02-07-2018 06:34 AM
Hi,
Is there a way to configure ISE not to send the full certificate chain during the Server Hello phase?
My supplicant is a sensor with very limited memory and can't store a full certificate chain.
Thanks.
02-08-2018 08:54 AM
I would suggest to use a self-signed certificate for EAP, then.
02-08-2018 09:03 AM
Hi,
Unfortunately, this is not an acceptable solution. The same Root CA will also issue the certificates for the endpoints.
Are you saying there is no way to change this behavior?
Thanks,
02-08-2018 09:15 AM
EAP clients and servers need not use the same certificate chains. We only need clients and servers to trust each other's certificates.
If the ISE server certificates use different chains for admin HTTPS, end-user-facing portal HTTPS, and EAP, then you might be able to do it by not including the rest of the EAP certificate chain in the ISE trusted certificates store; that is, ISE would not send the full chain if it is unable to build it.
02-09-2018 01:19 PM
If I use an Intermediate CA to issue the certs for my clients, do I need to import both the intermediate and the root CA in ISE or just the Intermediate CA?
As the ISE certificate was issued by the Root, I can't import it, so ISE will only send its certificate to the client.
Also, could you confirm if there is a way to prevent ISE from sending the full chain of trust if it is available? For instance, on FreeRADIUS you can use the SSL_MODE_NO_AUTO_CHAIN option.
Thanks
02-10-2018 12:20 AM
FreeRADIUS got support for SSL_MODE_NO_AUTO_CHAIN via a community contribution.
If the clients are sending the full chain, then ISE needs the knowledge of the root CA to authenticate them. If the clients are sending only their end-entity certificates alone, then ISE needs the rest of the chain imported to verify the client certificates.
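An added example, not from this thread and not ISE or FreeRADIUS code, of the rule stated in the last two replies: whoever receives only the peer's end-entity certificate must hold the rest of the chain locally to verify it. The root/intermediate/leaf PKI and the names in it are constructed for the demo; Go's crypto/x509 does the chain building.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a constructed demo certificate for cn signed by parent/pkey (self-signed when parent is nil).
func issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey, serial int64) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifies models the receiving side of EAP-TLS (the sensor checking ISE, or ISE checking the sensor):
// sent is the peer's Certificate message, leaf first, exactly as put on the wire; anchors are the
// verifier's trusted roots; stored are extra CA certificates it keeps locally (e.g. the intermediate).
func verifies(sent, anchors, stored []*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range append(stored[:len(stored):len(stored)], sent[1:]...) { // copy; never writes into stored
		inters.AddCert(c)
	}
	_, err := sent[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// demoChain issues root -> intermediate -> leaf, the shape of the ISE server certificate in the thread.
func demoChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("demo-root-ca", true, nil, nil, 1)
	inter, interKey := issue("demo-intermediate-ca", true, root, rootKey, 2)
	leaf, _ := issue("ise.example", false, inter, interKey, 3)
	return root, inter, leaf
}
```

With only the leaf on the wire, verification fails when the receiver stores just the root and succeeds once it also stores the intermediate; the same call models ISE checking a sensor that sends only its identity certificate.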
02-10-2018 06:07 AM
Hi
I understand all of this. My question is: if both ISE and the client share the same root CA, I must import it so ISE can authenticate the client, which sends only its identity certificate. Can I also configure ISE at the same time not to send the root CA certificate during the server hello phase?
Like I said in my previous post, there is an option in FreeRADIUS to do it, so I'm looking for a similar knob in ISE.
Thanks for your support.
Sent from my iPhone
02-11-2018 07:12 PM
We will discuss this further offline.