topic Re: ISE - Two end user certificates in Network Access Control

ISE - Two end user certificates

jphilp — Tue, 06 Jun 2017 17:40:18 GMT

Does anyone know if it is possible to have two end user certificates on an ISE in order to carry out EAP-TLS to devices from two different CA's - i.e. WLAN 1 uses certificates from one CA and WLAN 2 using certificates from a totally separate CA?

When I try and bind the CSR's from the second CA, the ISE tells me that I can only have one system cert used for EAP and the existing one will be replaced.

Many thanks

John

Re: ISE - Two end user certificates

Jason Kunst — Tue, 06 Jun 2017 17:45:13 GMT

You’re asking if ISE can present a different server cert to the clients authentication with 802.1x depending on the SSID they connec to? I don’t think that’s possible.

Re: ISE - Two end user certificates

jphilp — Tue, 06 Jun 2017 17:49:27 GMT

Yes that is exactly what I'm trying to do Jason.

I think you are right - unless someone out there has had experience of getting this working?

Re: ISE - Two end user certificates

hslai — Tue, 06 Jun 2017 20:49:45 GMT

Please review How To: Implement ISE Server-Side Certificates

If simply needing ISE to auth endpoints signed by multiple certificate authority chains, then we need only import the individual certificates from the various chains to the trusted certificate store and marked as trusted for client authentications. You are correct that ISE supports only one single system certificate per ISE node used for the EAP server. There is an enhancement request to what you are asking but that is only needed for the use cases where the clients not wanting to trust EAP servers signed by other CAs so that is a corner case. If that is something you would us to implement, please ask your account team to discuss it with our product management team.

Re: ISE - Two end user certificates

dazza_johnson — Wed, 07 Jun 2017 06:33:38 GMT

I'd like to see this too and technically there is no reason why it can't be done. You can do it with Portals (multiple certificates), be good for EAP too.

Re: ISE - Two end user certificates

hslai — Wed, 07 Jun 2017 22:07:36 GMT

If you know any EAP server able to use two certificates, please let us know.

It's not as easy as ISE end-user facing portals, such as ISE guest portals, because the user browsers can go to different combination of FQDNs and ports and ISE is currently able to provide a different certificate for each port, as this is a fairly standard way for secure web sites. Even for web portals, ISE is not supporting server name indication (SNI) so we have to use different ports. There is nothing like such for EAP protocols, AFAIK.

In fact, you could in theory to simulate the same by directing your network devices to different PSNs and each uses a system certificate, either signed by CA-1 or by CA-2.

Re: ISE - Two end user certificates

gbekmezi-DD — Thu, 08 Jun 2017 23:39:57 GMT

Can we support different EAP certificates per interface?

Re: ISE - Two end user certificates

hslai — Fri, 09 Jun 2017 00:38:02 GMT

No. One EAP certificate per ISE PSN. If you need two, then use two different PSNs.

Re: ISE - Two end user certificates

jphilp — Fri, 09 Jun 2017 08:22:21 GMT

Correct. I tried this on our PSN and it took the EAP role off the existing certificate just leaving EAP assigned to the new certificate.

Re: ISE - Two end user certificates

mikoconn — Thu, 19 Apr 2018 16:54:22 GMT

So if I have an ISE cluster with two distinct organistions where endpoints don't trust a common CA, I can partition my PSNs such that some are used for Org 1 with a server cert from CA1 and the other PSNs used for Org 2 with server cert from CA2?

NADs from Org 1 are configured to use PSNs for Org 1, and similar arrangement for other org.

Limitation that any endpoints from Org 1 that connect to a NAD in Org 2 would still fail the certificate trust.

Assumes that admin and intra-cluster traffic uses a common cert from CA1.