07-19-2019 11:25 AM
We have configured SCEP for AP 2800s. The APs have obtained the correct certificates and CA from CA-1.
The APs now try to authenticate to ISE via EAP-TLS on the wired switchport. The ISE certificate used for this authentication is signed by CA-2.
We're getting an error message that the client (AP) rejected the ISE local certificate.
Usually this means the client (AP) is validating the server (ISE) before EAP-TLS. I believe it is failing due to the AP not having CA-2 installed as trusted. We did a test with the AP and ISE having CA-1 as their CA and everything works fine. Based on this:
1. Is there a way to stop the AP from validating the ISE server as a trusted server when it is configured for LSC?
2. If not, is there a way to import another CA during the SCEP enrollment process? It would receive the CA-1 cert, device cert, and then CA-2 cert?
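An added lab check, not part of the original post and not Cisco tooling: it rebuilds the trust relationship described in the question with throwaway certificates and shows that a verifier holding only CA-1 rejects a server certificate issued by CA-2, and accepts it once CA-2 is in its trust bundle. All CA names, subjects and file names are constructed, and it assumes the `openssl` CLI is installed.

```shell
#!/usr/bin/env bash
# Constructed lab: ca1 issues the AP (client) certificate, ca2 issues the
# ISE (server) certificate. Names and subjects are made up for this example.

make_ca() {        # $1 = CA name; writes $1.key and self-signed $1.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1-lab-root" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_leaf() {     # $1 = leaf name, $2 = issuing CA name; writes $1.pem
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

chains_to() {      # $1 = certificate, $2 = trust bundle; status 0 if trusted
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

build_lab() {      # creates the lab in a temp dir and changes into it
  LAB=$(mktemp -d) && cd "$LAB" || return 1
  make_ca ca1 && make_ca ca2 || return 1
  issue_leaf ap-lsc ca1  || return 1   # what SCEP enrollment gave the AP
  issue_leaf ise-eap ca2 || return 1   # what ISE presents during EAP-TLS
  cat ca1.pem ca2.pem > both.pem       # trust store with both roots
}

build_lab || exit 1
for bundle in ca1.pem both.pem; do
  if chains_to ise-eap.pem "$bundle"; then verdict=accepted; else verdict=rejected; fi
  echo "client trusting $bundle: ISE certificate $verdict"
done
```

The same `openssl verify -CAfile` call can be pointed at the real ISE EAP certificate and the CA certificate the AP received, to confirm whether the chain is the cause before changing configuration.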