06-05-2013 07:49 PM - edited 03-10-2019 08:30 PM
Using SHA1 for Cisco 7925g and SHA256 for data. Two separate CAs, one Entrust (SHA1), the other a local Windows CA (SHA256); ISE can only use one at a time to process a particular protocol (i.e. EAP-TLS, HTTP, etc.).
As a result we have to have a separate PSN just for Wireless and Wired VoIP (which can only hold SHA1 RSA1024).
Has anyone else run into this issue?
The box said 'Requires Windows XP or better'. So I installed LINUX...
06-05-2013 11:37 PM
It is correct that you can only have one Cert for EAP and one for HTTPS; this is the case for all 1.1.X versions of ISE.
Why don't you just use one Cert for all of your EAP functions?
06-06-2013 05:27 AM
Thanks for the response. Unfortunately, policy doesn't allow for mixed mode (i.e. SHA1 for 7925s and SHA256) for data. Since the 7900 series wired and 7925g wireless can run SHA256 we had to find a 3rd party hosted PKI solution. Spoke with a Cisco ISE Engineer and he verified the configurations aren't granular enough to be able to direct traffic to the proper cert and protocol. The one that's active is the one that will be used.
The new Cisco 7925 wireless model that can accept SHA256 isn't coming until 2014, so I've heard, and not sure when the wired desktop units will be able to handle SHA256. Kinda leaves you in a pickle when architecting because it adds 2 PSNs automatically for HA/DR.
The box said 'Requires Windows XP or better'. So I installed LINUX...
06-06-2013 01:43 AM
I guess you're using 2 different CAs because you want to use a certificate signed with a SHA256 RSA signature; however, the 7925 IP phones don't support or work with SHA256, so you want to use SHA1 for phones only. We had this discussion in the link listed below: https://supportforums.cisco.com/thread/2165566
Yes, ISE can use only one cert for EAP chaining and one for HTTPS.
Jatin Katyal
- Do rate helpful posts -
06-06-2013 05:27 AM
That is exactly correct. Thanks for the link, I will check it out...
The box said 'Requires Windows XP or better'. So I installed LINUX...
06-08-2013 02:24 AM
Anytime. Keep this thread updated if you face any further issues.
Jatin Katyal
- Do rate helpful posts -