topic ISE multiple EAP certificates support in Network Access Control

ISE multiple EAP certificates support

SMD28316 — Thu, 18 Nov 2021 12:43:10 GMT

Can I have different policies point to different certificates for authentication with EAP? when I try to create a different EAP certificate I get a message saying that the already available EAP certificate will be replaced.

If this is not supported are there any plans to support this?

Re: ISE multiple EAP certificates support

balaji.bandi — Thu, 18 Nov 2021 18:06:21 GMT

I do not belive single ISE can have 2 Certs same time.

Re: ISE multiple EAP certificates support

thomas — Tue, 30 Nov 2021 22:56:35 GMT

Only one ISE server certificate is supported for all EAP-based authentications currently.

ISE can authenticate endpoint certificates from different CAs using Certificate Profiles.

Re: ISE multiple EAP certificates support

cklam — Fri, 11 Nov 2022 20:49:21 GMT

If you have a ISE cluster, can Node 1 use CA/Cert 1 for EAP and Node 2 use CA/Cert 2 for EAP? Reason: Our current CA is expiring and we want to gently migrate to a new CA. If we can have both CAs and certs active, we run in parallel until the CA expires.

Re: ISE multiple EAP certificates support

Rob Ingram — Fri, 11 Nov 2022 21:22:57 GMT

@cklam that doesn't sound practical, the authentication request could go to either PSN - so therefore the client must trust both CAs that sign the respective EAP Cert, otherwise it would error.

Re: ISE multiple EAP certificates support

cklam — Fri, 11 Nov 2022 22:00:10 GMT

Our supplicant (cat/eduroam) can offer both CAs. So, the client will be trusting both. I am concerned that we would see fails as clients try one ISE server fail and then move to the next one which contains the winning CA/cert. If we cannot do this, then we can test on a staging server and then do a hard cutover when the original CA expires.

Re: ISE multiple EAP certificates support

Rob Ingram — Fri, 11 Nov 2022 22:07:29 GMT

@cklam the client authentication request is sent to one server, it won't move to the next if the authentication request was denied on the first. If the client supplicant trusts both CA's then there shouldn't be a problem to cutover the EAP certs on all PSNs to the new CA.

Re: ISE multiple EAP certificates support

Fan2023 — Mon, 23 Oct 2023 14:44:41 GMT

Hi Thomas, do you mind pointing me to some official Cisco documents on how to do this "ISE can authenticate endpoint certificates from different CAs using Certificate Profiles"? I was planning on migrating from one internal CA to another and would like our ISE to be able to authenticate endpoint certificates from the two CAs at the same time during the migration, but I was told this was not supported. Thank you very much for your time.