2 CAs on same ISE cluster for EAP/dot1x

philbe
Level 1

My company has created a totally new CA and new laptops are now getting new certs and failing dot1x.

 

"Failure Reason  12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"

 

Is the fix as simple as installing the new CA root and SUB CA certs? Is there a trick to CHAIN/Path these 2 certs?

 

Then creating a new CSR for EAP cert from the new CA? Will this break the old but still needed EAP cert?

 

I obviously need dot1x to work with both the new and the existing CAs.

 

Many thanks : )

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP

All you need to do is to import the Root CA (and any intermediate CAs, if there are any) into the ISE Trusted Cert list. That's the easy part. You can add as many CAs as you need.

 

There is no option for ISE to identify itself to supplicants using a different ISE EAP certificate - there is only one ISE EAP certificate that is presented to all clients. If clients are configured to trust the RADIUS/AAA server, then ensure that the CA cert that signed the ISE EAP cert is installed in those clients. If the ISE EAP cert is self-signed (which is sometimes the case) then that would be the Root CA that clients would need to trust. Some clients/supplicants don't care about trusting the RADIUS server (Windows still allows that bypass). But newer operating systems like Android 10+ mandate having the CA cert on the device in order to trust ISE.
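As an added check that is not part of the thread, the following shell script builds a constructed lab PKI with openssl (an old root, a new root with a subordinate issuing CA, and a laptop cert from each; all names are invented) and then verifies each laptop cert the way ISE does during EAP-TLS: first with only the old root trusted (the "unknown CA in the client certificates chain" situation) and then with both roots plus the new sub CA in the trusted set.

```shell
#!/bin/sh
# Constructed lab PKI, not the thread's environment: OLD root, NEW root with a
# subordinate issuing CA, one client cert from each. Then check what ISE checks
# for EAP-TLS: does the client's chain end in a CA that is in the trusted list?
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
q() { "$@" >/dev/null 2>&1; }   # quiet wrapper, errors still abort via set -e

# issue <name> <subject> <extfile> [<issuer>]  (no issuer => self-signed root)
issue() {
  q openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" -keyout "$1.key" -out "$1.csr"
  if [ -z "$4" ]; then
    q openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 -sha256 -extfile "$3" -out "$1.crt"
  else
    q openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 365 -sha256 -extfile "$3" -out "$1.crt"
  fi
}
issue oldroot   "/CN=Old Corp Root CA"    ca.ext
issue newroot   "/CN=New Corp Root CA"    ca.ext
issue newsub    "/CN=New Corp Issuing CA" ca.ext     newroot
issue oldlaptop "/CN=laptop-old"          client.ext oldroot
issue newlaptop "/CN=laptop-new"          client.ext newsub

# trusted <bundle.pem> <client>: succeeds only if the client's chain verifies
# against the bundle. The sub CA is passed as "untrusted", i.e. as the
# intermediate a supplicant would send along with its own cert.
trusted() { openssl verify -CAfile "$1" -untrusted newsub.crt "$2.crt" >/dev/null 2>&1; }

cat oldroot.crt > before.pem                          # old trusted list
cat oldroot.crt newroot.crt newsub.crt > after.pem    # old + new root + new sub CA

for bundle in before after; do
  for c in oldlaptop newlaptop; do
    if trusted "$bundle.pem" "$c"; then r=OK; else r="FAIL (unknown CA in chain)"; fi
    echo "trusted list=$bundle client=$c -> $r"
  done
done
```

Importing only the new root without the sub CA, or trusting the wrong CA, reproduces the failing case; the "after" bundle is the state the Trusted Cert list should be in.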
