navigate to Operations > Authentications, and review the certificate for Protected Extensible Authentication Protocol (PEAP)/EAP-Transport Layer Security (TLS) authentication.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Conclusion

Because you can install a new certificate on the ISE before it is active, Cisco recommends that you install the new certificate before the old certificate expires. This overlap period between the old certificate expiration date and the new certificate start date gives you time to renew certificates and plan their installation with little or no downtime. Once the new certificate enters its valid date range, enable the EAP and/or HTTPS protocol. Remember, if you enable HTTPS, there will be a service restart.