topic Re: EAP-TLS with different root CA in Network Access Control

EAP-TLS with different root CA

umahar — Mon, 04 Jul 2016 11:00:33 GMT

Hello,

We have a customer who would like to deploy a different CA for EAP-TLS which is not part of the CA which signed the system certificates for ISE used for EAP. We will be importing this root CA in Trusted certificate store in ISE.

Would EAP-TLS be still successful (after throwing an unknown server warning ) if the endpoint is not trusting the server certificate ?

Does anyone see such deployment in production ?

Basically the customer wants to EAP-TLS for BYOD devices but does not want to use internal CA for certificate provisioning due to security reasons.

Re: EAP-TLS with different root CA

hslai — Tue, 05 Jul 2016 05:31:54 GMT

ISE BYOD supports external SCEP and CA, such as MS AD CS. ISE BYOD will provision the root CA of ISE EAP server certificate along with the endpoint certificate so it should not be an issue.

In general case of the endpoint not trusting the EAP server certificate but requiring it validated, then EAP-TLS will fail.

Re: EAP-TLS with different root CA

umahar — Thu, 07 Jul 2016 03:22:34 GMT

I tested this scenario on Windows and Iphone 5.

Windows could not connect throwing an error of client rejecting server certificate on ISE however Iphone was prompted to trust ISE certificate before it authenticated successfully.

We are not provisioning certificate out of band via an MDM so we will have to think of provisioning the ISE root CA as well.

Re: EAP-TLS with different root CA

Oliver Laue — Thu, 07 Jul 2016 06:28:56 GMT

The ISE represents his Admin Certificate during the Provisioning. This will cause your Error on Windows Clients.