Provision both ISE nodes with the CA root certificate and their own individual server certificates (generated by certificate signing requests).
Relevant documentation:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html
CA Certificate
- First, download the Root CA Certificate from your Certificate Authority
- http://<ca>/certsrv/
- Click “Download a CA certificate, certificate chain, or CRL”
- Encoding method should be “DER”
- Click “Download CA Certificate”
Save it to a location on your file system.
- On ISE go to Administration > System > Certificates > Certificate Store. Click “Import”
- Click Browse and locate the root CA Certificate.
- Tick “Trust for Client Authentication”. If you don’t, you may see failures with “12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain” when using EAP-TLS.
- Click “Submit”.
The CA Certificate will appear alongside the original self-signed certificate generated by ISE.
If you have 2 or 3 ISE nodes then you must repeat these steps for the Root CA on each of them.
ISE Local Server Certificates
- On each node go to Administration > System > Certificates > Local Certificates
- Click Add > Generate Certificate Signing Request
- Fill in the CN with the ISE node’s FQDN and any other relevant fields. Click “Submit”.
- Go to Administration > System > Certificates > Certificate Signing Requests.
- Tick the request and click “Export”.
- Save the request onto your computer and open it in Notepad.
- On your Microsoft CA Server (http://<ca>/certsrv/) go to Request Certificate > Advanced certificate request.
- Paste the contents of the CSR into the request field and select “Web Server” as the template.
- Click Submit
- Download the DER-encoded certificate: click “Download Certificate”.
- On ISE go to Administration > System > Certificates > Local Certificates
- Click “Add” > “Bind CA Certificate”
- Select the certificate from your computer. Tick “EAP” and “Management Interface” and click “Submit”.
- ISE will need to reload to complete the certificate installation.
- Perform this task on all nodes in the deployment before joining them together.
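Before clicking “Bind CA Certificate” it is worth checking, on the admin workstation, that the certificate the CA returned really chains to the root you imported into the Certificate Store, carries the node FQDN you typed into the CSR, and has the serverAuth EKU the Web Server template should add; a mismatch here is what later surfaces as a handshake failure. The script below is an added example, not from the original post or from Cisco: it needs openssl, its root CA and server certificate are constructed stand-ins for the two DER files downloaded from certsrv, and the node name ise-node1.example.local is assumed.

```shell
#!/bin/sh
# Pre-flight check before "Bind CA Certificate": does the DER server cert the
# Windows CA issued chain to the DER root imported into ISE, does its CN match the
# node FQDN typed into the CSR, does it carry the Web Server (serverAuth) EKU, and
# has it not already expired? Requires openssl on the admin workstation.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CONSTRUCTED stand-in for the Microsoft CA: a root and a server cert it issues,
# both written DER-encoded, the same form certsrv hands out. Not from the page.
make_demo_certs() {
  q="-nodes -newkey rsa:2048"
  openssl req -new $q -keyout "$WORK/ca.key" -out "$WORK/ca.csr" -subj "/CN=Demo Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$WORK/ca.cnf"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -extfile "$WORK/ca.cnf" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new $q -keyout "$WORK/node.key" -out "$WORK/node.csr" \
    -subj "/CN=ise-node1.example.local" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:ise-node1.example.local\n' >"$WORK/srv.cnf"
  openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/root.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 730 -extfile "$WORK/srv.cnf" -out "$WORK/node.pem" 2>/dev/null
  openssl x509 -in "$WORK/root.pem" -outform DER -out "$WORK/root.der"
  openssl x509 -in "$WORK/node.pem" -outform DER -out "$WORK/ise-node1.der"
}

# check_ise_cert <root.der> <server.der> <expected FQDN>: returns 0 only if all pass
check_ise_cert() {
  root=$WORK/chk-root.pem; srv=$WORK/chk-srv.pem; rc=0
  openssl x509 -inform DER -in "$1" -out "$root"
  openssl x509 -inform DER -in "$2" -out "$srv"
  # 1. Chain: the server cert must validate against the root ISE trusts
  if openssl verify -CAfile "$root" "$srv" >/dev/null 2>&1; then
    echo "OK   chains to root CA"; else echo "FAIL does not chain to root CA"; rc=1; fi
  # 2. Subject CN must equal the node FQDN entered in the CSR
  cn=$(openssl x509 -in "$srv" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//; s/,.*//')
  if [ "$cn" = "$3" ]; then echo "OK   CN=$cn"; else echo "FAIL CN=$cn, expected $3"; rc=1; fi
  # 3. The Web Server template adds the serverAuth EKU; ISE needs it for HTTPS/EAP
  if openssl x509 -in "$srv" -noout -text | grep -A1 'Extended Key Usage' \
       | grep -q 'TLS Web Server Authentication'; then
    echo "OK   serverAuth EKU present"; else echo "FAIL serverAuth EKU missing"; rc=1; fi
  # 4. Must not already be expired (checkend 0 = expires within 0 seconds)
  if openssl x509 -in "$srv" -noout -checkend 0 >/dev/null; then
    echo "OK   not expired"; else echo "FAIL certificate has expired"; rc=1; fi
  return $rc
}

make_demo_certs
check_ise_cert "$WORK/root.der" "$WORK/ise-node1.der" ise-node1.example.local
```

To check real files, replace the two DER paths in the last line with the root and server certificates downloaded from certsrv and the FQDN with the node's own.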
Thank you for the post. A great walk-through.
Glad that it helped you.
Regards
RSCCIEW
Thanks
Could this be used to get Android/iOS devices to trust other certs issued by the MS AD CA? Since they cannot join the domain.