hslai,

Thanks for responding. I know about the option in Windows OS, but wouldn't that have to be the PSN FQDN (hostname) or IP addresses and not the SAN such ise1-aaa.company.com? Would I have to specify radius server names or won't it work without specifying any names?

To paint the picture clearer, I have the following setup and requirements:

1. Internal Domain - xyz.local

2. Company domain - company.com

3. Internal Root CA available for only xyz.local but not for company.com.

4. Use Public CA for EAP and Portal Service (Posture only). The Public cert would be Single UC-Multi-Domain

5. Use Internal CA for Admin only - Eth0. Each ISE node would have its Admin Cert

6. Eth1 for others - EAP and Posture

7. There is split-DNS for company.com

My thought process is follows:

1. Setup ISE cluster with company.com domain hostnames

2. Generate Admin CSR with CN as ise.company.com but put SANs as  ise.xyz.local and also ise.company.com

3. Generate Single cert on any ISE node and sign with public CA with multiple SANs pan1.company.com, psn1.company.com and import into all ISE nodes with private key.

4. Eth0 would be for Admin and Eth1 would be for Radius. Both interfaces would be on the same subnet.

5. Use Interface Alias (Eth1) because of Posture redirection

Is my proposed setup correct?

Thanks again for the earlier response.

Configure Wireless Clients running Windows 7 and Windows Vista for PEAP-TLS Authentication

says,

... To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wired access clients must use for authentication and authorization, in Connect to these servers , type then name of each RADIUS server, exactly as it appears in the subject field of the server certificate. Use semicolons to specify multiple RADIUS server names. ...

This is optional.

Since your ETH0 and 1 on the same subnet, please ensure routing correctly.

Thanks again. But please could you confirm if my earlier proposed setup is OK? Also not sure what you mean by

"Since your ETH0 and 1 on the same subnet, please ensure routing correctly".

Obviously the NADs would be configured IP address of Eth1 as the Radius Server and the IGP would get the packets to the destination. In the past, in a previous place I worked, I had Eth0 and Eth1 on the same subnet for a Guest PSN in the DMZ and no issues with Guest Redirection on Eth1 and Interface Alias on the Guest PSN.

Well. The routing, if not taken care of, could be like this:

NAD -> ISE:ETH1 -> ISE:ETH0 -> NAD.

Your proposal looks fine for EAP. Best to test it yourself (in a lab), nonetheless.

Note: CPP and Admin certificate different but on same interface

I would also ask why are you trying to use another interface for EAP Authentication?  I prefer to keep my ISE deployments as simple as possible and use only 1 interface on my ISE nodes unless the customer has a guest portal situation requiring the PSNs to have a presence in a DMZ.