ISE 2.3 and certificate chain for EAP-TLS service

Laurent Aubert
Cisco Employee

Hi,

Is there a way to configure ISE not to send the full certificate chain during the Server Hello phase?

My supplicant is a sensor with very limited memory and can't store a full certificate chain.

Thanks.

7 Replies

hslai
Cisco Employee

I would suggest using a self-signed certificate for EAP, then.

Hi,

Unfortunately, this is not an acceptable solution. The same Root CA will also issue the certificates for the endpoints.

Are you saying there is no way to change this behavior?

Thanks,

EAP clients and servers need not use the same certificate chains. We only need clients and servers to trust each other's certificates.

If the ISE server certificates use different chains for admin HTTPS, end-user-facing portal HTTPS, and EAP, then you might be able to do it by not including the rest of the EAP certificate chain in the ISE trusted certificates store; that is, ISE would not send the full chain if it is unable to build it.

If I use an Intermediate CA to issue the certs for my clients, do I need to import both the intermediate and the root CA in ISE, or just the Intermediate CA?

As the ISE certificate was issued by the Root, I can't import it, so ISE will only send its certificate to the client.

Also, could you confirm if there is a way to prevent ISE from sending the full chain of trust if it is available? For instance, on FreeRADIUS you can use the SSL_MODE_NO_AUTO_CHAIN option.


Thanks

FreeRADIUS got support for SSL_MODE_NO_AUTO_CHAIN via a community contribution.

If the clients are sending the full chain, then ISE needs the knowledge of the root CA to authenticate them. If the clients are sending only their end-entity certificates alone, then ISE needs the rest of the chain imported to verify the client certificates.
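As an added illustration of the chain-building logic described in the replies above (this is a model written for this thread, not ISE's or FreeRADIUS's own code), the Python script below, using the `cryptography` package, constructs a Root CA -> Issuing CA -> leaf PKI and shows two things: a sensor that sends only its end-entity certificate can be verified only when both the intermediate and the root are in the server's store, and a server that cannot build its own chain from the store, or that has auto-chaining disabled (the SSL_MODE_NO_AUTO_CHAIN behaviour), presents only its own certificate. The certificate names and the `auto_chain` flag are assumptions made for the example.

```python
# Added model (not ISE or FreeRADIUS code); every certificate below is constructed.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

def make_cert(cn, signer_cert, signer_key, key, is_ca):
    """Issue a short-lived test certificate; signer_cert=None yields a self-signed root."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = subject if signer_cert is None else signer_cert.subject
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

def signed_by(cert, issuer):
    """True if 'issuer' both names and cryptographically signed 'cert' (ECDSA keys here)."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def build_chain(leaf, store):
    """Walk leaf -> ... -> self-signed root using only certs in 'store'; None if a link is missing."""
    chain, cur = [leaf], leaf
    while not signed_by(cur, cur):                       # stop at a self-signed root
        cur = next((c for c in store if signed_by(cur, c)), None)
        if cur is None:
            return None                                  # store cannot complete the chain
        chain.append(cur)
    return chain

def server_hello_certs(server_cert, store, auto_chain=True):
    """Certs the server presents: its own, plus the rest of the chain only when auto-chaining
    is on (auto_chain=False models SSL_MODE_NO_AUTO_CHAIN) and the store lets it build one."""
    chain = build_chain(server_cert, store) if auto_chain else None
    return chain or [server_cert]

# Constructed PKI: Root CA -> Issuing CA -> server cert and one sensor (client) cert
root_key, int_key, srv_key, cli_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
ROOT = make_cert("Example Root CA", None, root_key, root_key, True)
INTER = make_cert("Example Issuing CA", ROOT, root_key, int_key, True)
SERVER = make_cert("ise.example.test", INTER, int_key, srv_key, False)
CLIENT = make_cert("sensor-0001", INTER, int_key, cli_key, False)
```

With the intermediate and root both in the store the client's leaf verifies and the server would present a three-certificate chain; remove either CA, or turn auto-chaining off, and only the end-entity certificate goes out.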

Hi

I understand all of this. My question is: if both ISE and the client share the same root CA, I must import it so ISE can authenticate the client, which sends only its identity certificate. Can I also configure ISE at the same time not to send the root CA certificate during the server hello phase?

Like I said in my previous post, there is an option in FreeRADIUS to do it, so I'm looking for a similar knob in ISE.

Thanks for your support.


We will discuss this further offline.