EAP-TLS with different root CA

umahar
Cisco Employee

Hello,

We have a customer who would like to deploy, for EAP-TLS, a different CA that is not the CA that signed the ISE system certificates used for EAP. We will be importing this root CA into the Trusted Certificates store in ISE.

Would EAP-TLS still be successful (after throwing an unknown-server warning) if the endpoint does not trust the server certificate?

Has anyone seen such a deployment in production?

Basically the customer wants to use EAP-TLS for BYOD devices but does not want to use the internal CA for certificate provisioning, for security reasons.

3 Replies

hslai
Cisco Employee

ISE BYOD supports an external SCEP server and CA, such as MS AD CS. ISE BYOD will provision the root CA of the ISE EAP server certificate along with the endpoint certificate, so it should not be an issue.

In the general case of the endpoint not trusting the EAP server certificate but requiring it to be validated, EAP-TLS will fail.
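As an added illustration (not Cisco's or the thread's code), the following Go program builds a constructed test PKI and checks an EAP server certificate the way a strict supplicant does: with only the BYOD root in the trust store, validation fails; once the ISE root is provisioned as well, it succeeds. The CA names and the hostname are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate in a constructed test PKI; a nil parent yields a self-signed root CA.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// supplicantAccepts models a strict supplicant (Windows in the thread): the EAP server cert must chain to a trusted root.
func supplicantAccepts(server *x509.Certificate, trustedRoots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range trustedRoots {
		pool.AddCert(r)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// eapTLSScenario mirrors the thread: ISE's EAP certificate chains to one root, the BYOD endpoint certificates to another. It returns the outcome with only the BYOD root trusted, then with the ISE root provisioned as well.
func eapTLSScenario() (onlyByodRoot, bothRoots bool) {
	iseRoot, iseKey := mkCert("ISE EAP Root CA", true, nil, nil)
	byodRoot, _ := mkCert("BYOD Root CA", true, nil, nil)
	eapServer, _ := mkCert("ise.example.test", false, iseRoot, iseKey)
	return supplicantAccepts(eapServer, byodRoot), supplicantAccepts(eapServer, byodRoot, iseRoot)
}
```

A supplicant that prompts the user (as the iPhone did in the thread) is effectively adding the ISE root to its trust store at connect time; a supplicant configured to validate silently can only succeed if that root was provisioned beforehand.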

umahar
Cisco Employee

I tested this scenario on Windows and iPhone 5.

Windows could not connect, throwing an error on ISE that the client rejected the server certificate; however, the iPhone was prompted to trust the ISE certificate before it authenticated successfully.

We are not provisioning certificates out of band via an MDM, so we will have to think about provisioning the ISE root CA as well.

ISE presents its Admin certificate during provisioning. This will cause your error on Windows clients.