EAP-TLS with multiple domains?

VS
Level 1

Hello,

I have an ISE 2.2 p9 deployment. domain1.com AD is joined to ISE and working well for our users. Another domain2.com is also connected to ISE, as we use a 2-way trust between domain1.com and domain2.com.

domain1.com uses PEAP. This is our organization; we have the AD/CA certificates etc. all configured and everything is fine.

But domain2.com is another organization; their laptops are set to use EAP-TLS. When they authenticate with our SSID we get the error in ISE "12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain".

As I understand it, I just need to download the CA certificate from http://domain2.com/certsrv and import it into ISE.

Is there any additional step? Do I need to do the CSR process as well with their MS CA server?

Will my ISE services restart?

1 Accepted Solution

Surendra
Cisco Employee
The only requirement is that your ISE server certificate needs to be trusted by the client and the client certificate needs to be trusted by ISE.

Importing the domain2 CA cert should be fine as long as all those clients are issued a certificate from domain2.com. Your client seems to trust the ISE server certificate, given that ISE sends the server certificate first and the client then responded with its certificate.

ISE services will not restart if you just import a CA certificate.

3 Replies

Thank you very much @Surendra, it started to work after importing the CA cert. From a security perspective, am I supposed to do an AD lookup too after the EAP-TLS machine/user cert check goes through?

What's the best practice?

I am blanking at the moment, but what will happen if a user copies the certificate from their corporate laptop onto their personal laptop (assuming they have the smarts to use the same hostname as well)?

 

You can do an AD check from the information contained in the certificate, usually using the SAN field in the cert. The hostname of the device doesn't matter. If a user is able to export the certificate and private key (you need the private key to use a certificate to authenticate) from their corporate device, they can use it to get any other device onto the network. Your certificate policies should mark the key as non-exportable. Some OS types don't respect the do-not-export flag, or if the user has the knowledge there is a way to get around the do-not-export flag.
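An added illustration of the two checks this answer describes (example code, not anything posted in the thread or Cisco's own): an openssl shell script that builds a constructed domain2.com-style CA plus a client certificate carrying a DNS and UPN-style SAN, and a second certificate with the same kind of name issued by a CA the trust store does not contain. Chain validation against the imported CA accepts the first and rejects the second (the unknown-CA condition behind error 12514), and the SAN DNS name is extracted as the value an AD lookup would key on. All CA names, hostnames and files are constructed for the demo, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not code from the thread: the two checks discussed above done with
# openssl against constructed certificates. Every name and file here is made up.
WORK=$(mktemp -d)

# Check 1: does the client cert chain to a CA we trust (the CA cert imported into ISE)?
# Exit status 0 = trusted; non-zero = "unknown CA in the client certificate chain".
verify_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: list the DNS SAN entries, one per line. That is what an AD lookup keys on,
# not whatever hostname the device presents on the wire.
extract_san_dns() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Constructed test material: a self-signed issuing CA and a client cert it signs.
gen_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
gen_client() {  # $1 = issuing CA, $2 = machine FQDN; SAN gets a DNS name and a UPN-style otherName
  printf 'subjectAltName=DNS:%s,otherName:1.3.6.1.4.1.311.20.2.3;UTF8:host/%s\n' "$2" "$2" \
    > "$WORK/$2.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

gen_ca domain2-ca                            # the partner CA whose cert gets imported into ISE
gen_ca unknown-ca                            # a CA ISE has never been told about
gen_client domain2-ca laptop01.domain2.com   # partner laptop, properly issued
gen_client unknown-ca laptop02.domain2.com   # same hostname pattern, wrong issuer
TRUSTED="$WORK/domain2-ca.pem"

for host in laptop01.domain2.com laptop02.domain2.com; do
  if verify_client_cert "$TRUSTED" "$WORK/$host.pem"; then
    echo "$host: chain trusted, AD lookup key = $(extract_san_dns "$WORK/$host.pem")"
  else
    echo "$host: rejected, issuer not in trust store (the 12514 case)"
  fi
done
```

Point TRUSTED at the real exported CA file and the loop at captured client certificates to reproduce the decision ISE makes before any AD lookup happens.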