topic Re: EAP-TLS and PEAP certificates in ISE in Network Access Control

Re: EAP-TLS and PEAP certificates in ISE

alex.fana1 — Tue, 02 Jul 2019 16:45:39 GMT

Someone has told me that you can't use multiple subCA for EAPTLS authentication. Is this true?

Re: EAP-TLS and PEAP certificates in ISE

Mike.Cifelli — Tue, 02 Jul 2019 17:23:18 GMT

This question is rather vague. If you have clients (endpoints) with different certificates issued from different subCAs that will be used for eap-tls auth you will need to import both certificate chains into ISE trusted certificates and ensure they are trusted for authentication within ISE.

Re: EAP-TLS and PEAP certificates in ISE

alex.fana1 — Tue, 02 Jul 2019 17:42:10 GMT

To clarify. We have smartphones and laptops, the phones will have a CA1 and Laptops will have CA2, both with the same RootCA. I should be able to import both CAs and the RootCA and have these check which CA is valid for authentication. Correct?

Re: EAP-TLS and PEAP certificates in ISE

hslai — Tue, 02 Jul 2019 17:47:24 GMT

Yes.

Re: EAP-TLS and PEAP certificates in ISE

Arne Bier — Thu, 04 Jul 2019 09:24:07 GMT

It’s always useful to specify which cert is being discussed. Server cert (in ISE) or client cert (from client). The original post question may have heard/read that ISE only supports a single EAP server cert. that is true. ISE will always identify itself using the one and only EAP server cert. in most cases this is fine. But for customers who have mergers and acquisitions, having more than one server cert in the RADIUS server is handy. Clearpass 6.7 introduced that feature not too long ago.