Can ISE 3.1 support multiple PKIs for EAP auth?

Josh Morris
Level 3

We currently use an internal PKI for delivering certs for EAP. ISE has a trusted cert from that PKI as the EAP cert. We are transitioning to Digicert PKI. How can I use both PKIs to authenticate 802.1X users if I can only select one EAP cert in the system certificate page?

Accepted Solution

Arne Bier
VIP

Hi @Josh Morris 

The EAP Certificate in the System Certificates is the certificate with which ISE identifies itself to the client (if the client is configured to check the NAC server - this is an optional check but highly recommended to provide assurance to the client that they are talking to the correct RADIUS/NAC server). ISE only allows one System EAP cert - in other words, ISE is unable to identify itself to clients with more than one certificate. This is not a common situation (perhaps only required when two companies merge etc.) - it's up to the client to ensure that they are configured to trust the CA cert chain that signs any/all ISE EAP certs. Each ISE PSN can have its own EAP cert - but when a NAS switches between PSNs (e.g. a load balancer or an HA event) then you need to ensure that the clients don't feel that switch. The way you do that is to either re-use the same EAP System cert on all PSNs that process EAP requests - or better still, one EAP System cert per PSN but signed by the same CA - either a public CA or an internal CA. And that CA cert chain MUST be available on the clients. Then it all works fine.

As for the client certificate checks that ISE performs (i.e. during mutual authentication of EAP-TLS), that CA certificate CHAIN used to create those client certs is contained in ISE's Trusted Certificate section (i.e. ISE needs to TRUST those clients) - and you can have loads of those certs listed there - just ensure that you have the entire CA chain, and that in each cert you have ticked "for client auth".

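The two trust checks described in the answer, as an added example that is not part of the original post and not ISE code: a small stdlib Python model of ISE walking a client cert to a root through its Trusted Certificates (every CA present and ticked "for client auth"), and of a supplicant accepting whichever PSN's EAP cert it is handed. The CA and device names are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str               # equals subject for a self-signed root
    client_auth: bool = True  # leaf EKU includes clientAuth

@dataclass(frozen=True)
class TrustedCA:              # one entry in ISE's Trusted Certificates
    cert: Cert
    for_client_auth: bool     # the "for client auth" tick box

# Constructed sample PKIs; the names are placeholders, not real CAs.
INT_ROOT = Cert("Internal Root CA", "Internal Root CA")
INT_ISSUING = Cert("Internal Issuing CA", "Internal Root CA")
PUB_ROOT = Cert("Public Root CA", "Public Root CA")
PUB_ISSUING = Cert("Public Issuing CA", "Public Root CA")
FULL_STORE = [TrustedCA(INT_ROOT, True), TrustedCA(INT_ISSUING, True),
              TrustedCA(PUB_ROOT, True), TrustedCA(PUB_ISSUING, True)]

def ise_accepts_client(leaf, trust_store):
    """ISE side: walk leaf -> root using only the Trusted Certificates.
    Every CA on the path must be present and ticked for client auth."""
    store = {ca.cert.subject: ca for ca in trust_store}
    if not leaf.client_auth:
        return False, "client cert lacks clientAuth EKU"
    cur = leaf
    while cur.subject != cur.issuer:        # stop at the self-signed root
        ca = store.get(cur.issuer)
        if ca is None:
            return False, f"{cur.issuer} missing from Trusted Certificates"
        if not ca.for_client_auth:
            return False, f"{cur.issuer} not ticked for client auth"
        cur = ca.cert
    return True, f"chains to {cur.subject}"

def client_accepts_psn(eap_cert, client_trusted_cas):
    """Supplicant side: the PSN's EAP cert must be signed by a configured CA."""
    return eap_cert.issuer in client_trusted_cas

def failover_is_seamless(psn_eap_certs, client_trusted_cas):
    """A NAS may hand the client to any PSN, so every PSN's EAP cert must pass."""
    return all(client_accepts_psn(c, client_trusted_cas) for c in psn_eap_certs)

if __name__ == "__main__":
    print(ise_accepts_client(Cert("laptop-1", "Internal Issuing CA"), FULL_STORE))
    print(ise_accepts_client(Cert("laptop-2", "Public Issuing CA"), FULL_STORE))
```

Both PKIs' client certs pass once both full chains are in the store; dropping an intermediate, or leaving its client-auth box unticked, rejects that PKI's clients while the other keeps working.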
