cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1321
Views
0
Helpful
2
Replies

Design considerations for supporting multiple trusted CAs for EAP-TLS in ISE

matthen
Cisco Employee
Cisco Employee

I have a customer that is migrating from an existing external CA to a new external CA.  They're currently using their existing CA for EAP-TLS and they want to add the new CA to ISE, so essentially authenticate with both CAs during the migration.  Can they just add the cert chain for the new CA, generate and sign a CSR, import the new cert, and mark it to be used for authentication?  Is there anything else that needs to be done or any design considerations that they need to be aware of?

2 Replies 2

gbekmezi-DD
Level 5
Level 5
That’s pretty much it. If you don’t care which CA issued the client’s certificate you shouldn’t have to do anything else.

thomas
Cisco Employee
Cisco Employee

Yes, you can change the ISE cert with the simple import for authentication and it will be fine.

The only other consideration is will your endpoints trust the new cert chain?

If the endpoints do not have the new CA in their trusted store they may reject any authentication attempts from ISE signed by the new CA.