12-09-2018 06:39 AM
Hello,
I have an ISE 2.2 p9 deployment. The domain1.com AD is joined to ISE and working well for our users. Another domain, domain2.com, is also connected to ISE, as we use a 2-way trust between domain1.com and domain2.com.
domain1.com uses PEAP. This is our organization; we have the AD/CA certificates etc. all configured and everything is fine.
But domain2.com is another organization, and their laptops are set to use EAP-TLS. When they authenticate against our SSID we get the error in ISE "12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain".
As I understand it, I just need to download the CA certificate from http://domain2.com/certsrv and import it into ISE.
Is there any additional step? Do I need to do the CSR process as well with their MS CA server?
Will my ISE services restart?
12-09-2018 07:48 AM
12-14-2018 03:27 AM
Thank you very much @Surendra, it started to work after importing the CA cert. From a security perspective, am I supposed to do an AD lookup too after the EAP-TLS machine/user cert check goes through?
What's the best practice?
I am blanking at the moment, but what will happen if a user copies the certificate from their corporate laptop onto their personal laptop (assuming they have the smarts to use the same hostname as well)?
12-14-2018 05:50 AM
You can do an AD check from the information contained in the certificate, usually using the SAN field in the cert. The hostname of the device doesn't matter. If a user is able to export the certificate and private key (you need the private key to use a certificate to authenticate) from their corporate device, they can use it to get any other device onto the network. Your certificate policies should mark the key as non-exportable. Some OS types don't respect the do-not-export flag, or, if the user has the knowledge, there is a way to get around the do-not-export flag.
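The two checks discussed in this thread, as an added example that is not part of the original posts and not Cisco's or ISE's code: first the chain check that produces the 12514 "unknown CA" failure when the issuing CA was never imported, then the SAN-based lookup of the presented identity. It uses the third-party `cryptography` package, generates throwaway CA and client certificates in-process, and replaces the AD lookup with a constructed in-memory dictionary; the domain names, account names and serial numbers are made up for the example. Note that a certificate and private key copied to a personal laptop pass both checks, since the identity in the SAN is still a valid account, which is why the non-exportable key policy matters.

```python
"""Added example: chain check and SAN-to-directory binding for an EAP-TLS client cert.

Requires the third-party `cryptography` package. All keys/certs are generated here;
DIRECTORY is a constructed stand-in for the AD lookup an authentication server performs.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Microsoft's otherName OID that carries the User Principal Name inside the SAN.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")

# Constructed stand-in for domain2.com's AD: enabled user UPNs and machine DNS names.
DIRECTORY = {"user": {"alice@domain2.com"}, "machine": {"lt-0042.domain2.com"}}


def _utcnow_naive():
    return datetime.now(timezone.utc).replace(tzinfo=None)


def _der_utf8string(s: str) -> bytes:
    """DER-encode a UTF8String (tag 0x0C, short-form length); UPN otherNames use it."""
    raw = s.encode("utf-8")
    assert len(raw) < 128
    return b"\x0c" + bytes([len(raw)]) + raw


def make_ca(name: str):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = _utcnow_naive()
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_client_cert(ca_key, ca_cert, cn: str, san: x509.GeneralName):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = _utcnow_naive()
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=365))
            .add_extension(x509.SubjectAlternativeName([san]), critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def chains_to_trusted_ca(cert, trusted_cas) -> bool:
    """True only if a CA in the trust store is the issuer AND its key verifies the signature."""
    now = _utcnow_naive()
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return False
    for ca in trusted_cas:
        if ca.subject != cert.issuer:
            continue
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
            return True
        except InvalidSignature:
            return False  # same CA name, different key: still not the imported CA
    return False  # issuer not in the store: the "unknown CA" condition behind 12514


def identity_from_san(cert):
    """Return ("user", upn) or ("machine", dns_name) from the SAN, or None if absent."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID and other.value[:1] == b"\x0c":
            return ("user", other.value[2:].decode("utf-8"))
    for dns in san.get_values_for_type(x509.DNSName):
        return ("machine", dns)
    return None


def authorize(cert, trusted_cas, directory=DIRECTORY) -> str:
    if not chains_to_trusted_ca(cert, trusted_cas):
        return "reject: unknown CA or bad signature"
    ident = identity_from_san(cert)
    if ident is None:
        return "reject: no usable SAN identity"
    kind, name = ident
    if name.lower() not in directory.get(kind, set()):
        return f"reject: {kind} {name} not found in directory"
    return f"accept: {kind} {name}"


def demo():
    d2_key, d2_ca = make_ca("domain2-CA")          # the CA imported into the trust store
    rogue_key, rogue_ca = make_ca("domain2-CA")    # same name, never imported
    trust_store = [d2_ca]
    upn = lambda u: x509.OtherName(UPN_OID, _der_utf8string(u))
    _, user_cert = issue_client_cert(d2_key, d2_ca, "alice", upn("alice@domain2.com"))
    _, machine_cert = issue_client_cert(d2_key, d2_ca, "lt-0042", x509.DNSName("lt-0042.domain2.com"))
    _, gone_cert = issue_client_cert(d2_key, d2_ca, "bob", upn("bob@domain2.com"))  # valid cert, no account
    _, rogue_cert = issue_client_cert(rogue_key, rogue_ca, "alice", upn("alice@domain2.com"))
    return {"user": authorize(user_cert, trust_store),
            "machine": authorize(machine_cert, trust_store),
            "no_account": authorize(gone_cert, trust_store),
            "rogue": authorize(rogue_cert, trust_store)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>10}: {result}")
```

The `no_account` case is the reason for the directory lookup after the TLS handshake: a certificate stays cryptographically valid until it expires or is revoked, so disabling or deleting the account in AD is what actually stops that user, and the lookup is what makes the disablement take effect on the network. The `rogue` case shows that matching the issuer name is not enough; only the key of the CA actually imported into the trust store verifies the signature.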