https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls-remove-rootca-from-server-validation-chain/m-p/4583918#M573814 <P>I got it. The problem is that even fragmented the device can´t handle the whole chain due lack of memory. Well, as asked a freind who is ISE expert and he told me not be possible.&nbsp; ISE will send the full chain.</P><P>&nbsp;</P> Fri, 01 Apr 2022 14:42:24 GMT Flavio Miranda 2022-04-01T14:42:24Z https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls-remove-rootca-from-server-validation-chain/m-p/4583864#M573809 <P>Hello experts,</P><P>&nbsp;</P><P>is there a possibility to influence the length/number of certificates for server validation in Cisco-ISE?</P><P>My tests with Cisco-ISE ver 2.7 and 3.1 have shown that Cisco-ISE always sends out the full chain of trust in the TLS "Hello Server" message&nbsp;to the supplicant for EAP-TLS authentication.</P><P>I.e. in only one TLS message everything is transferred from RootCA to server certificate.</P><P>&nbsp;</P><P>In a concrete scenario, this message is 9199 Bytes long and is unfortunately a bit too long for an IoT radio modul.</P><P>&nbsp;</P><P>Is there a way to instruct Cisco-ISE to send a shortened chain for server validation for certain supplicants, without RootCA (and IntermediateCA) certificate for example?</P><P>The IoT Radio module has a copy of the server RootCA (and IntermediateCA) certificate in its memory anyway for validation purposes.&nbsp;</P><P>&nbsp;</P><P>Unfortunately, I cannot change anything in the existing PKI.</P><P>&nbsp;</P><P>Thanks in advance</P><P>&nbsp;</P> Fri, 01 Apr 2022 14:15:14 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls-remove-rootca-from-server-validation-chain/m-p/4583864#M573809 Malex 2022-04-01T14:15:14Z https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls-remove-rootca-from-server-validation-chain/m-p/4583872#M573810 <P>Not a ISE expert here but from the network point of view this should not be a problem. unless you are allowing jumbo frame, there might be fragmentation.</P> Fri, 01 Apr 2022 13:47:43 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls-remove-rootca-from-server-validation-chain/m-p/4583872#M573810 Flavio Miranda 2022-04-01T13:47:43Z https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls-remove-rootca-from-server-validation-chain/m-p/4583888#M573811 <P>Thank you Flavio.</P><P>&nbsp;</P><P>On the network level everything works, as screenshort in the attachment shows (logged in with IPhone).</P><P>The problem is that IoT radio module has too small rx buffer to load the whole "hello server" message in one piece.</P><P>I need to find a way to shorten "hello server" message.</P> Fri, 01 Apr 2022 14:08:27 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls-remove-rootca-from-server-validation-chain/m-p/4583888#M573811 Malex 2022-04-01T14:08:27Z https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls-remove-rootca-from-server-validation-chain/m-p/4583918#M573814 <P>I got it. The problem is that even fragmented the device can´t handle the whole chain due lack of memory. Well, as asked a freind who is ISE expert and he told me not be possible.&nbsp; ISE will send the full chain.</P><P>&nbsp;</P> Fri, 01 Apr 2022 14:42:24 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-eap-tls-remove-rootca-from-server-validation-chain/m-p/4583918#M573814 Flavio Miranda 2022-04-01T14:42:24Z