Quick post: I had an HA pair of ISE boxes in a lab the other day have the certificates that I made with a Windows Certificate Authority expire, and I ran into some odd behavior. To be clear, in this scenario the certificates had a valid chain of trust, but they were past their expiration date.
I logged in after realizing this and saw odd behavior: node-A could not read node-B's certificates. Both nodes said they were no longer on the domain, even though the domain disagreed and I logged in with domain credentials that were recently changed. Then when I went to make a Certificate Signing Request (CSR), I was able to make it, but when I went to download it I got a generic message of “Cannot connect to node-a”. At the same time all these issues were going on, under “Node Status” on the dashboard, both nodes were sharing health data.
In the end, ISE gets weird when the cert date has expired. I generated a new self-signed cert for node-A. Then I deleted the expired certs, because the system didn't want me to make a CSR for the same thing it thought it had a cert for already. This allowed me to then properly make a CSR and export it. That gave me “ciscoisenodea.pem”; I brought that over to the Windows CA I had set up, and from an admin command prompt ran
certreq -submit -attrib "CertificateTemplate:WebServer" ciscoisenodea.pem. I saved the result to my local desktop and went into ISE to bind it to the CSR. Node-A then rebooted. All of a sudden things like the domain pairing started showing they were working again. Then I did the same process on the second node, and all of a sudden everything was happy again. Note: make sure you have your admin backup password; one of the nodes DID refuse to talk to AD and I had to use that, while the other one said it wasn't on the domain, but did work…
Hope this helps someone out there!
Recently at work we have been rolling out Credential Guard on our Windows clients. I didn't know that much about it, so I did some research: https://www.youtube.com/watch?v=urqXgBbVyWY is a decent video that goes over what Credential Guard does. The high-level bits are: it uses Hyper-V to create a secure container that holds your credentials. Then if your main Windows environment is compromised, in theory, the baddie can't see your network hash and use it to gain access to stuff. This is just a quick post in case you haven't heard of or dug into a cool new security feature.
There are a few requirements to run Credential Guard. The first is you need Intel or AMD hardware support for virtualization, which basically any system from the last 5+ years should easily have. You also have to be running with UEFI and Secure Boot enabled. Both are a good idea anyway; it's 2020. This Microsoft page has a PowerShell script you can use to test if your machine is ready and enable the bits you need on Windows: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage .
The easiest way to check if it's working, or even configured, is to type “msinfo32” in the start menu. Then you can see which security tools are running and which are just configured. This is a nice panel because you can easily see if Secure Boot and Credential Guard are working. There are lots of guides on how to get this working; I want to go over some of the caveats to running this.
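If you would rather script the msinfo32 check (say, across a fleet), the same "configured vs. running" distinction is exposed through the Win32_DeviceGuard WMI class. This is an added example, not from the original post or from Microsoft's script linked above; it assumes Windows 10/11 and an elevated prompt, since Confirm-SecureBootUEFI needs admin.

```powershell
# Added example: programmatic equivalent of the msinfo32 "Device Guard" lines.
# Assumes Windows 10/11 and an elevated PowerShell prompt.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                      -Namespace root\Microsoft\Windows\DeviceGuard

# Values used in the SecurityServicesConfigured / SecurityServicesRunning arrays
$services = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }
# Values of VirtualizationBasedSecurityStatus
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

"Virtualization-based security: $($vbsState[[int]$dg.VirtualizationBasedSecurityStatus])"

foreach ($id in $services.Keys) {
    # "Configured" only means policy asked for it; "running" is what msinfo32 shows
    # as "Virtualization-based security Services Running" and is the one that matters.
    $configured = $dg.SecurityServicesConfigured -contains $id
    $running    = $dg.SecurityServicesRunning    -contains $id
    "{0,-25} configured={1} running={2}" -f $services[$id], $configured, $running
}

try {
    "Secure Boot enabled: $(Confirm-SecureBootUEFI)"
} catch {
    # The cmdlet throws on legacy BIOS/CSM boot, where Secure Boot cannot be on,
    # which is exactly the CSM situation described in Caveat 2 below.
    "Secure Boot: not supported on this firmware (legacy BIOS/CSM boot?)"
}
```

If Credential Guard shows configured=True but running=False, the usual culprits are the UEFI/Secure Boot/virtualization prerequisites above, or a pending reboot after enabling it.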
Caveat 1: Credential Guard breaks Single Sign-On for 802.1x connections. This forces you to use certificate auth with User/Machine level certs. See https://www.neighborgeek.net/2016/08/windows-10-credential-guard-breaks-wifi.html for more on that.
Caveat 2: Be careful with your motherboard. I have an AMD system I deployed this on; to get Secure Boot working I had to disable CSM (Compatibility Support Module), and after rebooting not only did my keyboard not want to work, but I had to enter my BitLocker recovery key, which I should have remembered since I made a UEFI change. The keyboard issue seems to be that the B350 motherboard in Fast Boot mode has issues with some USB keyboards. After disabling Fast Boot I got it working happily. With an NVMe drive, letting the machine fully load each time and not using fast booting only delays the system a couple of seconds, but lets all the devices initialize.