Cisco Employee

Combining or chaining root and intermediate certs in ISE

Hello,

We have a customer having issues with endpoints that do not have the intermediate or root certs downloaded previously on their system. This prevents their access because they cannot build the chain to the root to say that the domain's guest portal cert is valid.

Some other NAC solutions allow the chaining of multiple certificate public keys in the same file, not sure if that is doable in ISE?

Thank you!

Accepted Solutions
Cisco Employee

Re: Combining or chaining root and intermediate certs in ISE

For ISE, we usually import first the root CA certificate into the Trusted Certificates store, followed by any intermediate CA certificates into the same store, and finally import the portal certificate as a system certificate and designate it with a portal tag. This way ISE should be able to build and send the full chain to the endpoints.

If root or intermediate CA certificates are imported after the system certificate, then the ISE services need a restart for ISE to send the full chain.

If it does not work as above, please engage TAC to troubleshoot.
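The procedure in the accepted solution (root and intermediates in the trusted store, the portal certificate as a system certificate, ISE then presenting the full chain) and the question's point about bundling several certificates in one file come down to the same requirement: a client that holds only the root must receive the intermediate from the server, or it cannot validate the portal certificate. The script below is an added example, not code from this thread or from Cisco ISE. It builds a throwaway three-tier PKI with openssl (all names and the extension profiles are constructed for the example), concatenates leaf and intermediate the way a server-side chain bundle would, and uses `openssl verify` to reproduce the failure the customer describes (root only, no intermediate) beside the working case.

```shell
#!/bin/sh
# Added example (not from the thread or from ISE): demonstrate why a client that
# trusts only the root CA fails to validate a portal certificate unless the
# server also presents the intermediate, and what a correct bundle looks like.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extension profiles for the three tiers (constructed for this example).
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:guest.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Root CA (self-signed): the trust anchor the endpoint is assumed to hold.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 30 -config ext.cnf -extensions v3_ca 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" -config ext.cnf 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile ext.cnf -extensions v3_int 2>/dev/null

# Portal (leaf) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=guest.example.test" -config ext.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile ext.cnf -extensions v3_leaf 2>/dev/null

# What the server should present to clients: leaf first, then intermediate(s).
# The root itself need not be sent; clients must already trust it.
cat leaf.pem int.pem > portal-chain.pem

# Validate a leaf against the root trust anchor, optionally with the extra
# untrusted certificates a client would receive from the server during the
# TLS handshake. Returns 0 when openssl verify succeeds, 1 otherwise.
verify_leaf() {
    leaf="$1"; untrusted="${2:-}"
    if [ -n "$untrusted" ]; then
        if openssl verify -CAfile root.pem -untrusted "$untrusted" "$leaf" >/dev/null 2>&1; then
            return 0
        fi
    else
        if openssl verify -CAfile root.pem "$leaf" >/dev/null 2>&1; then
            return 0
        fi
    fi
    return 1
}

# Number of certificates in a PEM bundle.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Print subject/issuer of each certificate in a bundle in presented order, so you
# can check that every issuer matches the next subject. The same view of a live
# portal comes from: openssl s_client -connect <portal>:<port> -showcerts
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

if verify_leaf leaf.pem; then
    echo "unexpected: leaf validated without the intermediate"
else
    echo "root only, no intermediate presented: validation FAILS (the customer's symptom)"
fi
if verify_leaf leaf.pem portal-chain.pem; then
    echo "server bundle (leaf + intermediate) presented: validation OK"
fi
echo "bundle contains $(cert_count portal-chain.pem) certificates:"
show_chain portal-chain.pem
```

Run it with no arguments; it works in a fresh temporary directory. `openssl verify -CAfile root.pem leaf.pem` reports "unable to get local issuer certificate", which is exactly what an endpoint without the intermediate experiences, while supplying the bundle through `-untrusted` succeeds. After importing the CA certificates and tagging the portal certificate in ISE, the `s_client -showcerts` check named in the comments is the quickest way to confirm the portal now sends the intermediate.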
