06-17-2025 01:38 AM
We currently have one CA configured in ISE that is trusted for client authentication for a specific customer. Recently, I was asked whether it's possible to add another trusted CA to support a different customer's 802.1X client authentication.
Does anyone know if ISE supports multiple trusted CAs for client authentication, and if so, are there any limitations or best practices I should be aware of?
Thanks,
Genti
06-17-2025 02:05 AM - edited 06-17-2025 02:46 AM
@ggenti ISE only allows one EAP certificate, but you could use a public CA signed certificate that all client computers would trust. Then import the customer's private CA certificate into the ISE trusted certificate store. ISE will then be able to authenticate the client and vice versa. I see no reason why you couldn't add multiple private CA certificates to the ISE trusted CA store if you have multiple customers using the same ISE cluster; that's not a typical deployment though.
06-17-2025 04:29 AM
Can you add multiple trusted CAs to authenticate clients that provide certificates signed by different CAs: yes.
And to reiterate what Rob said, there's only going to be one EAP certificate though for each ISE node, so the clients need to trust that certificate (or preferably the signer of that cert).
Other items to be aware of: if you're doing this across different customers, be sure to add additional checks (e.g. issuer) to each customer's policy set (or authentication/authorization section) so you don't accidentally create a scenario where customer "A" could walk into customer "B"'s office and be authenticated onto the network.
06-17-2025 07:23 AM
Thank you all for the helpful feedback! The situation is that the partner company already uses a client certificate issued by their own CA, which works with their ISE deployment. They’d like to use the same certificate to authenticate against our ISE when visiting for business meetings.
I’m not entirely sure if this setup will work as expected, but I appreciate all the feedback!!
06-17-2025 07:29 AM
@ggenti as it's the ISE deployment you manage, you change your EAP certificate to a certificate the partner device trusts (a public CA signed certificate) and import their CA certificate into your ISE. They should then be able to authenticate to your ISE. Or get them to use a guest portal.
06-17-2025 08:43 AM
Just to add to what @Rob Ingram and @Jonatan Jonasson mentioned, the ISE EAP certificate that you use in "System Certificates" is the certificate that ISE presents to the clients during the secure negotiation. The clients must trust that certificate's issuer. However, the certificates that get presented by the clients to ISE could be issued by any other issuer, so it doesn't have to be the same issuer as the one who issued the ISE EAP certificate. Similarly, ISE must trust the issuer of those certificates.
The way we do this in ISE is by importing the root CA and intermediate CA, if any, into ISE "Trusted Certificates" and then enabling the "Trust for client authentication and Syslog" tick box to make ISE accept the negotiation with those clients.
From the client side, we import the ISE EAP certificate's root CA and intermediate CA, if any, into the clients' trusted certificate store.
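The following is an added example, not code from the thread or from Cisco ISE, that models the two decisions the replies above describe: first, the EAP-TLS check that the client's certificate chains to a CA present in "Trusted Certificates" with "Trust for client authentication and Syslog" ticked; second, the per-customer issuer condition in the policy set that Jonatan recommends. All certificate and customer names are constructed for illustration, and certificates are plain name pairs rather than real X.509 objects, so only the decision logic is shown, not signature verification.

```python
"""Model of the ISE client-certificate decision discussed in the thread.

Added illustration of the logic only; not ISE code. Certificates are
constructed (subject, issuer) pairs, so no signatures are verified here.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate (constructed sample, names only)."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass(frozen=True)
class TrustedCert:
    """One entry in the ISE 'Trusted Certificates' store."""
    cert: Cert
    trust_for_client_auth: bool  # the "Trust for client authentication and Syslog" tick box


@dataclass(frozen=True)
class PolicySet:
    """A policy set; allowed_issuers is the extra per-customer condition from the thread.
    None means no issuer condition at all (the risky configuration)."""
    name: str
    allowed_issuers: Optional[frozenset[str]]


def build_chain(leaf: Cert, presented: list[Cert],
                store: dict[str, TrustedCert]) -> Optional[list[Cert]]:
    """Walk issuer links from the leaf to a self-signed root held in the trust store.
    Intermediates may come from the client's presented chain or from the store
    (the thread imports root and intermediate into ISE). Returns the chain, leaf
    first, or None if no trusted root is reached."""
    candidates = {c.subject: c for c in presented}
    candidates.update({name: t.cert for name, t in store.items()})
    chain, current = [leaf], leaf
    while not current.self_signed:
        nxt = candidates.get(current.issuer)
        if nxt is None or nxt in chain:  # missing link or a loop
            return None
        chain.append(nxt)
        current = nxt
    return chain if current.subject in store else None


def authenticate(leaf: Cert, presented: list[Cert], store: dict[str, TrustedCert],
                 policy: PolicySet) -> tuple[bool, str]:
    """EAP-TLS trust check first, then the policy-set issuer condition."""
    chain = build_chain(leaf, presented, store)
    if chain is None:
        return False, "EAP-TLS failed: no path to a CA in Trusted Certificates"
    root = store[chain[-1].subject]
    if not root.trust_for_client_auth:
        return False, f"EAP-TLS failed: {root.cert.subject} is not trusted for client authentication"
    if policy.allowed_issuers is not None and leaf.issuer not in policy.allowed_issuers:
        return False, f"{policy.name}: issuer '{leaf.issuer}' not permitted by policy set"
    return True, f"{policy.name}: {leaf.subject} authenticated"


# Constructed sample PKI: two customers sharing one ISE cluster, plus a partner
# CA that was imported but not ticked for client authentication.
A_ROOT = Cert("CustomerA Root CA", "CustomerA Root CA")
A_ISSUING = Cert("CustomerA Issuing CA", "CustomerA Root CA")
B_ROOT = Cert("CustomerB Root CA", "CustomerB Root CA")
B_ISSUING = Cert("CustomerB Issuing CA", "CustomerB Root CA")
PARTNER_ROOT = Cert("Partner Root CA", "Partner Root CA")

TRUST_STORE = {
    A_ROOT.subject: TrustedCert(A_ROOT, trust_for_client_auth=True),
    A_ISSUING.subject: TrustedCert(A_ISSUING, trust_for_client_auth=True),
    B_ROOT.subject: TrustedCert(B_ROOT, trust_for_client_auth=True),
    B_ISSUING.subject: TrustedCert(B_ISSUING, trust_for_client_auth=True),
    PARTNER_ROOT.subject: TrustedCert(PARTNER_ROOT, trust_for_client_auth=False),
}

ALICE = Cert("alice@customer-a.example", "CustomerA Issuing CA")   # customer A user
BOB = Cert("bob@customer-b.example", "CustomerB Issuing CA")       # customer B user
CAROL = Cert("carol@partner.example", "Partner Root CA")           # partner, CA not ticked
EVE = Cert("eve@unknown.example", "Unknown CA")                    # CA not imported at all

# Customer A's office policy set, with and without the issuer condition.
A_OFFICE_STRICT = PolicySet("CustomerA-Office", frozenset({"CustomerA Issuing CA"}))
A_OFFICE_LOOSE = PolicySet("CustomerA-Office (no issuer check)", None)

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, EVE):
        for policy in (A_OFFICE_STRICT, A_OFFICE_LOOSE):
            ok, reason = authenticate(who, [], TRUST_STORE, policy)
            print(f"{'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Run as a script, the loose policy set accepts Bob on customer A's network because both CAs sit in the same trust store with the client-authentication box ticked; only the issuer condition in the strict policy set rejects him. Carol is rejected at the EAP-TLS stage because her CA is imported but not trusted for client authentication, and Eve is rejected because her CA is absent.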