ISE 2.2 Certificates

Andy Guley
Level 1

The certificates on my ISE servers expire at the end of June. I have two nodes that are doing authentication. The certificates will be used for EAP and wireless. We have a Windows PKI set up and will be getting the certificates from that server.

If my client machines have the Root and Intermediate cert, do they need the cert that is installed on the ISE servers for EAP as well? The current cert doesn't appear on the Windows machines.

Accepted Solutions

hslai
Cisco Employee

Usually not required. Please check the settings for "[ ] Verify the server's identity by validating the certificate" and "Trusted Root Certificate Authorities" in the EAP properties of the Windows supplicants. They might have been defined and enforced via a GPO. See "Certificate issues with RADIUS connection on W10 clients".

2 Replies

Windows and Android can be made to relax the rule to not care about the RADIUS server cert. But just because you can do this doesn't mean it's a good idea. In fact it's a very bad idea. You're allowing someone to perform a man-in-the-middle attack by potentially spoofing the RADIUS server (with the hacker's, since your clients don't care to whom they are connecting). Bad news in my opinion.
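
An added example, not part of the thread or of any Cisco or Microsoft tooling: a Python audit of the supplicant settings the accepted answer points to, run against a Windows WLAN profile such as one exported with `netsh wlan export profile`. The XML is a constructed, trimmed sample that uses the element names of Microsoft's PEAP profile schema; the profile names, thumbprint and server name are placeholders, and which settings count as findings is this example's assumption.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for a profile exported with
# `netsh wlan export profile`; real exports carry more wrapper elements.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>{name}</name>
 <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
   <DisableUserPromptForServerValidation>{noprompt}</DisableUserPromptForServerValidation>
   <ServerNames>{names}</ServerNames>
   {roots}
  </ServerValidation>
  <PeapExtensions>
   <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
  </PeapExtensions>
 </EapType>
</WLANProfile>"""

# Hypothetical values: placeholder thumbprint and server name.
ROOT = "<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>"
HARDENED = TEMPLATE.format(name="CorpWiFi", noprompt="true",
                           names="ise01.example.com", roots=ROOT, validate="true")
WEAK = TEMPLATE.format(name="CorpWiFi-old", noprompt="false",
                       names="", roots="", validate="false")

def audit_profile(xml_text):
    """Return the server-validation weaknesses found in one profile."""
    values = {}
    for el in ET.fromstring(xml_text).iter():
        # Match on local names so the nested EAP namespaces do not matter.
        key = el.tag.rsplit("}", 1)[-1]
        values.setdefault(key, []).append((el.text or "").strip().lower())
    if "ServerValidation" not in values:
        return ["no EAP ServerValidation settings in profile"]
    findings = []
    if "false" in values.get("PerformServerValidation", []):
        findings.append("server certificate validation is turned off")
    if not any(values.get("TrustedRootCA", [])):
        findings.append("no trusted root CA selected")
    if not any(values.get("ServerNames", [])):
        findings.append("no RADIUS server name restriction")
    if "false" in values.get("DisableUserPromptForServerValidation", []):
        findings.append("user may be prompted to trust an unknown server")
    return findings

if __name__ == "__main__":
    for label, xml_text in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_profile(xml_text) or "ok")
```

A profile that pins the issuing root and a server name passes even though the ISE node's own certificate is absent from the client, which matches the "usually not required" answer above.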
