EAP-TLS for two endpoints using internal Certificates signed by different CAs

MohaLeen1
Level 1

A client has an existing ISE 2.4 setup doing Cert Auth for Windows 7 machines using SSID-A; this is currently working fine. They are in the process of migrating to Windows 10, where they have built a new internal CA.

Initial thought on migration is to:
1. Install the new root CA in the Trusted CA Certificate store on ISE
2. Generate and install a signed CA certificate for ISE and assign it for EAP Auth
3. Amend policies to accept clients authenticating using the new cert
4. Test connectivity on the same SSID-A using a Windows 10 machine


All this needs to be done without affecting the existing Windows 7 setup. I assumed this would be straightforward. However, after reading a few posts on the community I am getting conflicting information, where some have suggested that this isn't possible/supported by ISE:

https://community.cisco.com/t5/identity-services-engine-ise/ise-two-end-user-certificates/td-p/3529859
https://community.cisco.com/t5/identity-services-engine-ise/different-certs-used-for-eap-on-endpoint-attached-to-switch-port/m-p/3759766#M21467
https://community.cisco.com/t5/policy-and-access/eap-tls-for-two-domains-on-cisco-ise/td-p/3315813


I would like to get a definitive answer on the feasibility or lack thereof. A technical explanation of why would be a bonus; if it's not possible, is there a plan to support this in any future release?

Many thanks

Accepted Solution

Greg Gibbs
Cisco Employee

As stated in the other posts, an ISE PSN can only have one identity certificate bound to the EAP function. If you were to create a CSR signed by your new CA and bind it to the EAP function on the PSN, it would replace the old certificate for EAP.

That said, what you are trying to accomplish is still possible. EAP-TLS requires mutual authentication of both the client and server, so the client has to trust the cert presented by the server (ISE) and the server has to trust the cert presented by the client.

As long as the trust chains (Root and Intermediate CA certificates) used for both the Windows 7 and 10 client certificates are in the ISE Trusted Certificates store, ISE should trust both client certificates. You typically would not need to change any AuthC/AuthZ policies in ISE as long as your Certificate Auth Profile captures the correct Subject attribute for identity (Common Name, Subject Alt Name, etc.) and you're not using an attribute in the current client certificate as a matching condition (Issuing CA, etc.) for some specific reason.

Prior to changing the ISE EAP certificate, however, you would want to ensure that you install the new CA trust chain in all of your Windows 7 PCs via GPO to ensure that they will trust the new EAP certificate that will be presented by the server after the change.


Cheers,

Greg
