Import EAP-cert in Cisco ISE 3.3

trondaker — Sun, 16 Feb 2025 14:00:13 GMT

Hi,

Getting a weird error in ISE 3.3 when importing the signed cert from our old deployment that we use for EAP. The import worked fine on the first node, but the cert did not show up on the other nodes (signed cert for guest automatically imported to all nodes). When i try to import for node 2, i get the following error:

ISE cannot import a local certificate with the same Issuer CN and serial number as an existing certificate, yet the Issuers of the two certificates differ.

This is exactly the same cert that worked on node 1, so why does it say that the Issuers differ?

Re: Import EAP-cert in Cisco ISE 3.3

Arne Bier — Sun, 16 Feb 2025 20:35:06 GMT

That does sound odd. The same EAP System Cert should be importable on multiple nodes, from what I recall. I tend to create a unique cert per node, and ensure there is no wildcard either in the Subject or SAN.

Usually ISE is quite reliable with regards to cert management. Have you examined the certs with openssl and looked closely at the Serial number and Issuer details? Perhaps there is a clash:

openssl x509 -in <certname.pem> -text

topic Re: Import EAP-cert in Cisco ISE 3.3 in Network Access Control

Import EAP-cert in Cisco ISE 3.3

Re: Import EAP-cert in Cisco ISE 3.3