Distributed ISE & Distributed PKI = EAP-TLS issues ... Correct?

shoaibkhan
Level 1

In a distributed ISE deployment with regional intermediate CAs, I am getting failed authentication due to "EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain". Client devices have only one client certificate, issued from the regional intermediate CA. When client devices go across regions, they can't authenticate and get this "unknown CA" error. The admin node has certificates of all intermediate CAs and the root CA.

One possible solution is to add intermediate CA certificates to all regional Node groups but apparently it is not possible on ISE policy nodes.

Have a look at the diagram below and let me know what you think (client authentication failure at both location 1 and 3).

7 Replies

jan.nielsen
Level 7

I think the problem is more related to your clients. Have you configured all the PCs to trust at least the root CA and the CA that ISE has gotten its certificate from?

Thanks Jan for your reply. I have raised this to Cisco TAC and they have checked all ISE config and client configs. They didn't find any configuration error. Cisco TAC has no answer to this problem yet!

Have you installed ALL intermediate CA certs on all your PSNs in every region?

Thanks Jan for reply. And short answer is Yes ....

We have identified the issue and it has been resolved now. It was down to corruption of one of the certs on the primary admin.

It was only identified after going to debug logs in prrt. Verification was done by exporting that particular cert and analyzing it. Don't know how it got corrupted, but it did.

In the CA cert section on the primary admin node, it was displaying correct values like issue date etc., but when it was exported for analysis, I couldn't open it.

So the moral of the story is that someone thought they needed to put a status field against every cert on ISE, but it wasn't decided how to check its status - no offence.

Hi ... I think I have the same problem. Could you explain what exactly the problem is comparing the certificates? How was it fixed - didn't get that part ;-)

Hi, just wanting to clarify here that you are essentially utilising multiple issuing CAs on the one ISE deployment? If this is the case, how is it configured, in that I cannot seem to have multiple certs being trusted for EAP?

Stephen,

You can have as many sub-CA or root CA certificates in ISE as you like, and use them to validate and CRL-check user certs with. However, the cert that ISE presents to the clients during any kind of EAP negotiation can only be one specific cert, which means for EAP-TLS & PEAP you will need to have that specific root/sub-CA cert installed on all your clients, and trust it in your supplicant settings.
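The chain-building step the whole thread turns on, as an added example (not code from the thread, from Cisco ISE, or from any poster): a constructed root -> regional intermediate -> client PKI, verified once by a node that holds the regional intermediate and once by a node that only holds the root, which is the "unknown CA" failure the original question describes. The CA names and the client CN are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues one cert of a constructed test PKI (not ISE's certs); nil parent = self-signed root.
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: ca,
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CA profile
	if !ca { // supplicant (leaf) profile: signature only, client authentication EKU
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey) // fixed templates, no error path
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// BuildPKI mirrors the thread's topology: root -> regional intermediate -> client.
func BuildPKI() (client, inter, root *x509.Certificate) {
	root, rootKey := mkCert("Example Root CA", true, nil, nil)
	inter, interKey := mkCert("Region1 Issuing CA", true, root, rootKey)
	client, _ = mkCert("laptop01", false, inter, interKey)
	return client, inter, root
}

// VerifyClient does what a PSN does during EAP-TLS: chain the supplicant's cert to a trusted
// root using only the intermediates this node holds (nil = none). Without the regional issuing
// CA the result is x509.UnknownAuthorityError, the "unknown CA" condition from the thread.
func VerifyClient(client, root, inter *x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if inter != nil {
		pool.AddCert(inter)
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Note that the trust store used to validate client certs is separate from the single server certificate ISE presents, which is the distinction Jan draws above: the supplicant must trust the chain of that one server cert, while each PSN must hold every regional intermediate to validate roaming clients.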