
Cisco AP 802.1x EAP-TLS/LSC/SCEP enrollment with multiple CAs and ISE

j.ridgers
Level 1

We have configured SCEP for AP 2800s. The APs have obtained the correct certificates and CA from CA-1.

The APs now try to authenticate to ISE via EAP-TLS on the wired switchport. The ISE certificate used for this authentication is signed by CA-2.

We're getting an error message that the client (AP) rejected the ISE local certificate.

Usually this means the client (AP) is validating the server (ISE) before EAP-TLS. I believe it is failing due to the AP not having CA-2 installed as trusted. We did a test with the AP and ISE having CA-1 as their CA and everything works fine. Based on this:

1. Is there a way to stop the AP from validating the ISE server as a trusted server when it is configured for LSC?

2. If not, is there a way to import another CA during the SCEP enrollment process? It would receive the CA-1 cert, device cert, and then CA-2 cert?

Accepted Solutions

Surendra
Cisco Employee
Point 1 is not an option in EAP-TLS.
Point 2: Check this out: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-2/config-guide/b_cg82/b_cg82_chapter_01001.html#ID1808 . If this does not help, please post this request in the wireless forum.


Jason Kunst
Cisco Employee
Does ISE have the trusted chain of the AP cert installed in its trusted certificates store?

Otherwise, it might be best to ask the wireless forum.
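
The two trust checks raised in this thread (the AP validating the ISE certificate, and ISE validating the AP certificate) can be reproduced offline with a throwaway OpenSSL lab. This is an added example, not part of the original posts and not Cisco tooling; the `openssl` CLI stands in for the AP's and ISE's validators, and the subjects `ap-2800` and `ise-eap` and all file names are constructed.

```shell
#!/bin/sh
# Constructed lab PKI: CA-1 issues the AP certificate, CA-2 issues the ISE
# certificate, as in the thread. Subjects and file names are made-up test values.
set -u
LAB=$(mktemp -d)

make_ca() {  # make_ca <name>: self-signed root CA written to $LAB/<name>.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}

issue() {    # issue <ca> <leaf>: certificate for <leaf> signed by <ca>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$LAB/$2.key" -out "$LAB/$2.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/$2.csr" -CA "$LAB/$1.pem" -CAkey "$LAB/$1.key" \
    -CAcreateserial -days 1 -out "$LAB/$2.pem" 2>/dev/null
}

trusts() {   # trusts <trust-store.pem> <cert.pem>: exit 0 only if the chain validates
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {   # report <label> <trust-store> <cert>: print the validation outcome
  if trusts "$LAB/$2" "$LAB/$3"; then echo "$1: accepted"; else echo "$1: REJECTED"; fi
}

make_ca CA-1
make_ca CA-2
issue CA-1 ap-2800   # stands in for the LSC the AP obtained through SCEP
issue CA-2 ise-eap   # stands in for the ISE EAP certificate

cp "$LAB/CA-1.pem" "$LAB/ap-trust.pem"                          # AP trusts CA-1 only
cat "$LAB/CA-1.pem" "$LAB/CA-2.pem" > "$LAB/ap-trust-both.pem"  # AP trust with CA-2 added
cp "$LAB/CA-1.pem" "$LAB/ise-trust.pem"                         # ISE trusts the AP's issuer

report "AP (CA-1 only) checks ISE cert" ap-trust.pem ise-eap.pem
report "AP (CA-1 + CA-2) checks ISE cert" ap-trust-both.pem ise-eap.pem
report "ISE (CA-1) checks AP cert" ise-trust.pem ap-2800.pem
```

The first check is rejected and the other two are accepted, which matches the behaviour described in the question: each side needs the other side's issuing CA in its own trust store.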
