EAP-TLS for two domains on Cisco ISE

khaled alodat
Level 1

Hi,

 

Is there a way to configure EAP-TLS for two domains on ISE

abc.com and xyz.com 

 

I know that you can do this if you have two child domains, but is it possible with two totally different domains?

 

Thanks in advance. 

 

KO

4 Replies

nspasov
Cisco Employee

Hello KO-

Perhaps I am missing something here but I don't see a reason why this should not work. EAP-TLS is a certificate-based authentication that is not dependent on domains/AD/LDAP, etc., where both the client (Endpoints) and server (ISE) must perform mutual authentication. Thus, as long as the endpoint trusts the CA that issued ISE's certificate and ISE trusts the CA that issued the endpoint's certificate, EAP-TLS authentication will succeed.

Here is a link for the EAP-TLS deployment guide that was written a while back but is still valid today:

https://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml

I hope this helps!

 

Thank you for rating helpful posts!
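The trust relationship described in the answer above, as an added Go example (not part of the thread and not Cisco code): a server trust store that holds the issuing CAs for both abc.com and xyz.com accepts client certificates from either domain, while a store holding only one CA rejects the other domain's certificate. The CA and user names are constructed lab values, and only X.509 chain validation is modelled, not ISE itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a lab certificate: a self-signed CA when parent is nil, else a client cert.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // no issuer given: build a self-signed root CA instead
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		tmpl.ExtKeyUsage, parent, signer = nil, tmpl, key
	}
	der, cerr := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, perr := x509.ParseCertificate(der) // der is nil, and parsing fails, if signing failed
	if cerr != nil || perr != nil {
		panic(fmt.Sprint("issue ", cn, ": ", cerr, " ", perr))
	}
	return cert, key
}

// trusted reports whether client chains to one of the CAs in the server's trust store.
func trusted(client *x509.Certificate, store ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range store {
		pool.AddCert(ca)
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() { // all names below are constructed lab values
	abc, abcKey := issue("abc.com Lab CA", nil, nil)
	xyz, xyzKey := issue("xyz.com Lab CA", nil, nil)
	alice, _ := issue("alice@abc.com", abc, abcKey)
	bob, _ := issue("bob@xyz.com", xyz, xyzKey)
	fmt.Println(trusted(alice, abc, xyz), trusted(bob, abc, xyz), trusted(bob, abc)) // true true false
}
```

The same check applies in the other direction: the endpoint validates the server's EAP certificate against its own trust store.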

Thank you nspasov, just to clarify something: ISE will not have a problem if it receives usernames from different domains as long as ISE trusts the CA responsible for issuing the certificate for each domain.

And I can create two certificate profiles for two different domains on ISE without any problem?

 

Thank you again. Now it makes sense. I was confused between two domains and user ambiguity (when the same user is present in two domains).

 

Khaled   

Yes, that is correct! In addition though, the endpoints must also trust the CA that issued ISE's EAP certificate.

 

Thank you for rating helpful posts!

ajc
Level 7

IMPORTANT TO MENTION, there is a bug at least on 2.2 patch 4. You CANNOT have in the trusted certificate folder 2 certs with the same CN Name even though they could have different serial numbers and expiration dates. That corrupts the certificate DB on ISE and affects the operation of all the portals.