Cisco-ISE, EAP-TLS, remove RootCA from server validation chain

Malex
Level 1

Hello experts,

 

Is there a possibility to influence the length/number of certificates for server validation in Cisco-ISE?

My tests with Cisco-ISE ver 2.7 and 3.1 have shown that Cisco-ISE always sends out the full chain of trust in the TLS "Hello Server" message to the supplicant for EAP-TLS authentication.

I.e. in only one TLS message everything is transferred from RootCA to server certificate.

 

In a concrete scenario, this message is 9199 Bytes long and is unfortunately a bit too long for an IoT radio module.

 

Is there a way to instruct Cisco-ISE to send a shortened chain for server validation for certain supplicants, without RootCA (and IntermediateCA) certificate for example?

The IoT Radio module has a copy of the server RootCA (and IntermediateCA) certificate in its memory anyway for validation purposes. 

 

Unfortunately, I cannot change anything in the existing PKI.

 

Thanks in advance
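The post above gives the observed on-the-wire figure (9199 bytes for the full chain) but not a way to see how the number breaks down per certificate, which is what you need when deciding whether a leaf-only chain would fit a constrained receiver. The script below is an added example, not from the original thread or from Cisco; it frames a PEM bundle into the TLS 1.2 Certificate handshake message layout (RFC 5246 section 7.4.2: 4-byte handshake header, 3-byte list length, 3-byte length per certificate plus its DER) and reports the size with and without the trailing CA certificates. The sample chain and the rx buffer limit are constructed placeholders, not real certificates, and the framing counts the handshake message only (TLS record and EAP-TLS fragment headers add further per-fragment overhead on the wire).

```python
import base64
import re

# TLS 1.2 Certificate handshake message framing (RFC 5246 section 7.4.2):
#   1 byte HandshakeType + 3 bytes length, then 3 bytes certificate_list
#   length, then for each certificate 3 bytes length + the DER bytes.
# TLS 1.3 adds extra fields per entry, so this arithmetic assumes TLS 1.2.
HANDSHAKE_HEADER = 4
LIST_LENGTH_FIELD = 3
PER_CERT_LENGTH_FIELD = 3

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(pem_text: str) -> list:
    """Split a PEM bundle (leaf first, root last) into raw DER blobs."""
    return [base64.b64decode("".join(m.split()))
            for m in _PEM_BLOCK.findall(pem_text)]


def certificate_message_size(der_certs: list) -> int:
    """Byte length of the TLS 1.2 Certificate message carrying these certs."""
    body = sum(PER_CERT_LENGTH_FIELD + len(c) for c in der_certs)
    return HANDSHAKE_HEADER + LIST_LENGTH_FIELD + body


def chain_size_report(pem_text: str, rx_buffer_bytes: int) -> dict:
    """Compare the full chain with a leaf-only chain against a buffer limit.

    rx_buffer_bytes is an assumed receiver limit supplied by the caller;
    the thread does not state the actual size of the module's buffer.
    """
    certs = pem_chain_to_der(pem_text)
    full = certificate_message_size(certs)
    leaf_only = certificate_message_size(certs[:1])
    return {
        "certificates": len(certs),
        "full_chain_bytes": full,
        "leaf_only_bytes": leaf_only,
        "full_chain_fits": full <= rx_buffer_bytes,
        "leaf_only_fits": leaf_only <= rx_buffer_bytes,
    }


def _fake_pem(der_len: int) -> str:
    # Constructed stand-in: not a real certificate, just a base64 blob of
    # the requested DER length so the framing arithmetic can run offline.
    blob = base64.encodebytes(bytes(i % 256 for i in range(der_len))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{blob}-----END CERTIFICATE-----\n"


# Constructed three-certificate chain: leaf (1000 B), intermediate (1200 B),
# root (1500 B). Real DER sizes vary with key size and extensions.
SAMPLE_CHAIN = _fake_pem(1000) + _fake_pem(1200) + _fake_pem(1500)

if __name__ == "__main__":
    # 2048 is an assumed buffer limit chosen to show one chain fitting and
    # the other not; substitute the real module's rx buffer size.
    for key, value in chain_size_report(SAMPLE_CHAIN, rx_buffer_bytes=2048).items():
        print(f"{key}: {value}")
```

To use it on a real chain, pass the PEM text of the ISE system certificate followed by its issuers (as exported from the ISE admin portal) to `chain_size_report`; the leaf-only figure is the lower bound the module would have to receive if the CA certificates could be omitted, which, per the accepted answer, ISE does not offer.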

 

1 Accepted Solution

Accepted Solutions

I got it. The problem is that even fragmented, the device can't handle the whole chain due to lack of memory. Well, I asked a friend who is an ISE expert and he told me it is not possible. ISE will send the full chain.

 


3 Replies

Not an ISE expert here, but from the network point of view this should not be a problem. Unless you are allowing jumbo frames, there might be fragmentation.

Thank you Flavio.

 

On the network level everything works, as the screenshot in the attachment shows (logged in with an iPhone).

The problem is that the IoT radio module has too small an rx buffer to load the whole "hello server" message in one piece.

I need to find a way to shorten "hello server" message.
