
1099 Views, 5 Helpful, 3 Replies

VS (Beginner)

EAP-TLS with multiple domains?

Hello,

I have an ISE 2.2 p9 deployment. domain1.com AD is joined to ISE and working well for our users. Another domain, domain2.com, is also connected to ISE, as we use a 2-way trust between domain1.com and domain2.com.

domain1.com uses PEAP. This is our organization; we have the AD/CA certificates etc. all configured and everything is fine.

But domain2.com is another organization, and their laptops are set to use EAP-TLS. When they authenticate with our SSID we get the error in ISE "12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain".

As I understand it, I just need to download the CA certificate from http://domain2.com/certsrv and import it into ISE.

Is there any additional step? Do I need to do the CSR process as well with their MS CA server?

Will my ISE services restart?

1 ACCEPTED SOLUTION
Surendra
Cisco Employee

The only requirement is that your ISE server certificate needs to be trusted by the client and the client certificate needs to be trusted by ISE.

Importing the domain2 CA cert should be fine as long as all those clients are issued a certificate from domain2.com. Your client seems to trust the ISE server certificate, given that ISE sends the server certificate first and the client then responded with its certificate.

ISE services will not restart if you just import a CA certificate.

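To see what the accepted answer's "client certificate needs to be trusted by ISE" means in practice, here is an added example (not from this thread or from Cisco) that builds a constructed two-tier domain2.com-style PKI with openssl and checks the laptop certificate the way ISE does before logging 12514. It goes one step beyond the thread: it also shows that when the issuing CA is a subordinate of the root, validation only succeeds if the subordinate is either imported into the trust store or sent by the client during the handshake. All CA and host names are constructed placeholders.

```shell
#!/bin/sh
# Added example: constructed domain2.com PKI (root CA -> issuing CA -> laptop
# cert) and a check equivalent to ISE's "unknown CA" test on the client cert.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed domain2.com root CA (stand-in for the MS root CA at domain2.com)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=domain2-root-ca" -keyout root.key -out root.pem >/dev/null 2>&1

# Constructed issuing (subordinate) CA, signed by the root with CA:TRUE
openssl req -newkey rsa:2048 -nodes -subj "/CN=domain2-issuing-ca" \
  -keyout sub.key -out sub.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -sha256 -extfile sub.ext -out sub.pem >/dev/null 2>&1

# Constructed laptop certificate issued by the issuing CA: what the EAP-TLS
# supplicant presents in the handshake
openssl req -newkey rsa:2048 -nodes -subj "/CN=laptop01.domain2.com" \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -days 1 -sha256 -out client.pem >/dev/null 2>&1

# verify_client TRUSTSTORE CERT [SENT_CAS]
# TRUSTSTORE = CA certs imported into ISE; SENT_CAS = extra CA certs the client
# includes in its handshake (untrusted until they chain to TRUSTSTORE).
# Prints "ok" (exit 0) or "unknown CA" (exit 1), the condition behind 12514.
verify_client() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && r=0 || r=1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && r=0 || r=1
  fi
  if [ "$r" -eq 0 ]; then echo ok; else echo "unknown CA"; return 1; fi
}

# Case 1: only the root imported, laptop sends just its own cert -> unknown CA
verify_client root.pem client.pem || true
# Case 2: only the root imported, but the laptop also sends the issuing CA -> ok
verify_client root.pem client.pem sub.pem
# Case 3: whole chain imported (root + issuing CA): ok regardless of what is sent
cat root.pem sub.pem > ise-trusted-cas.pem
verify_client ise-trusted-cas.pem client.pem
```

Case 3 is the safe configuration when the other organization's CA hierarchy is more than one level deep: import every CA in the chain, not only the root.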

3 REPLIES
Surendra
Cisco Employee