
Part one can be found here
The next section will focus on the following:
- Create private keys and certificate signing request (CSR) to secure the HTTPS portal.
- Join the ISE nodes to the cluster.
- Join the ISE deployment to Active Directory.
Obtain and Import the internal root and intermediate certs into ISE trusted certificate store





Generate the private key and the certificate signing request (CSR)
iseadmmnt Private key:
lab@:~/PKI/iseadmmnt.netprojekralac.com$ rm iseadmmnt.private-key
lab@:~/PKI/iseadmmnt.netprojekralac.com$ openssl genrsa -aes256 -out iseadmmnt.private-key 2048
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Certificate signing request
# -key reuses the pass-phrase protected key generated above; -newkey/-keyout would overwrite it with a new, unencrypted key
openssl req -new -key iseadmmnt.private-key -out iseadmmnt.csr -subj "/C=US/ST=State/L=New York/O=NETPROJEKRALAC/OU=WLAN/CN=iseadmmnt.netprojekralac.com" -addext "subjectAltName=DNS:iseadmmnt.netprojekralac.com,IP:10.0.0.36"

View the contents of the CSR

openssl req -in iseadmmnt.csr -noout -text
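Putting the two openssl steps together, as an added example that is not from the original post: this Python wrapper generates the pass-phrase protected key, builds the CSR from that same key (so the key is not overwritten), then parses the CSR back to confirm the CN and the SAN entries are what ISE and browsers expect. The pass phrase is a placeholder and openssl 1.1.1 or later is assumed for -addext.

```python
import os
import re
import subprocess
import tempfile

# Lab hostname and SAN IP from this series; the pass phrase is a placeholder
# for the example only (a real deployment uses a secret one).
CN = "iseadmmnt.netprojekralac.com"
SAN_IP = "10.0.0.36"
PASSPHRASE = "changeme-example"


def run(*args: str) -> str:
    """Run an openssl subcommand and return stdout; raises if openssl fails."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def make_key_and_csr(workdir: str) -> str:
    """Generate an AES-256 protected RSA key, then a CSR from that SAME key.
    'req -key' keeps the encrypted key; '-newkey ... -keyout' would replace
    it with a fresh unencrypted one."""
    key = os.path.join(workdir, "iseadmmnt.private-key")
    csr = os.path.join(workdir, "iseadmmnt.csr")
    run("genrsa", "-aes256", "-passout", f"pass:{PASSPHRASE}", "-out", key, "2048")
    subj = f"/C=US/ST=State/L=New York/O=NETPROJEKRALAC/OU=WLAN/CN={CN}"
    run("req", "-new", "-key", key, "-passin", f"pass:{PASSPHRASE}", "-out", csr,
        "-subj", subj, "-addext", f"subjectAltName=DNS:{CN},IP:{SAN_IP}")
    return csr


def inspect_csr(csr_path: str) -> dict:
    """Parse 'openssl req -text' output: subject CN plus DNS / IP SAN entries."""
    text = run("req", "-in", csr_path, "-noout", "-text")
    cn = re.search(r"CN\s*=\s*([^,\n]+)", text)
    return {
        "cn": cn.group(1).strip() if cn else None,
        "dns": re.findall(r"DNS:([^,\s]+)", text),
        "ip": re.findall(r"IP Address:([^,\s]+)", text),
    }


def csr_matches(info: dict) -> bool:
    """Browsers ignore the CN, so the portal name must also be a DNS SAN,
    and the portal IP must be present for clients that connect by address."""
    return info["cn"] == CN and CN in info["dns"] and SAN_IP in info["ip"]


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        return inspect_csr(make_key_and_csr(d))


if __name__ == "__main__":
    print(demo(), csr_matches(demo()))
```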

Submit the CSR to the Internal PKI




- Save the file

Import the certificate to ISE






Verify that the HTTPS certificate is valid


Configure an ISE Deployment
Admin & Monitoring node





Add the DMZ PSN to the admin node.





Join the Admin/MNT node to Active Directory






Once the ISE nodes are joined to Active Directory, ISE can query LDAP to retrieve user attributes (such as group membership, department, or title). These attributes are then used in authorization policies to control access based on user identity and role, which enables centralized, dynamic, role-based access control.
Note: If the correct firewall ports are not opened, the following errors/failures will occur.

Why did the ISE node fail to join AD?

By design, the DMZ network cannot communicate with the internal network unless a firewall rule explicitly permits it. The image below shows ISE (10.0.66.36) trying to reach the domain controller (10.0.206.21) on UDP port 389; the firewall denies the traffic because no such rule is in place.
This default deny is one of the basic segmentation requirements.

The ISE node continues to fail while trying to join the Active Directory domain.

CoA failure – firewall rules must be in place


To successfully join the Active Directory domain, additional ports must be opened:
- From the DMZ VLAN 666 to the Internal VLAN 206 (Active Directory)
- From the DMZ VLAN 666 (10.0.66.36) ISE to the Internal WLC (10.0.0.18)
ISE port matrix: https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/b_ise_InstallationGuide31_chapter_7.html
| Port | Description |
|---|---|
| UDP – 389 | The Lightweight Directory Access Protocol (LDAP) uses this TCP and UDP port for directory updates and basic LDAP queries. LDAP is the foundation of Active Directory and is used for user authentication and directory lookups. |
| TCP/UDP – 88 | This TCP/UDP port provides users with access to the Kerberos authentication protocol. Kerberos allows users to access privileged network resources using tickets issued by the server. |
| TCP/UDP – 135 | This port is used for Remote Procedure Call (RPC), a Windows service that many services, including Active Directory, rely on. |
| TCP – 445 | This port is used for file sharing and authentication. It is also used to share network device resources using SMB, which is a key component of Microsoft Active Directory. |
| TCP – 3268 | In Active Directory, TCP port 3268 is used for the Global Catalog, which allows searches across the entire domain forest: you can query for objects from any domain in the forest by accessing this port on a domain controller configured as a Global Catalog server. Essentially, it is a specific LDAP port for broader searches than the standard LDAP port (389). |
| UDP – 1700 | RADIUS Change of Authorization (CoA) Send: UDP/1700. RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799. |
| Bring Your Own Device (BYOD) / Network Service Protocol (NSP) Redirection, Provisioning, SCEP | Provisioning – URL Redirection: see Web Portal Services: Guest Portal and Client Provisioning. For Android devices with EST authentication: TCP/8084 (port 8084 must be added to the Redirect ACL for Android devices). Provisioning – Active-X and Java Applet Install (includes the launch of Wizard Install): see Web Portal Services: Guest Portal and Client Provisioning. Provisioning – Wizard Install from Cisco ISE (Windows and Mac OS): TCP/8443. Provisioning – Wizard Install from Google Play (Android): TCP/443. Provisioning – Supplicant Provisioning Process: TCP/8905. SCEP Proxy to CA: TCP/80 or TCP/443 (based on the SCEP RA URL configuration). |
| Profiling | NetFlow: UDP/9996 (configurable). DHCP: UDP/67 (configurable). DHCP SPAN Probe: UDP/68. HTTP: TCP/80, 8080. DNS: UDP/53 (lookup; route table dependent). SNMP Query: UDP/161 (route table dependent). SNMP Trap: UDP/162 (configurable). |
| OCSP and CRL Service Ports | For OCSP, the default ports that can be used are TCP 80, TCP 443 and TCP 2560. The Cisco ISE Admin portal expects an HTTP-based URL for OCSP services, so TCP 80 is the default; non-default ports can also be used. For the CRL, the default protocols include HTTP, HTTPS, and LDAP, and the default ports are 80, 443, and 389 respectively. The actual port is contingent on the CRL server. |
| SCEP | TCP/9090 |
| Session | RADIUS Authentication: UDP/1812. RADIUS Accounting: UDP/1813. RADIUS DTLS Authentication/Accounting: UDP/2083. RADIUS Change of Authorization (CoA) Send: UDP/1700. RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799 (UDP port 3799 is not configurable). |
| Web Portal Services: Guest/Web Authentication, Guest Sponsor Portal, My Devices Portal, Client Provisioning, Certificate Provisioning, BlackListing Portal | HTTPS (the interface must be enabled for the service in Cisco ISE). Blacklist Portal: TCP/8000-8999 (default TCP/8444). Guest Portal and Client Provisioning: TCP/8000-8999 (default TCP/8443). Certificate Provisioning Portal: TCP/8000-8999 (default TCP/8443). My Devices Portal: TCP/8000-8999 (default TCP/8443). Sponsor Portal: TCP/8000-8999 (default TCP/8443). SMTP guest notifications from guest and sponsor portals: TCP/25. |
| Replication and Synchronization | Data Synchronization/Replication (JGroups): TCP/12001 (global). ISE Messaging Service (SSL): TCP/8671. |
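The firewall denies described above, as an added example that is not part of the original post: a small Python checker that reads constructed firewall deny lines (a generic key=value format, not any vendor's real log) and maps them onto the AD-join and CoA rows of the port matrix, so the missing rules are listed in one pass instead of being discovered one failed join at a time. The IP addresses are the ones used in this series; the required-flow list is derived from the table above.

```python
import re

ISE_DMZ = "10.0.66.36"   # ISE node in DMZ VLAN 666 (from this series)
DC = "10.0.206.21"       # domain controller, internal VLAN 206
WLC = "10.0.0.18"        # internal WLC that receives CoA from ISE

# Outbound flows ISE needs, taken from the port matrix: (dst, proto, port, purpose).
# ISE-side CoA listen ports (1700/3799) are inbound and so not listed here.
REQUIRED = [
    (DC, "TCP", 389, "LDAP"), (DC, "UDP", 389, "LDAP"),
    (DC, "TCP", 88, "Kerberos"), (DC, "UDP", 88, "Kerberos"),
    (DC, "TCP", 135, "RPC"), (DC, "UDP", 135, "RPC"),
    (DC, "TCP", 445, "SMB"), (DC, "TCP", 3268, "Global Catalog"),
    (WLC, "UDP", 1700, "RADIUS CoA"),
]

# Constructed sample log lines in a generic key=value format (not a real product's).
SAMPLE_LOG = """\
DENY src=10.0.66.36 dst=10.0.206.21 proto=UDP dport=389
DENY src=10.0.66.36 dst=10.0.206.21 proto=TCP dport=88
ALLOW src=10.0.66.36 dst=10.0.206.21 proto=TCP dport=445
DENY src=10.0.66.36 dst=10.0.0.18 proto=UDP dport=1700
DENY src=10.0.66.36 dst=10.0.206.21 proto=TCP dport=3389
DENY src=10.0.1.50 dst=10.0.206.21 proto=TCP dport=389
"""

LINE_RE = re.compile(r"^(?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$")


def parse_denies(log: str, src: str) -> set:
    """Return the set of (dst, proto, port) flows denied for this source only."""
    denied = set()
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["action"] == "DENY" and m["src"] == src:
            denied.add((m["dst"], m["proto"].upper(), int(m["dport"])))
    return denied


def missing_rules(denied: set) -> list:
    """Denied flows that the matrix says ISE needs: these rules must be added."""
    return sorted(r for r in REQUIRED if r[:3] in denied)


def unexpected_denies(denied: set) -> list:
    """Denied flows NOT in the matrix (e.g. RDP); segmentation should keep them blocked."""
    needed = {r[:3] for r in REQUIRED}
    return sorted(denied - needed)


if __name__ == "__main__":
    d = parse_denies(SAMPLE_LOG, ISE_DMZ)
    print("missing:", missing_rules(d))
    print("correctly blocked:", unexpected_denies(d))
```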