<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic different certs used for eap on endpoint attached to switch port in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/different-certs-used-for-eap-on-endpoint-attached-to-switch-port/m-p/3759704#M487395</link>
    <description>&lt;P&gt;Forwarding question: Currently the workstations that have been configured are all working fine with a legacy SHA1 certificate and PEAP-TLS, but the Avaya IP phones do not authenticate, with the error “12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate”.&lt;BR /&gt;&lt;BR /&gt;One issue is that the phones currently use a SHA256 certificate for EAP-TLS and the workstations use SHA1. We are due to upgrade to SHA256 for the workstations in the coming months but have an issue with compatibility, as currently a 4.2 ACS server which is currently in place does not work on 2008R2, potentially breaking our RADIUS authentications.&lt;BR /&gt;&lt;BR /&gt;So the plan was to replace ACS with ISE and then upgrade the certificate server when we hit the current issue. Is it possible to have 2 different EAP-TLS authentication certificates? I did attempt this, but when I go to bind the cert, ISE states that this will override the current binding. Otherwise, is there a temporary solution to MAB the IP phones and dot1x the workstations?&lt;/P&gt;</description>
    <pubDate>Fri, 07 Dec 2018 17:15:24 GMT</pubDate>
    <dc:creator>mpeeters</dc:creator>
    <dc:date>2018-12-07T17:15:24Z</dc:date>
    <item>
      <title>different certs used for eap on endpoint attached to switch port</title>
      <link>https://community.cisco.com/t5/network-access-control/different-certs-used-for-eap-on-endpoint-attached-to-switch-port/m-p/3759704#M487395</link>
      <description>&lt;P&gt;Forwarding question: Currently the workstations that have been configured are all working fine with a legacy SHA1 certificate and PEAP-TLS, but the Avaya IP phones do not authenticate, with the error “12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate”.&lt;BR /&gt;&lt;BR /&gt;One issue is that the phones currently use a SHA256 certificate for EAP-TLS and the workstations use SHA1. We are due to upgrade to SHA256 for the workstations in the coming months but have an issue with compatibility, as currently a 4.2 ACS server which is currently in place does not work on 2008R2, potentially breaking our RADIUS authentications.&lt;BR /&gt;&lt;BR /&gt;So the plan was to replace ACS with ISE and then upgrade the certificate server when we hit the current issue. Is it possible to have 2 different EAP-TLS authentication certificates? I did attempt this, but when I go to bind the cert, ISE states that this will override the current binding. Otherwise, is there a temporary solution to MAB the IP phones and dot1x the workstations?&lt;/P&gt;</description>
      <pubDate>Fri, 07 Dec 2018 17:15:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/different-certs-used-for-eap-on-endpoint-attached-to-switch-port/m-p/3759704#M487395</guid>
      <dc:creator>mpeeters</dc:creator>
      <dc:date>2018-12-07T17:15:24Z</dc:date>
    </item>
    <item>
      <title>Re: different certs used for eap on endpoint attached to switch port</title>
      <link>https://community.cisco.com/t5/network-access-control/different-certs-used-for-eap-on-endpoint-attached-to-switch-port/m-p/3759766#M487397</link>
      <description>You cannot have two different certificates for EAP on a single ISE server.&lt;BR /&gt;&lt;BR /&gt;You can check with Avaya support if there is a way to stop the phones from talking EAP (doing dot1x). If they can, then yes, you can have the phones do MAB and the PCs will continue to do dot1x.</description>
      <pubDate>Fri, 07 Dec 2018 19:22:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/different-certs-used-for-eap-on-endpoint-attached-to-switch-port/m-p/3759766#M487397</guid>
      <dc:creator>Surendra</dc:creator>
      <dc:date>2018-12-07T19:22:05Z</dc:date>
    </item>
  </channel>
</rss>

