
EAP-TLS and PEAP certificates in ISE

Hi Experts,

Greetings, and I'm new to ISE, seeking some assistance from you guys. When going through EAP authentication types, EAP-TLS (inner tunnel) uses certificate authentication to authenticate both the authentication server and the client, and PEAP (outer tunnel) uses certificates to encrypt using TLS by way of the authentication server certificate.

1. My query is, if EAP-TLS uses a certificate (Root CA installed on both ISE and the PCs) to authenticate both the client and the server, then what certificate does PEAP use?

2. What is the difference between the two options below, and which one is used for EAP-TLS and PEAP?

When binding CSR: EAP Authentication: Use certificate for EAP protocols that use SSL/TLS tunneling

When Importing Root CA: Trust for client Authentication and Syslog

1 Accepted Solution

Arne Bier (VIP)

As far as ISE is concerned, it will always identify itself with the same certificate, no matter whether the client is trying to perform EAP-PEAP or EAP-TLS - this is part of the initial EAP tunnel establishment. Cisco ISE only allows one cert to be assigned to the task of EAP processing.

The cert that the client presents to ISE during EAP-TLS is inspected/checked by ISE based on the CA cert chains that you have installed under Trusted Certs. If you don't have the appropriate CA cert chain installed there, then the client cert checking cannot be done and auth will fail.


6 Replies

Hi Jason- Thanks, not yet, but will do it :)


Hi Arne,

Thanks for the reply; from your answer I assume ISE uses the same certificate for both EAP-TLS and PEAP.

Also, please suggest the difference of the below on ISE:

When binding CSR: EAP Authentication: Use certificate for EAP protocols that use SSL/TLS tunneling

When Importing Root CA: Trust for client Authentication and Syslog

When binding CSR: EAP Authentication: Use certificate for EAP protocols that use SSL/TLS tunneling

>> This means that you must have created a CSR on ISE. What that means is that ISE put a private key somewhere on the server and handed you a CSR file. You then ship that file off to the CA that needs to sign the CSR. Once you have the cert back from that CA, you upload it to ISE and bind it to that CSR request. In this case "binding" just means: take the cert and link it to the private key.

When Importing Root CA: Trust for client Authentication and Syslog

>> The Client Authentication tick box is important. When you do EAP-TLS and you import the CA chain (Root, Intermediate and issuing CA certs), then you also have to tell ISE that these certs are to be used when verifying the client certs during EAP-TLS. Don't tick the SYSLOG box. That one is used when ISE is used to talk to a secure SYSLOG server.
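The two points in the replies above (the client cert presented during EAP-TLS is checked against the CA chain installed under Trusted Certs, and "binding" links the CA-issued cert back to the private key that produced the CSR) can be reproduced offline with OpenSSL. This is an added example, not code from the thread, from Cisco or from ISE: ISE is stood in for by `openssl verify` and a public-key comparison, and every CA name, subject and file name (Demo Root CA, Demo Issuing CA, ise01.example.test, laptop01) is constructed for the demo. It assumes OpenSSL 1.1.1 or 3.x with its default config file present.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): emulate ISE's CSR binding
# and its Trusted Certs check with OpenSSL. All names below are constructed.
set -e
work=$(mktemp -d)
cd "$work"

# Extension files for the demo certs. The issuing CA must carry CA:TRUE, or
# OpenSSL (like ISE) will not accept it as a CA when building the chain.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext

q() { "$@" >/dev/null 2>&1; }   # run an openssl command quietly

# 1. The PKI: a self-signed root and an issuing CA signed by it (Root -> Issuing).
q openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root CA"
q openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem
q openssl req -new -newkey rsa:2048 -nodes -keyout issuing.key -out issuing.csr -subj "/CN=Demo Issuing CA"
q openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out issuing.pem

# 2. "Binding a CSR": the private key (ise.key) never leaves the server, only
#    the CSR goes to the CA, and the returned cert is linked back to that key.
q openssl req -new -newkey rsa:2048 -nodes -keyout ise.key -out ise.csr -subj "/CN=ise01.example.test"
q openssl x509 -req -in ise.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial -days 30 -extfile server.ext -out ise.pem

# bind_matches KEY CERT: succeeds only if CERT's public key belongs to KEY,
# which is the check behind a successful bind (a cert issued for some other
# key cannot be bound to this CSR).
bind_matches() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# 3. An EAP-TLS client cert from the issuing CA, plus a look-alike with the
#    same CN that was self-issued by a CA we never installed.
q openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=laptop01"
q openssl x509 -req -in client.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial -days 30 -extfile client.ext -out client.pem
q openssl req -new -x509 -newkey rsa:2048 -nodes -keyout rogue.key -subj "/CN=laptop01" -days 30 -out rogue.pem

# Two candidate "Trusted Certs" stores: the root alone, and the full chain.
cp root.pem trust-root-only.pem
cat root.pem issuing.pem > trust-full-chain.pem

# verify_client TRUSTSTORE CERT: prints "accepted" or "rejected", mirroring
# what ISE does with the presented client cert against its Trusted Certs.
verify_client() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

echo "ise.pem binds to ise.key:     $(bind_matches ise.key ise.pem && echo yes || echo no)"
echo "ise.pem binds to client.key:  $(bind_matches client.key ise.pem && echo yes || echo no)"
echo "client cert, root only:       $(verify_client trust-root-only.pem client.pem)"
echo "client cert, full chain:      $(verify_client trust-full-chain.pem client.pem)"
echo "rogue cert, full chain:       $(verify_client trust-full-chain.pem rogue.pem)"
```

Run it with `sh`. The "root only" case is the failure mode from the accepted answer: the client cert is valid, but without the issuing CA in the store the chain cannot be built and the cert is rejected, just as ISE fails the authentication when the intermediate is missing from Trusted Certs.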

Thanks. When raising the CSR, there is an option for EAP Authentication which was confusing. Now it's clear.

Thank you :)
