
In this session, we'll be completing the certificate enrollment to obtain a trusted
ID cert for use with ISE. And then as we finish this section, we'll be making some
changes to how RADIUS logging behaves. Our ISE application server got restarted
from the last section. We got logged out. We're back at the login screen for ISE.
We're still seeing the trust warning at this point. But if we issue the login and
start to interact with ISE, we should see that change.
And sure enough, now, we've got no particular warnings from the ID cert that ISE is
currently sending us. I should point out that, as part of this lab setup, the
trusted CA cert for the lab has been added to the Firefox browser. And so any
received ID certs that have been signed by that are now also trusted.
If we look at the contents of this cert, we can see that we've got a secure
connection. And if we look at more details, we can view the contents of that ID
cert. We can see the subject information corresponds to what I supplied in the
certificate signing request. And we can also see the Subject Alternative Names, or
SANs, that were added to that cert. Signer, and down below here we should be able to
see validation period as well.
OK. Back on ISE, let's fine-tune what we want this certificate to be used for. Go
into Administration, Certificates. We see under System Certificates-- we see still
in place is the default self-signed server certificate and the one that was just
added from our root CA. And of course, it's got an oddball name in there, which we
can straighten out here.
OK. For use with a certificate, we'll add a friendly name. And we can see the SANs
listed here as well. It's already in use for admin. We're seeing the evidence of
that by the trust that we're obtaining from the Firefox browser. We also want to
use this trusted ID certificate for EAP authentication. And it lets us know that
only a single certificate can be supplied for EAP overall within our system
deployment. And so this will remove EAP support from the self-signed certificate
and place it on this new trusted ID certificate.
And we'll also set it up for portal usage. In this case, not specific to any
portal, we'll add a portal group tag that we can apply. When we go to configure a
portal, we configure or select this portal group tag. And it will apply this
trusted ID cert. And then we'll save that. We get a service response that we were
successful. We can see our renamed certificate and what it's currently being used
for. And almost all functions have been removed from the original self-signed
certificate.
OK. For purposes of the lab, we're going to make some modifications to RADIUS
settings. We'll step through this process here now. Go to the Administration,
System, and Settings. You can see a variety of settings. And we'll be poking in
this area for future sessions. In this case, we're wanting to select Protocols and
RADIUS.
In particular, what we're wanting for our lab purposes is to prevent the
suppression of failed client login attempts. We want to see those and not have
those suppressed. And then likewise, we want to not suppress successful
authentications. These are left on by default to prevent over-utilization of disk
space on the nodes that are running the monitoring or MNT personas. And this will--
the suppression reduces the size of the logging that's needed and just dampens the
level of detail. So it might be helpful to uncheck these options as we're doing for
the lab support in an early install or early deployment of ISE, to make sure you're
clearly understanding all the potential effects. And then once things are working
to your needs initially, then we can check these boxes back on and save that disk
space.
It lets us know that we've modified those changes. It may take a moment to take
effect. We see the confirmation message down the bottom. And I also wanted to point
out that, if you're not sure what options were checked or unchecked, you can always
issue or click this Reset to Default button to restore those original Cisco default
settings.
OK. In this session, we finished out the establishment of a trusted ID cert for use
with ISE. In particular, we're already seeing the positive impacts for that for
administration browsing, administrative browsing in ISE. And ultimately, this will
provide positive impacts for any PC or endpoint device that's receiving an ID cert
that we've got the opportunity to create trust around that by simply trusting that
CA, importing and trusting that CA into an endpoint. We're perhaps considering
distribution with something like a Microsoft domain policy, which is a nice fit for
that Microsoft-based certificate authority that we're using.
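
The browser checks described in this session (subject, SANs, signer, validity period, and trust through the lab CA) can also be scripted with OpenSSL. The following is an added example, not part of the session: it builds a constructed throwaway CA and certificates under placeholder names (`ise.lab.example`, `portal.lab.example`, `Example Lab Root CA`) so that it runs offline, and shows the CA-signed ID cert passing where a self-signed one fails.

```shell
#!/bin/sh
# Added example: constructed lab PKI; all names below are placeholders.

# Build a throwaway root CA, a CA-signed ID cert with SANs, and a self-signed cert.
make_lab_pki() {  # usage: make_lab_pki DIR
  d=$1
  cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
[v3_id]
subjectAltName = DNS:ise.lab.example,DNS:portal.lab.example
EOF
  openssl req -x509 -config "$d/lab.cnf" -extensions v3_root -newkey rsa:2048 \
    -nodes -days 30 -subj "/CN=Example Lab Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=ise.lab.example" \
    -keyout "$d/ise.key" -out "$d/ise.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/ise.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/lab.cnf" -extensions v3_id \
    -out "$d/ise.pem" 2>/dev/null || return 1
  openssl req -x509 -config "$d/lab.cnf" -extensions v3_id -newkey rsa:2048 \
    -nodes -days 30 -subj "/CN=ise.lab.example" \
    -keyout "$d/self.key" -out "$d/selfsigned.pem" 2>/dev/null
}

# Print the fields the browser's certificate viewer shows.
show_id_cert() {  # usage: show_id_cert CERT
  openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName
}

# Succeed only if CERT chains to CA_FILE and HOSTNAME matches one of its SANs.
check_id_cert() {  # usage: check_id_cert CERT CA_FILE HOSTNAME
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Demo: the CA-signed cert is trusted, the self-signed one is not.
LAB_DIR=$(mktemp -d) && make_lab_pki "$LAB_DIR" && {
  show_id_cert "$LAB_DIR/ise.pem"
  for c in ise.pem selfsigned.pem; do
    if check_id_cert "$LAB_DIR/$c" "$LAB_DIR/ca.pem" ise.lab.example
    then echo "$c: trusted"; else echo "$c: NOT trusted"; fi
  done
  rm -rf "$LAB_DIR"
}
```

Against a live node, save the certificate it presents with `openssl s_client -connect HOST:443 -servername HOST </dev/null | openssl x509 -out ise.pem` (HOST is a placeholder) and pass the lab CA's PEM file as `CA_FILE`.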
