12-22-2021 04:05 PM - edited 12-22-2021 05:27 PM
My company has created a totally new CA and new laptops are now getting new certs and failing dot1x.
"Failure Reason 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
Is the fix as simple as installing the new CA root and SUB CA certs? Is there a trick to CHAIN/Path these 2 certs?
Then creating a new CSR for EAP cert from the new CA? Will this break the old but still needed EAP cert?
I obviously need dot1x to work with both new and existing CAs.
Many thanks : )
12-22-2021 08:46 PM
All you need to do is to import the Root CA (and any intermediate CAs if there are any) into the ISE Trusted Cert list. That's the easy part. You can add as many CAs as you need.
There is no option for ISE to identify itself to supplicants using a different ISE EAP certificate - there is only one ISE EAP certificate that is presented to all clients. If clients are configured to trust the RADIUS/AAA server, then ensure that the CA cert that signed the ISE EAP cert is installed in those clients. If the ISE EAP cert is self-signed (which is sometimes the case) then that would be the Root CA that clients would need to trust. Some clients/supplicants don't care about trusting the RADIUS server (Windows still allows that bypass). But newer operating systems like Android 10+ will mandate having the CA cert on the device in order to trust ISE.