Cisco Employee

ISE 2.3 and certificate chain for EAP-TLS service

Hi,

Is there a way to configure ISE not to send the full certificate chain during the Server Hello phase?

My supplicant is a sensor with very limited memory and can't store a full certificate chain.

Thanks.

7 REPLIES
Cisco Employee

Re: ISE 2.3 and certificate chain for EAP-TLS service

I would suggest to use a self-signed certificate for EAP, then.

Cisco Employee

Re: ISE 2.3 and certificate chain for EAP-TLS service

Hi,

Unfortunately, this is not an acceptable solution. The same Root CA will also issue the certificates for the endpoints.

Are you saying there is no way to change this behavior?

Thanks,

Cisco Employee

Re: ISE 2.3 and certificate chain for EAP-TLS service

EAP clients and servers need not use the same certificate chains. We only need clients and servers to trust each other's certificates.

If the ISE server certificates use different chains for admin HTTPS, end-user-facing portal HTTPS, and EAP, then you might be able to do it by not including the rest of the EAP certificate chain in the ISE trusted certificates store; that is, ISE would not send the full chain if it is unable to build it.

Cisco Employee

Re: ISE 2.3 and certificate chain for EAP-TLS service

If I use an intermediate CA to issue the certs for my clients, do I need to import both the intermediate and the root CA into ISE, or just the intermediate CA?

As the ISE certificate was issued by the root, I can't import it, so ISE will only send its certificate to the client.

Also, could you confirm whether there is a way to prevent ISE from sending the full chain of trust if it is available? For instance, on FreeRADIUS you can use the SSL_MODE_NO_AUTO_CHAIN option.


Thanks

Cisco Employee

Re: ISE 2.3 and certificate chain for EAP-TLS service

FreeRADIUS got support for SSL_MODE_NO_AUTO_CHAIN via a community contribution.

If the clients are sending the full chain, then ISE needs knowledge of the root CA to authenticate them. If the clients are sending only their end-entity certificates, then ISE needs the rest of the chain imported to verify the client certificates.

Cisco Employee

Re: ISE 2.3 and certificate chain for EAP-TLS service

Hi

I understand all of this. My question is: if both ISE and the client are sharing the same root CA, I must import it so ISE can authenticate the client, which sends only its identity certificate. Can I also configure ISE at the same time not to send the root CA certificate during the Server Hello phase?

Like I said in my previous post, there is an option in FreeRADIUS to do it, so I'm looking for a similar knob in ISE.

Thanks for your support.


Cisco Employee

Re: ISE 2.3 and certificate chain for EAP-TLS service

We will discuss this further offline.