ISE 1.1.4 Can't run multiple signed CA's in the store

desmanicholson
Level 1

Using SHA1 for Cisco 7925G and SHA256 for data. Two separate CAs, one Entrust (SHA1), the other a local Windows CA (SHA256); ISE can only use one at a time to process a particular protocol (i.e. EAP-TLS, HTTP, etc.).

As a result we have to have a separate PSN just for Wireless and Wired VoIP (which can only hold SHA1 RSA1024).

Has anyone else run into this issue?

The box said 'Requires Windows XP or better'. So I installed LINUX...
5 Replies

Richard Atkin
Level 4

It is correct that you can only have one Cert for EAP and one for HTTPS; this is the case for all 1.1.X versions of ISE.

Why don't you just use one Cert for all of your EAP functions?

Thanks for the response. Unfortunately policy doesn't allow for mixed mode (i.e. SHA1 for the 7925s and SHA256 for data). Since the 7900 series wired and 7925G wireless can't run SHA256, we had to find a 3rd-party hosted PKI solution. Spoke with a Cisco ISE engineer and he verified the configurations aren't granular enough to be able to direct traffic to the proper cert and protocol. The one that's active is the one that will be used.

The new Cisco 7925 wireless model that can accept SHA256 isn't coming until 2014, so I've heard, and I'm not sure when the wired desktop units will be able to handle SHA256. Kinda leaves you in a pickle when architecting because it adds 2 PSNs automatically for HA/DR.

The box said 'Requires Windows XP or better'. So I installed LINUX...

Jatin Katyal
Cisco Employee

I guess you're using 2 different CAs because you want to use a certificate signed with a SHA256 RSA signature; however, the 7925 IP phones don't support or work with SHA256, so you want to use SHA1 for phones only. We had this discussion in the below listed link: https://supportforums.cisco.com/thread/2165566

Yes, ISE can use only one cert for eap chaining and one for https.

Jatin Katyal
- Do rate helpful posts -

~Jatin
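When you are sorting certificates between a SHA1 chain and a SHA256 chain, as the OP has to do here, the first thing to confirm is which signature algorithm each certificate actually carries. The following is an added example, not code from Cisco, ISE or anyone in this thread: a dependency-free walk of a DER-encoded X.509 certificate that reads the outer signatureAlgorithm OID and the signature field inside tbsCertificate (RFC 5280 requires the two to match), so you can inventory SHA1-signed versus SHA256-signed certs before deciding which one to install for EAP or HTTPS. The sample certificates are constructed skeletons built by the helper in the block (correct DER framing, but no real key or signature); the OID values are the standard RFC 3279 / RFC 4055 identifiers.

```python
"""Report the signature algorithm of DER-encoded X.509 certificates.

Added example for the ISE SHA1/SHA256 thread; not Cisco or ISE code.
Only the stdlib is used, so it runs anywhere you can copy a cert to.
"""

# Standard OIDs for signature algorithms (RFC 3279 / RFC 4055 / RFC 5758).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode base-128 OID content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _alg_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }."""
    tag, oid_raw, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid_raw)


def signature_algorithms(cert_der):
    """Return (outer_sig_oid, tbs_sig_oid) for one certificate."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is the file PEM? base64-decode it first)")
    _, tbs, pos = _read_tlv(body, 0)          # tbsCertificate
    _, outer_alg, _ = _read_tlv(body, pos)    # signatureAlgorithm
    # Inside tbsCertificate: optional [0] version, serialNumber, signature.
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                           # v2/v3: version present, serial is next
        _, _, pos = _read_tlv(tbs, pos)
    _, tbs_alg, _ = _read_tlv(tbs, pos)
    return _alg_oid(outer_alg), _alg_oid(tbs_alg)


def classify(cert_der):
    """Human-readable summary; 'consistent' is False for a malformed cert."""
    outer, inner = signature_algorithms(cert_der)
    return {
        "outer": SIG_OIDS.get(outer, "unknown:" + outer),
        "tbs": SIG_OIDS.get(inner, "unknown:" + inner),
        "consistent": outer == inner,
    }


# --- constructed sample input (DER skeleton, not a real signed cert) ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return out


def make_sample_cert(sig_oid, tbs_oid=None):
    """Build a v3 certificate skeleton: version, serial, signature alg, then
    placeholder fields. The parser above only touches the leading elements."""
    alg_id = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    tbs_alg = _der(0x30, _der(0x06, _encode_oid(tbs_oid or sig_oid)) + b"\x05\x00")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))   # version v3
                     + _der(0x02, b"\x01")             # serialNumber 1
                     + tbs_alg
                     + _der(0x30, b""))                # issuer (empty placeholder)
    sig_value = _der(0x03, b"\x00" + b"\x00" * 8)      # BIT STRING placeholder
    return _der(0x30, tbs + alg_id + sig_value)


if __name__ == "__main__":
    for label, oid in (("Entrust-style SHA1", "1.2.840.113549.1.1.5"),
                       ("Windows CA SHA256", "1.2.840.113549.1.1.11")):
        print(label, classify(make_sample_cert(oid)))
```

To run it against a real certificate, base64-decode the PEM body to DER bytes and pass them to `classify`; a `consistent: False` result means the two algorithm fields disagree and the cert should be rejected rather than installed.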

That is exactly correct. Thanks for the link, I will check it out...

The box said 'Requires Windows XP or better'. So I installed LINUX...

Anytime. Keep this thread updated if you face any further issues.

Jatin Katyal
- Do rate helpful posts -

~Jatin