Hello.

Today we'll look at the Cisco ISE certificate warning message.

Some certificates are trusted out of the box because they were issued by an external, public CA.

Most sites use HTTPS. Windows ships with many CA certificates pre-installed, so when you connect to an external HTTPS site such as google.com, no certificate warning appears.

For this test we installed two Cisco ISE nodes as follows.

ISE01 - 192.168.10.191

ISE02 - 192.168.10.192

When you connect to https://192.168.10.192, a certificate warning message appears as shown below.

Checking the certificate on the PC:

You can ignore the certificate warning and connect anyway.

Let's remove this warning.

 

1. Connect to the Windows CA server.

 http://192.168.10.193/certsrv

Click Download a CA certificate, Certificate chain or CRL.

2. Select Base 64 and click Download CA certificate.

Certnew has been downloaded as shown below.

Rename it as shown below: CA-Root

Let's configure the certificate on Cisco ISE01 - 192.168.10.192.

3. Click Administration -> System -> Certificates.

4. Click Trusted Certificates -> Import.

5. Click the Choose File button.

6. Configure as shown below and click Submit.

Trust for authentication within ISE - This allows you to add new ISE nodes as long as they have the same trusted CA certificate loaded in their Trusted Certificate Store.

Trust for client authentication and Syslog: check this box if you want to use this certificate to authenticate endpoints that connect to ISE using EAP and/or to trust a secure syslog server.

Trust for authentication of Cisco Services: check this only if you want this certificate to be trusted for external Cisco services such as the feed service.

7. The Windows CA server has been registered.

8. Request Signing Certificate - click the Generate Certificate Signing Request (CSR) button as shown in the screenshot below.

9. Enter the information as shown below.

Because the certificate will be used for several services, set Usage to Multi-Use and check ise02.

Fill in as shown below and click Generate.

Check in Windows Server DNS that the values match.

10. A warning message appears. Clicking Yes produces an error message and the certificate request fails.

Check the Cisco ISE domain.

The domain is set to "local".

It should be test.local but was entered incorrectly.

Connect to the CLI.

ise01/admin#configure t
Entering configuration mode terminal
ise01/admin(config)#end
ise01/admin#show run
interface GigabitEthernet 0
 ip address 192.168.10.191 255.255.255.0
 ipv6 enable
 ipv6 address autoconfig
!
ntp server time.nist.gov
hostname ise01
icmp echo on
ip domain-name local

Change it as shown below.

ise01/admin#
ise01/admin#configure t
Entering configuration mode terminal
ise01/admin(config)#i
Possible completions:
  icmp             Configure icmp echo requests
  identity-store   Configure identity store for CLI users
  interface        Configure interface
  ip               Configure IP features
  ipv6             Configure IPv6 features
ise01/admin(config)#ip domain-name test.local
  % Warning: Updating the domain name will cause any certificate using the old
% domain name to become invalid. Therefore, a new self-signed
% certificate using the new domain name will be generated now for
% use with HTTPs/EAP. If CA-signed certs were used on this node,
% please import them with the correct domain name. If Internal-CA
% signed certs are being used, please regenerate ISE Root CA certificate.
% In addition, if this ISE node will be joining a new Active Directory
% domain, please leave your current Active Directory domain before
% proceeding.
% Changing the IP domain-name will cause ise services to restart
Proceed? [yes,no] yes

The services restart.

This takes quite a while; wait about 15 minutes.

Wait until Application Server shows running, as below.

ise02/admin#show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          838346
Database Server                        running          89 PROCESSES
Application Server                     initializing
Profiler Database                      running          848506
ISE Indexing Engine                    running          859072
AD Connector                           running          860543
M&T Session Database                   running          854482
M&T Log Processor                      running          858109
Certificate Authority Service          running          860385
EST Service                            running          868581
SXP Engine Service                     disabled
TC-NAC Service                         disabled
PassiveID WMI Service                  disabled
PassiveID Syslog Service               disabled
PassiveID API Service                  disabled
PassiveID Agent Service                disabled
PassiveID Endpoint Service             disabled
PassiveID SPAN Service                 disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
ISE Messaging Service                  running          845235
ISE API Gateway Database Service       running          847493
ISE API Gateway Service                running          853220
ISE pxGrid Direct Service              running          886548
Segmentation Policy Service            disabled
REST Auth Service                      disabled
SSE Connector                          disabled
Hermes (pxGrid Cloud Agent)            disabled
McTrust (Meraki Sync Service)          disabled
ISE Node Exporter                      running          861123
ISE Prometheus Service                 running          862365
ISE Grafana Service                    running          864153
ISE MNT LogAnalytics Elasticsearch     disabled
ISE Logstash Service                   disabled
ISE Kibana Service                     disabled
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 100 GB

ise02/admin#show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          838346
Database Server                        running          93 PROCESSES
Application Server                     running          857882
Profiler Database                      running          848506
ISE Indexing Engine                    running          859072
AD Connector                           running          860543
M&T Session Database                   running          854482
M&T Log Processor                      running          858109
Certificate Authority Service          running          860385
EST Service                            running          868581
SXP Engine Service                     disabled
TC-NAC Service                         disabled
PassiveID WMI Service                  disabled
PassiveID Syslog Service               disabled
PassiveID API Service                  disabled
PassiveID Agent Service                disabled
PassiveID Endpoint Service             disabled
PassiveID SPAN Service                 disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
ISE Messaging Service                  running          845235
ISE API Gateway Database Service       running          847493
ISE API Gateway Service                running          853220
ISE pxGrid Direct Service              running          886548
Segmentation Policy Service            disabled
REST Auth Service                      disabled
SSE Connector                          disabled
Hermes (pxGrid Cloud Agent)            disabled
McTrust (Meraki Sync Service)          disabled
ISE Node Exporter                      running          861123
ISE Prometheus Service                 running          862365
ISE Grafana Service                    running          864153
ISE MNT LogAnalytics Elasticsearch     disabled
ISE Logstash Service                   disabled
ISE Kibana Service                     disabled
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 100 GB


ise02/admin#

Connect to https://192.168.10.192 and check the certificate CN.

It has been changed correctly.

Make the same change on ISE01.

11. Try again and click the Yes button.

12. Click Export.

Rename the file as shown below.

13. Connect to the Windows server again.

Click Request a certificate.

14. Click Advanced certificate request.

15. Open the file, copy and paste the contents of the exported CSR, and click Submit.

16. Select Base 64 encoded and click Download certificate.

Rename the file as shown below.

17. Connect to Cisco ISE02 again.

Configure as shown below and click Submit.

Connect to the CLI and enter show application status ise.

Wait until Application Server changes to running.

ise02/admin#show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          838346
Database Server                        running          87 PROCESSES
Application Server                     not running
Profiler Database                      running          848506
ISE Indexing Engine                    running          859072
AD Connector                           running          860543
M&T Session Database                   running          854482
M&T Log Processor                      running          858109
Certificate Authority Service          running          860385
EST Service                            running          868581
SXP Engine Service                     disabled
TC-NAC Service                         disabled
PassiveID WMI Service                  disabled
PassiveID Syslog Service               disabled
PassiveID API Service                  disabled
PassiveID Agent Service                disabled
PassiveID Endpoint Service             disabled
PassiveID SPAN Service                 disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
ISE Messaging Service                  running          845235
ISE API Gateway Database Service       running          847493
ISE API Gateway Service                running          853220
ISE pxGrid Direct Service              running          886548
Segmentation Policy Service            disabled
REST Auth Service                      disabled
SSE Connector                          disabled
Hermes (pxGrid Cloud Agent)            disabled
McTrust (Meraki Sync Service)          disabled
ISE Node Exporter                      running          861123
ISE Prometheus Service                 running          862365
ISE Grafana Service                    running          864153
ISE MNT LogAnalytics Elasticsearch     disabled
ISE Logstash Service                   disabled
ISE Kibana Service                     disabled
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 100 GB


ise02/admin#

ise02/admin#show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          838346
Database Server                        running          93 PROCESSES
Application Server                     running          972882
Profiler Database                      running          848506
ISE Indexing Engine                    running          978221
AD Connector                           running          860543
M&T Session Database                   running          854482
M&T Log Processor                      running          858109
Certificate Authority Service          running          860385
EST Service                            running          868581
SXP Engine Service                     disabled
TC-NAC Service                         disabled
PassiveID WMI Service                  disabled
PassiveID Syslog Service               disabled
PassiveID API Service                  disabled
PassiveID Agent Service                disabled
PassiveID Endpoint Service             disabled
PassiveID SPAN Service                 disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled
ISE Messaging Service                  running          845235
ISE API Gateway Database Service       running          847493
ISE API Gateway Service                running          1028398
ISE pxGrid Direct Service              running          1007569
Segmentation Policy Service            disabled
REST Auth Service                      disabled
SSE Connector                          disabled
Hermes (pxGrid Cloud Agent)            disabled
McTrust (Meraki Sync Service)          disabled
ISE Node Exporter                      running          861123
ISE Prometheus Service                 running          862365
ISE Grafana Service                    running          864153
ISE MNT LogAnalytics Elasticsearch     disabled
ISE Logstash Service                   disabled
ISE Kibana Service                     disabled
% WARNING: ISE DISK SIZE NOT LARGE ENOUGH FOR PRODUCTION USE
% RECOMMENDED DISK SIZE: 200 GB, CURRENT DISK SIZE: 100 GB


ise02/admin#

The Multi-Use certificate was issued successfully.

Install the certificate on my PC as well so the warning message no longer appears.

Double-click CA-Root.

To test, connect to 192.168.10.192.

The warning message no longer appears.

Check the certificate.
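As an added example that is not part of the original post, the following POSIX sh script builds a throwaway PKI with openssl that stands in for the Windows CA (CA-Root) and the ise02 node certificate, then runs the two checks behind the browser warning seen above: is the issuer trusted, and does the certificate name match the FQDN being visited. It assumes openssl is on PATH; the FQDN ise02.test.local and the file names are assumptions that follow the post.

```shell
#!/bin/sh
# Added lab example, not code from the post: a throwaway PKI built with openssl
# stands in for the Windows CA (CA-Root) and the ise02 node certificate, so the
# two checks behind the browser warning can be run offline: is the issuer trusted,
# and does the certificate name match the FQDN being visited.
# Assumed: openssl on PATH; the FQDN ise02.test.local and file names follow the post.
set -e
WORK=${WORK:-$(mktemp -d)}

# Stand-in for steps 2 and 8-16 of the post: root CA, node CSR, CA-signed node cert,
# plus a self-signed node cert like the default one ISE serves before the fix.
make_lab_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/CA-Root.cer" >/dev/null 2>&1
  # CSR with the correct domain. In step 10 the request failed because "ip domain-name"
  # was still "local", so the node FQDN would have been ise02.local.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ise02.test.local" \
    -keyout "$WORK/node.key" -out "$WORK/node.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:ise02.test.local\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/CA-Root.cer" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/san.ext" -out "$WORK/node.cer" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=ise02.test.local" \
    -keyout "$WORK/self.key" -out "$WORK/self.cer" >/dev/null 2>&1
}

# Print a CSR's subject in RFC 2253 form, so the domain can be checked before the
# CSR is pasted into the CA web form (the mistake of step 10 shows up here).
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# check_node_cert CERT CAFILE FQDN: exit 0 only when CERT chains to CAFILE and
# carries FQDN in its SAN/CN. Anything else is what the browser shows a warning for.
check_node_cert() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Demo run: the three outcomes seen in the post (before fix, wrong domain, fixed).
make_lab_pki
echo "CSR subject: $(csr_subject "$WORK/node.csr")"
check_node_cert "$WORK/self.cer" "$WORK/CA-Root.cer" ise02.test.local \
  || echo "self-signed node cert: untrusted issuer -> warning"
check_node_cert "$WORK/node.cer" "$WORK/CA-Root.cer" ise02.local \
  || echo "CA-signed but wrong domain: name mismatch -> warning"
check_node_cert "$WORK/node.cer" "$WORK/CA-Root.cer" ise02.test.local \
  && echo "CA-signed, ise02.test.local: trusted, no warning"
```

Against a real node, the same check_node_cert call works on the certificate saved from the browser, with CA-Root.cer downloaded in step 2 as CAFILE.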

 

Thank you for reading [2025][CISCO ISE#21] - Certificate Issue.
