ISE 2.1: Elliptical Curve Cryptography Support for EAP-TLS with external CA

vpalkin
Cisco Employee

Hello experts,

In ISE 2.1 release notes: http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html#pgfId-687384

There is the following note:

Cisco ISE CA service now supports certificates based on Elliptical Curve Cryptography (ECC) algorithms. ECC offers increased security and better performance than other cryptographic algorithms while providing the same level of security as other systems with a much smaller key size.

Cisco ISE CA service supports ECC certificates for devices connecting through the BYOD flow. You can also generate ECC certificates from the Certificate Provisioning Portal.

However, it is not written there whether ISE supports ECC certificates signed by an external CA (not BYOD) for EAP-TLS authentication. Could you please clarify?

Accepted Solution

hslai
Cisco Employee

ISE 2.1 supports ECC in trust certificates (external CA chains) and endpoint certificates for EAP-TLS but not yet in ISE server certificates. CSCvb04405 is a recent bug in FIPS mode.

vpalkin
Cisco Employee

Hi Hsing,

Thank you for the reply!

Just to clarify - a customer has an ECC-signed certificate already installed as a server certificate with the EAP role. Since it is not supported, we should open a bug/docbug for it, right?