https://community.cisco.com/t5/network-access-control/using-different-cas-for-different-devices-cert-based/m-p/3440179#M510273 <HTML><HEAD></HEAD><BODY><P>Yes.&nbsp; it is possible.</P><P>first of all you need to import the Root CA (issuer CA) into ISE ( under Trusted Certificate page)</P><P></P><P>You need create two rules under policy for <SPAN style="font-size: 10.0pt; font-family: Arial, sans-serif;">AD CA for users' mobile device&nbsp; and <SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;">IoT devices.</SPAN></SPAN></P><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;"><BR /></SPAN></P><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;">ISE has several attributes to differentiate&nbsp; these two flows&nbsp; ( e.g. BYODRegistration flag&nbsp;&nbsp; for BYOD flow&nbsp; or using Certificate (Issuer CA) attributes,device location or group ...)</SPAN></P><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;"><BR /></SPAN></P><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;">here is an example:</SPAN></P><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;"><BR /></SPAN></P><P><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/116844_pastedImage_1.png" style="max-width: 1200px; max-height: 900px;" /></P><DIV> </DIV><DIV>YYes</DIV><DIV>HTH,</DIV></BODY></HTML> Wed, 02 May 2018 09:08:24 GMT smashash 2018-05-02T09:08:24Z https://community.cisco.com/t5/network-access-control/using-different-cas-for-different-devices-cert-based/m-p/3440177#M510271 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;">Hi there, Customer has two separate sets of devices that they want to implement certificated based authentication via ISE. One is their users' mobile devices (BYOD scenario). The other is their IoT devices (Yes, these devices are cert ready). They want to use two different CAs <SPAN style="font-family: Arial, sans-serif;">(AD CA for users' mobile device while ISE CA for IoT device). Is this possible and how to do that? Thanks. - William</SPAN></SPAN></P></BODY></HTML> Wed, 02 May 2018 08:04:35 GMT https://community.cisco.com/t5/network-access-control/using-different-cas-for-different-devices-cert-based/m-p/3440177#M510271 wingai 2018-05-02T08:04:35Z https://community.cisco.com/t5/network-access-control/using-different-cas-for-different-devices-cert-based/m-p/3440178#M510272 <HTML><HEAD></HEAD><BODY><P>Yes it is ,look here <A href="https://community.cisco.com/docs/DOC-64014">ISE Certificate Authority (CA)</A> </P></BODY></HTML> Wed, 02 May 2018 08:59:51 GMT https://community.cisco.com/t5/network-access-control/using-different-cas-for-different-devices-cert-based/m-p/3440178#M510272 ognyan.totev 2018-05-02T08:59:51Z https://community.cisco.com/t5/network-access-control/using-different-cas-for-different-devices-cert-based/m-p/3440179#M510273 <HTML><HEAD></HEAD><BODY><P>Yes.&nbsp; it is possible.</P><P>first of all you need to import the Root CA (issuer CA) into ISE ( under Trusted Certificate page)</P><P></P><P>You need create two rules under policy for <SPAN style="font-size: 10.0pt; font-family: Arial, sans-serif;">AD CA for users' mobile device&nbsp; and <SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;">IoT devices.</SPAN></SPAN></P><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;"><BR /></SPAN></P><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;">ISE has several attributes to differentiate&nbsp; these two flows&nbsp; ( e.g. BYODRegistration flag&nbsp;&nbsp; for BYOD flow&nbsp; or using Certificate (Issuer CA) attributes,device location or group ...)</SPAN></P><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;"><BR /></SPAN></P><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;">here is an example:</SPAN></P><P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif;"><BR /></SPAN></P><P><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/116844_pastedImage_1.png" style="max-width: 1200px; max-height: 900px;" /></P><DIV> </DIV><DIV>YYes</DIV><DIV>HTH,</DIV></BODY></HTML> Wed, 02 May 2018 09:08:24 GMT https://community.cisco.com/t5/network-access-control/using-different-cas-for-different-devices-cert-based/m-p/3440179#M510273 smashash 2018-05-02T09:08:24Z