topic EAP Authentication Intermediate certificate renewal in Network Access Control

EAP Authentication Intermediate certificate renewal

Srinivasan Nagarajan — Mon, 27 Jul 2020 16:27:02 GMT

Hi Experts,

We've 2 small node deployment with the same certificate used for Admin and EAP authentication where one of the Intermediate cert in the certificate hierarchy is about to expire.

Root CA

----> Intermediate CA 1

-----> Intermediate CA 2 (About to expire)

----> Admin and EAP authentication cert

1.Importing the Intermediate CA2 in the ISE 'Trusted store' and rolling out to the users via GPO would it suffice...?

2.will it cause any service disruption or restart of the services...?

Can you please suggest the best practices if any..

Re: EAP Authentication Intermediate certificate renewal

Colby LeMaire — Tue, 28 Jul 2020 20:55:31 GMT

Double check your certificate and certificate chain. Your identity certificate should not have an expiration date that is later than your issuing CA certificate. Verify the serial numbers to ensure you are looking at the correct CA certificates.

Just adding a certificate to the trusted store will not cause a restart of services. But if you have to update your identity certificate used for admin, then that would restart the services.

Re: EAP Authentication Intermediate certificate renewal

Srinivasan Nagarajan — Wed, 29 Jul 2020 13:55:05 GMT

Hi Colby,

Thanks for the reply. Our renewal concern is only about the Inter.CA certs not the identity/server cert

We've already an Intermediate certificate which is about to expire (in less than 60days) and what are the procedures to be followed to renew the Intermediate certificate from the same CA without deleting the existing Inter.CA...

If we add the new Inter.CA in the trusted store from the same CA, will it accept when there is already an existing Inter.CA exists on the ISE...

Re: EAP Authentication Intermediate certificate renewal

Colby LeMaire — Wed, 29 Jul 2020 14:42:39 GMT

You can add additional Root/Intermediate CA certificates to the trusted store in ISE and that will not affect ISE at all. If you are correct that the new certificate would have a different expiration date, then it is a totally different Intermediate CA certificate and will add just fine. No services will be restarted.