07-04-2016 04:00 AM
Hello,
We have a customer who would like to deploy a different CA for EAP-TLS which is not part of the CA which signed the system certificates for ISE used for EAP. We will be importing this root CA in Trusted certificate store in ISE.
Would EAP-TLS still be successful (after throwing an unknown server warning) if the endpoint does not trust the server certificate?
Has anyone seen such a deployment in production?
Basically the customer wants to use EAP-TLS for BYOD devices but does not want to use the internal CA for certificate provisioning, for security reasons.
07-04-2016 10:31 PM
ISE BYOD supports external SCEP and CA, such as MS AD CS. ISE BYOD will provision the root CA of ISE EAP server certificate along with the endpoint certificate so it should not be an issue.
In the general case, if the endpoint does not trust the EAP server certificate but requires it to be validated, then EAP-TLS will fail.
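The trust decision described in this reply (and confirmed by the Windows/iPhone test later in the thread), as an added example that is not part of the thread and not Cisco ISE code: two independent, constructed root CAs are built with the third-party `cryptography` package (assumed installed), one issuing the ISE EAP server certificate and the other issuing the BYOD endpoint certificate, and a small supplicant model checks whether the server certificate chains to the client's trust store. All names and certificates are constructed for the example.

```python
# Added example (not from the thread or from Cisco ISE): a minimal model of the
# supplicant-side trust decision made during EAP-TLS. "Corp Root CA" (constructed)
# issues the ISE EAP server certificate; "BYOD Root CA" (constructed) issues the
# endpoint certificate. Which root issued the *client* cert has no bearing on whether
# the client accepts the *server* cert; only the client's trust store does.
# Requires the third-party `cryptography` package (assumed installed).
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject: x509.Name, issuer: x509.Name, public_key, ca: bool) -> x509.CertificateBuilder:
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )


def make_root(cn: str):
    """Self-signed root CA (constructed for the example)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _builder(_name(cn), _name(cn), key.public_key(), ca=True).sign(key, hashes.SHA256())
    return key, cert


def make_leaf(cn: str, issuer_key, issuer_cert: x509.Certificate):
    """End-entity certificate signed by the given CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = _builder(_name(cn), issuer_cert.subject, key.public_key(), ca=False).sign(
        issuer_key, hashes.SHA256()
    )
    return key, cert


def supplicant_accepts(server_cert: x509.Certificate, trusted_roots, validate_server=True) -> bool:
    """Does the supplicant accept the EAP server certificate?

    A supplicant that validates the server certificate (the Windows behaviour seen in
    the thread) accepts it only if it is signed by a root in its trust store. With
    validation off, or after a user taps "Trust" on a prompt, anything is accepted,
    which removes the server authentication EAP-TLS relies on against rogue APs.
    Real supplicants additionally check validity period, name, EKU and revocation.
    """
    if not validate_server:
        return True
    for root in trusted_roots:
        if server_cert.issuer != root.subject:
            continue
        try:
            root.public_key().verify(
                server_cert.signature,
                server_cert.tbs_certificate_bytes,
                padding.PKCS1v15(),
                server_cert.signature_hash_algorithm,
            )
            return True
        except InvalidSignature:
            continue
    return False


def run_scenarios() -> dict:
    corp_key, corp_root = make_root("Corp Root CA")  # signed the ISE EAP server cert
    byod_key, byod_root = make_root("BYOD Root CA")  # external CA for endpoint certs
    _, ise_eap_cert = make_leaf("ise.example.test", corp_key, corp_root)
    _, endpoint_cert = make_leaf("byod-device-01", byod_key, byod_root)
    return {
        # client cert comes from the BYOD CA, but the trust store lacks the corp root: rejected
        "byod_root_only": supplicant_accepts(ise_eap_cert, [byod_root]),
        # the ISE root CA provisioned alongside the endpoint cert (ISE BYOD flow): accepted
        "both_roots": supplicant_accepts(ise_eap_cert, [byod_root, corp_root]),
        # validation disabled / prompt trusted: "succeeds", but with no server authentication
        "validation_disabled": supplicant_accepts(ise_eap_cert, [byod_root], validate_server=False),
        # the endpoint cert chains to the BYOD root: that is what ISE checks, not the client
        "endpoint_chains_to_byod_root": supplicant_accepts(endpoint_cert, [byod_root]),
    }


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

The "byod_root_only" scenario is the Windows failure from the thread: the client certificate was issued by the external CA, but the supplicant still rejects the ISE server certificate because the corp root is not in its store. Shipping the ISE root together with the endpoint certificate ("both_roots") is what makes the handshake succeed without asking the user to trust an unknown server.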
07-06-2016 08:22 PM
I tested this scenario on Windows and an iPhone 5.
Windows could not connect, throwing an error that the client rejected the server certificate on ISE; however, the iPhone was prompted to trust the ISE certificate before it authenticated successfully.
We are not provisioning certificates out of band via an MDM, so we will have to think about provisioning the ISE root CA as well.
07-06-2016 11:28 PM
ISE presents its Admin certificate during provisioning. This will cause your error on Windows clients.