topic Re: Design considerations for supporting multiple trusted CAs for EAP-TLS in ISE in Network Access Control

Design considerations for supporting multiple trusted CAs for EAP-TLS in ISE

matthen — Mon, 11 Mar 2019 08:50:07 GMT

I have a customer that is migrating from an existing external CA to a new external CA. They're currently using their existing CA for EAP-TLS and they want to add the new CA to ISE, so essentially authenticate with both CAs during the migration. Can they just add the cert chain for the new CA, generate and sign a CSR, import the new cert, and mark it to be used for authentication? Is there anything else that needs to be done or any design considerations that they need to be aware of?

Re: Design considerations for supporting multiple trusted CAs for EAP-TLS in ISE

gbekmezi-DD — Fri, 28 Sep 2018 15:44:00 GMT

That’s pretty much it. If you don’t care which CA issued the client’s certificate you shouldn’t have to do anything else.

Re: Design considerations for supporting multiple trusted CAs for EAP-TLS in ISE

thomas — Sun, 30 Sep 2018 19:09:38 GMT

Yes, you can change the ISE cert with the simple import for authentication and it will be fine.

The only other consideration is will your endpoints trust the new cert chain?

If the endpoints do not have the new CA in their trusted store they may reject any authentication attempts from ISE signed by the new CA.