07-19-2019 11:25 AM
We have configured SCEP for AP 2800s. The APs have obtained the correct certificates and CA from CA-1.
The APs now try to authenticate to ISE via EAP-TLS on the wired switchport. The ISE certificate used for this authentication is signed by CA-2.
We're getting an error message that the client (AP) rejected the ISE local certificate.
Usually this means the client (AP) is validating the server (ISE) before EAP-TLS. I believe it is failing due to the AP not having CA-2 installed as trusted. We did a test with the AP and ISE having CA-1 as their CA and everything works fine. Based on this:
1. Is there a way to disable the AP's validation of the ISE server as a trusted server when it is configured for LSC?
2. If not, is there a way to import another CA during the SCEP enrollment process? It would receive the CA-1 cert, device cert, and then CA-2 cert?