topic ISE 1.1.4 Can't run multiple signed CA's in the store in Network Access Control https://community.cisco.com/t5/network-access-control/ise-1-1-4-can-t-run-multiple-signed-ca-s-in-the-store/m-p/2218869#M126626 <HTML><HEAD></HEAD><BODY><P>anytime. keep this thread updates if you face any further issues.</P><P></P><P></P><P>Jatin Katyal <BR /> - Do rate helpful posts -</P></BODY></HTML> Sat, 08 Jun 2013 09:24:30 GMT Jatin Katyal 2013-06-08T09:24:30Z ISE 1.1.4 Can't run multiple signed CA's in the store https://community.cisco.com/t5/network-access-control/ise-1-1-4-can-t-run-multiple-signed-ca-s-in-the-store/m-p/2218864#M126427 <P>Using Sha1 for Cisco 7925g and sha256 for data. Two separate CA's, one EnTrust (SHA1) the other Local Wondows CA (SHA256); ISE can only use one at a time to process a particular protocol (ie..EAP-TLS, HTTP, etc...)&nbsp; </P><P></P><P>As a result we have to have a separate PSN just for Wireless and Wired VoIP (which can only hold SHA1 RSA1024).</P><P></P><P>Has anyone else run into this issue? </P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P><P></P><P></P><P></P><P>The box said 'Requires Windows XP or better'. So I installed LINUX...&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Mon, 11 Mar 2019 03:30:56 GMT https://community.cisco.com/t5/network-access-control/ise-1-1-4-can-t-run-multiple-signed-ca-s-in-the-store/m-p/2218864#M126427 desmanicholson 2019-03-11T03:30:56Z ISE 1.1.4 Can't run multiple signed CA's in the store https://community.cisco.com/t5/network-access-control/ise-1-1-4-can-t-run-multiple-signed-ca-s-in-the-store/m-p/2218865#M126461 <HTML><HEAD></HEAD><BODY><P>It is correct that you can only have one Cert for EAP and one for HTTPS; this is the case for all 1.1.X versions of ISE.</P><P></P><P>Why don't you just use one Cert for all of your EAP functions?</P></BODY></HTML> Thu, 06 Jun 2013 06:37:41 GMT https://community.cisco.com/t5/network-access-control/ise-1-1-4-can-t-run-multiple-signed-ca-s-in-the-store/m-p/2218865#M126461 Richard Atkin 2013-06-06T06:37:41Z ISE 1.1.4 Can't run multiple signed CA's in the store https://community.cisco.com/t5/network-access-control/ise-1-1-4-can-t-run-multiple-signed-ca-s-in-the-store/m-p/2218866#M126505 <HTML><HEAD></HEAD><BODY><P><SPAN>I guess you're using 2 different CA's becuase you want to use certificate signed with SHA256 RSA signature however IP phones 7925 doesn't support or work with SHA256 so you want to use SHA1 for phones only. We had this discussion in the below listed link: </SPAN><A class="jive-link-external-small" href="https://community.cisco.com/thread/2165566">https://supportforums.cisco.com/thread/2165566</A></P><P></P><P>Yes, ISE can use only one cert for eap chaining and one for https.</P><P></P><P></P><P>Jatin Katyal <BR /> - Do rate helpful posts -</P></BODY></HTML> Thu, 06 Jun 2013 08:43:52 GMT https://community.cisco.com/t5/network-access-control/ise-1-1-4-can-t-run-multiple-signed-ca-s-in-the-store/m-p/2218866#M126505 Jatin Katyal 2013-06-06T08:43:52Z ISE 1.1.4 Can't run multiple signed CA's in the store https://community.cisco.com/t5/network-access-control/ise-1-1-4-can-t-run-multiple-signed-ca-s-in-the-store/m-p/2218867#M126561 <HTML><HEAD></HEAD><BODY><P>Thanks for the response, unfortunately policy doesn't allow for mixed mode (ie..sha1 for 7925's and sha256) for data. since the 7900 series wired and 7925g wireless can run sha256 we had to find a 3rd party hosted pki solution. Spoke with a Cisco ISE Engineer and he verified the configurations aren't granular enough to be able to direct traffic to the proper cert and protocol. The one that's active is the one that will be used. </P><P></P><P>Cisco 7925 wireless new model that can acept a sha256 isn't coming until 2014 so i've heard and now sure when the wired desktop units will be able to handle sha256. Kinda leaves you in a pickle when architecting because it adds 2 PSN's automatically for HA/DR</P><P></P><P></P><P>The box said 'Requires Windows XP or better'. So I installed LINUX...</P></BODY></HTML> Thu, 06 Jun 2013 12:27:00 GMT https://community.cisco.com/t5/network-access-control/ise-1-1-4-can-t-run-multiple-signed-ca-s-in-the-store/m-p/2218867#M126561 desmanicholson 2013-06-06T12:27:00Z ISE 1.1.4 Can't run multiple signed CA's in the store https://community.cisco.com/t5/network-access-control/ise-1-1-4-can-t-run-multiple-signed-ca-s-in-the-store/m-p/2218868#M126592 <HTML><HEAD></HEAD><BODY><P>That is exactly correct..Thanks for the link, I will check it out...</P><P></P><P></P><P>The box said 'Requires Windows XP or better'. So I installed LINUX...</P></BODY></HTML> Thu, 06 Jun 2013 12:27:35 GMT https://community.cisco.com/t5/network-access-control/ise-1-1-4-can-t-run-multiple-signed-ca-s-in-the-store/m-p/2218868#M126592 desmanicholson 2013-06-06T12:27:35Z ISE 1.1.4 Can't run multiple signed CA's in the store https://community.cisco.com/t5/network-access-control/ise-1-1-4-can-t-run-multiple-signed-ca-s-in-the-store/m-p/2218869#M126626 <HTML><HEAD></HEAD><BODY><P>anytime. keep this thread updates if you face any further issues.</P><P></P><P></P><P>Jatin Katyal <BR /> - Do rate helpful posts -</P></BODY></HTML> Sat, 08 Jun 2013 09:24:30 GMT https://community.cisco.com/t5/network-access-control/ise-1-1-4-can-t-run-multiple-signed-ca-s-in-the-store/m-p/2218869#M126626 Jatin Katyal 2013-06-08T09:24:30Z