ISE 2.2 Certificates

The certificates on my ISE servers expire at the end of June. I have two nodes that are doing authentication. The certificates will be used for EAP and wireless. We have a Windows PKI set up and will be getting the certificates from that server.

If my client machines have the Root and Intermediate cert, do they need the cert that is installed on the ISE servers for EAP as well? The current cert doesn't appear on the Windows machines.

1 ACCEPTED SOLUTION

Cisco Employee

Re: ISE 2.2 Certificates

Usually not required. Please check the settings for "[ ] Verify the server's identity by validating the certificate" and "Trusted Root Certificate Authorities" in the EAP properties of the Windows supplicants. They might have been defined and enforced via a GPO. See "Certificate issues with RADIUS connection on W10 clients".

2 REPLIES

VIP Advocate

Re: ISE 2.2 Certificates

Windows and Android can be made to relax the rule to not care about the RADIUS server cert. But just because you can do this doesn't mean it's a good idea. In fact it's a very bad idea. You're allowing someone to perform a man-in-the-middle attack by potentially spoofing the RADIUS server (with the hacker's, since your clients don't care to whom they are connecting). Bad news in my opinion.
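Both replies above come down to one client-side check: whether the Windows supplicant validates the RADIUS server's certificate, against which root CA, and whether it is restricted to the ISE node names. The script below is an added example, not code from this thread or from Cisco. It parses the XML that `netsh wlan export profile` writes on a client (including profiles pushed by GPO) and flags a profile whose validation has been relaxed. It assumes a PEAP profile (EAP type 25); the profile name, server names and root CA thumbprint are constructed placeholders.

```python
"""Audit an exported Windows WLAN profile for PEAP server-validation settings.

Added example for this thread (not Cisco's or the posters' code). It reads the
XML that `netsh wlan export profile name="<profile>" folder=<dir>` writes on a
Windows client and reports the settings behind the supplicant GUI options
"Verify the server's identity by validating the certificate", "Trusted Root
Certification Authorities" and "Don't prompt user to authorize new servers".
Profile names, server names and the thumbprint below are constructed samples.
"""
import xml.etree.ElementTree as ET


def _profile(name, validate, no_prompt, server_names, thumbprint):
    """Build a constructed, minimal PEAP profile in the Windows export layout."""
    names = f"<ServerNames>{server_names}</ServerNames>" if server_names else ""
    ca = f"<TrustedRootCA>{thumbprint}</TrustedRootCA>" if thumbprint else ""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>{str(no_prompt).lower()}</DisableUserPromptForServerValidation>
                {names}{ca}
              </ServerValidation>
              <PeapExtensions>
                <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{str(validate).lower()}</PerformServerValidation>
              </PeapExtensions>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""


# Constructed samples: one profile with validation relaxed (the situation the
# second reply warns about) and one pinned to a placeholder corporate root CA
# thumbprint and restricted to two ISE policy-node names.
WEAK_PROFILE = _profile("Corp-WiFi", validate=False, no_prompt=False,
                        server_names="", thumbprint="")
HARDENED_PROFILE = _profile(
    "Corp-WiFi", validate=True, no_prompt=True,
    server_names="ise-psn1.corp.example;ise-psn2.corp.example",
    thumbprint="00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33")


def _text(root, tag):
    """Text of the first element with this local name, ignoring its namespace."""
    el = root.find(".//{*}" + tag)
    return el.text.strip() if el is not None and el.text else None


def _flag(value):
    return value is not None and value.lower() == "true"


def audit_profile(xml_text):
    """Extract the server-validation settings from one exported profile."""
    root = ET.fromstring(xml_text)
    names = _text(root, "ServerNames") or ""
    # Windows exports the SHA-1 thumbprint as space-separated hex bytes.
    thumbs = [el.text.replace(" ", "").lower()
              for el in root.findall(".//{*}TrustedRootCA") if el.text]
    return {
        "name": _text(root, "name"),
        "eap_type": _text(root, "Type"),  # 25 = PEAP, 13 = EAP-TLS
        "perform_server_validation": _flag(_text(root, "PerformServerValidation")),
        "no_user_prompt": _flag(_text(root, "DisableUserPromptForServerValidation")),
        "server_names": [n for n in names.split(";") if n],
        "trusted_root_thumbprints": thumbs,
    }


def findings(xml_text):
    """Return the list of weaknesses that let a spoofed RADIUS server be accepted."""
    a = audit_profile(xml_text)
    issues = []
    if a["eap_type"] == "25" and not a["perform_server_validation"]:
        issues.append("server certificate validation is disabled: any RADIUS "
                      "server with any certificate is accepted")
    if not a["trusted_root_thumbprints"]:
        issues.append("no trusted root CA pinned: any CA in the machine store "
                      "can issue an acceptable server certificate")
    if not a["server_names"]:
        issues.append("no server name restriction: any certificate from the "
                      "trusted CA is accepted, not just the ISE nodes")
    if not a["no_user_prompt"]:
        issues.append("users may be prompted to accept an unknown server")
    return issues


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, findings(xml) or "OK")
```

To run it against a real client, export the profile with `netsh wlan export profile name="Corp-WiFi" folder=C:\temp` and call `findings(open(r"C:\temp\<exported file>.xml").read())`. A profile that reports no findings is the state the accepted answer asks you to confirm: validation on, the Windows PKI root pinned, and only the ISE node names accepted, so the ISE server certificate itself never needs to be installed on the clients.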