11-18-2021 01:51 AM
Hi All!
I wanted to swing this question past the wider audience. I recently came across an ISE deployment (v2.6) whereby the certificate used for EAP authentication is valid; however, the top two certificates in the certificate chain are expired.
Clients are still accepting the certificate without any problems and are authenticating successfully on the network.
Can anyone explain to me why having expired certificates in the chain does not result in clients rejecting the ISE certificate? I'm assuming it's something possibly on the supplicant side, but I've never claimed to be a Windows expert.
Any help would be greatly appreciated!
P.S. The supplicants have the expired certificates installed in the Trust Store.
11-18-2021 04:05 AM
Clients are still accepting the certificate without any problems and are authenticating successfully on the network.
Can anyone explain to me why having expired certificates in the chain does not result in clients rejecting the ISE certificate? I'm assuming it's something possibly on the supplicant side, but I've never claimed to be a Windows expert.
-So I am assuming you are using the native supplicant and not NAM. Anyways, this could very well be a native supplicant configuration issue. I would start with verifying if the following is set:
Verify the server's identity by validating the certificate: Specifies that the client verifies that server certificates presented to the client computer have the correct signatures, have not expired, and were issued by a trusted root certification authority (CA).
Note that by default this is enabled. I would still double check.
12-04-2021 01:23 PM
This is 100% an endpoint supplicant configuration issue.
There are options to ignore the authentication server certificate.
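One way to check the setting both replies point at across many endpoints, as an added example that is not part of the thread: export the 802.1X profiles with `netsh` and inspect the EAP configuration XML for the server validation flag. The helper name `Test-EapServerValidation` and the `C:\temp` folder are hypothetical, and the sample profile fragment is constructed and trimmed; `PerformServerValidation` and `TrustedRootCA` are the element names Windows uses in exported PEAP and EAP-TLS profiles.

```powershell
# Added example. Export real profiles first with:
#   netsh wlan export profile folder=C:\temp
#   netsh lan export profile folder=C:\temp
function Test-EapServerValidation {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][xml]$Xml,
        [string]$Name = 'profile'
    )
    # Match on local-name() so the same check covers the PEAP and EAP-TLS namespaces.
    $perform = $Xml.SelectNodes("//*[local-name()='PerformServerValidation']")
    $roots   = $Xml.SelectNodes("//*[local-name()='TrustedRootCA']")
    $findings = @()
    if ($perform.Count -eq 0) {
        $findings += 'PerformServerValidation not present; confirm the checkbox in the profile GUI'
    }
    foreach ($node in $perform) {
        if ($node.InnerText.Trim() -ne 'true') {
            $findings += 'PerformServerValidation is not true: server certificate is not validated'
        }
    }
    if ($roots.Count -eq 0) {
        $findings += 'No TrustedRootCA listed in the profile'
    }
    [pscustomobject]@{
        Profile  = $Name
        Pass     = ($findings.Count -eq 0)
        Findings = $findings -join '; '
    }
}

# Constructed, trimmed fragment of an exported PEAP profile (not from the thread).
$sample = [xml]@'
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
  </PeapExtensions>
</EapType>
'@

Test-EapServerValidation -Xml $sample -Name 'constructed-sample'

# Against real exports:
# Get-ChildItem C:\temp\*.xml | ForEach-Object { Test-EapServerValidation -Xml ([xml](Get-Content $_ -Raw)) -Name $_.Name }
```

A profile that reports `Pass = False` here accepts the RADIUS server certificate without the signature, expiry and trusted-root checks described in the accepted answer.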