Beginner

Cisco AP 802.1x EAP-TLS/LSC/SCEP enrollment with multiple CAs and ISE

We have configured SCEP for AP 2800s. The APs have obtained the correct certificates and CA from CA-1.

The APs now try to authenticate to ISE via EAP-TLS on the wired switchport. The ISE certificate used for this authentication is signed by CA-2.

We're getting an error message that the client (AP) rejected the ISE local certificate.

Usually this means the client (AP) is validating the server (ISE) before EAP-TLS. I believe it is failing due to the AP not having CA-2 installed as trusted. We did a test with the AP and ISE having CA-1 as their CA and everything works fine. Based on this:

1. Is there a way to stop the AP from validating the ISE server as a trusted server when it is configured for LSC?

2. If not, is there a way to import another CA during the SCEP enrollment process? It would receive the CA-1 cert, device cert, and then CA-2 cert?

Accepted Solutions
Cisco Employee

Re: Cisco AP 802.1x EAP-TLS/LSC/SCEP enrollment with multiple CAs and ISE

Point 1 is not an option in EAP-TLS.
Point 2: check this out: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-2/config-guide/b_cg82/b_cg82_chapter_01001.html#ID1808. If this does not help, please post this request in the wireless forum.
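An added lab reproduction of the trust check behind this thread (not code from the thread or from Cisco): two independent CAs are created with the openssl CLI, an "ISE" EAP certificate is issued by CA-2 and an "AP" LSC by CA-1, and the ISE certificate is then verified against an AP trust store holding CA-1 only versus one holding both CAs. The CA names, subject names and file paths are assumptions; it assumes an openssl binary with its default config is installed.

```shell
#!/bin/sh
# Constructed lab reproduction, not code from the thread: two independent CAs,
# an "ISE" EAP certificate issued by CA-2, an "AP" LSC issued by CA-1, and two
# candidate AP trust stores. All file names and subject names are assumptions.
set -e
WORK="$(mktemp -d)"

# Self-signed root for a CA (openssl's default req config marks it CA:TRUE).
mkca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue an end-entity certificate from one of the CAs.
issue() {  # $1 = subject CN, $2 = issuing CA name, $3 = output basename
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/$3.pem" 2>/dev/null
}

# The check the AP performs on the ISE server certificate during EAP-TLS:
# does ise.pem chain to a CA in the given trust store? (exit 0 = trusted)
ap_trusts_ise() {  # $1 = trust-store PEM file
  openssl verify -CAfile "$1" "$WORK/ise.pem" >/dev/null 2>&1
}

# Which CA signed the ISE certificate: the first thing to confirm when debugging.
ise_issuer() {
  openssl x509 -in "$WORK/ise.pem" -noout -issuer
}

report() {  # $1 = label, $2 = trust-store file
  if ap_trusts_ise "$2"; then echo "$1: ISE certificate trusted"
  else echo "$1: ISE certificate rejected (client rejected server certificate)"; fi
}

mkca CA-1
mkca CA-2
issue ise.example.invalid CA-2 ise   # ISE EAP certificate, signed by CA-2
issue ap-2800 CA-1 ap                # AP LSC obtained via SCEP, signed by CA-1

# Trust store the AP holds right after SCEP enrollment: CA-1 only.
cp "$WORK/CA-1.pem" "$WORK/ap-trust-ca1-only.pem"
# Trust store once CA-2 has also been imported (the question's point 2).
cat "$WORK/CA-1.pem" "$WORK/CA-2.pem" > "$WORK/ap-trust-both.pem"

report "AP trusts CA-1 only" "$WORK/ap-trust-ca1-only.pem"
report "AP trusts CA-1 and CA-2" "$WORK/ap-trust-both.pem"
```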
Cisco Employee

Re: Cisco AP 802.1x EAP-TLS/LSC/SCEP enrollment with multiple CAs and ISE

Does ISE have the trusted chain of the AP cert installed in its trusted certificates store?

Otherwise it might be best to ask the wireless forum.