https://community.cisco.com/t5/network-access-control/remove-eap-from-ise-server-certificate/m-p/2289842#M97028 <HTML><HEAD></HEAD><BODY><P>Explain the issue in more detail. Are you trying to use Guest or 802.1x. THere are many authentication protocols that you could use for EAP. TLS and PEAP require the use the the cert. What you trying to accomplish and what are the issues?</P><P></P><P></P><P>Jim Thomas <BR />Cisco Security Course Director <BR />Global Knowledge <BR />CCIE Security #16674</P></BODY></HTML> Thu, 17 Oct 2013 19:25:56 GMT Jim Thomas 2013-10-17T19:25:56Z https://community.cisco.com/t5/network-access-control/remove-eap-from-ise-server-certificate/m-p/2289840#M97017 <P>I've installed GoDaddy server certificates on all my ISE 1.1.1 nodes, but clients are still getting error and accepting certificates.&nbsp; I would like to just remove EAP from the certificate and not use any certificate for EAP.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Mon, 11 Mar 2019 04:00:22 GMT https://community.cisco.com/t5/network-access-control/remove-eap-from-ise-server-certificate/m-p/2289840#M97017 rdotson 2019-03-11T04:00:22Z https://community.cisco.com/t5/network-access-control/remove-eap-from-ise-server-certificate/m-p/2289841#M97023 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I'm pretty sure that you have to use a certificate for EAP whether it is a self-signed one or an internal CA or 3rd party certificate, but I could be wrong.&nbsp; To remove using EAP from your GoDaddy Certificate simply edit another certificate and check the box for EAP.&nbsp; The application server will restart and the new certificate will now be used for EAP.</P><P></P><P></P><P>If you get an error on Microsoft PCs saying somthing about the server not being a trusted NPS server then you can try adding the GoDaddy root certificate to your internal PKI NTAuth store. See this article:&nbsp; </P><P><A class="jive-link-external-small" href="http://support.microsoft.com/kb/2518158?wa=wsignin1.0" rel="nofollow">http://support.microsoft.com/kb/2518158?wa=wsignin1.0</A></P></BODY></HTML> Thu, 17 Oct 2013 19:23:59 GMT https://community.cisco.com/t5/network-access-control/remove-eap-from-ise-server-certificate/m-p/2289841#M97023 jj27 2013-10-17T19:23:59Z https://community.cisco.com/t5/network-access-control/remove-eap-from-ise-server-certificate/m-p/2289842#M97028 <HTML><HEAD></HEAD><BODY><P>Explain the issue in more detail. Are you trying to use Guest or 802.1x. THere are many authentication protocols that you could use for EAP. TLS and PEAP require the use the the cert. What you trying to accomplish and what are the issues?</P><P></P><P></P><P>Jim Thomas <BR />Cisco Security Course Director <BR />Global Knowledge <BR />CCIE Security #16674</P></BODY></HTML> Thu, 17 Oct 2013 19:25:56 GMT https://community.cisco.com/t5/network-access-control/remove-eap-from-ise-server-certificate/m-p/2289842#M97028 Jim Thomas 2013-10-17T19:25:56Z https://community.cisco.com/t5/network-access-control/remove-eap-from-ise-server-certificate/m-p/2289843#M97038 <HTML><HEAD></HEAD><BODY><P> thank you for your answers.&nbsp; The issue was caused more by not having the root certificate from GoDaddy in the Certificate Store.&nbsp; I was able to move EAP to another self signed certificate like you suggested though.&nbsp;&nbsp; A call to TAC confirmed it all.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 17 Oct 2013 20:44:48 GMT https://community.cisco.com/t5/network-access-control/remove-eap-from-ise-server-certificate/m-p/2289843#M97038 rdotson 2013-10-17T20:44:48Z https://community.cisco.com/t5/network-access-control/remove-eap-from-ise-server-certificate/m-p/2289844#M97078 <HTML><HEAD></HEAD><BODY><P>so yes if you have "validate server certificate" option checked on your end clients then in order to authenticate with peap you should have the complete certificate chain installed on the end client under certificate store. With this option unchecked you can still authenticate without root/intermediate but that would not be a secure connection.</P><P></P><P>Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS</P><P><A class="jive-link-external-small" href="http://support.microsoft.com/kb/814394">http://support.microsoft.com/kb/814394</A></P><P></P><P>My 2 cents <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Fri, 18 Oct 2013 09:05:28 GMT https://community.cisco.com/t5/network-access-control/remove-eap-from-ise-server-certificate/m-p/2289844#M97078 Jatin Katyal 2013-10-18T09:05:28Z