topic Re: two different certificates ise 2.2 in Network Access Control

two different certificates ise 2.2

nstr1 — Fri, 25 May 2018 19:05:38 GMT

I can have two different certificates for web auth in ise 2.2 and that the devices choose either of the two ??

Re: two different certificates ise 2.2

Jason Kunst — Fri, 25 May 2018 19:10:12 GMT

Can you please explain further? We don’t support certificate based web authentication.

Re: two different certificates ise 2.2

nstr1 — Fri, 25 May 2018 19:16:04 GMT

it's not for web auth, it's for 802.1x

Re: two different certificates ise 2.2

Arne Bier — Sun, 27 May 2018 22:10:16 GMT

hen configuring an ISE PSN for the purposes of EAP processing, you can only install one certificate that identifies that server. If you have more than one PSN then you could install the second cert on that PSN - but then you have the challenge of ensuring that the NAS sends the traffic to the appropriate PSN - this may be possible if the traffic comes from two distinct networks (e.g. two SSID's). You'd need to explain your setup a bit more.

But in general it sounds not doable, because the EAP standard is designed such, that the EAP Server responds to the client with its X.509 certificate during EAP Client/Server negotiation. How can the server know which of the two (or more) certs to offer to the client? EAP servers don't have multiple personalities 🙂

The only practical thing you could do is to turn off the server check on the client (e.g. don't care about validating the server cert). This reduces security but it would offer a solution.

Re: two different certificates ise 2.2

Jason Kunst — Mon, 28 May 2018 00:29:34 GMT

its still not clear what you’re asking