ISE 2.3 Root CA feature to sign EAP Certificate

alfonso.cornejo
Level 3

Hi,

I have a cluster of 2 ISE v2.3 nodes; in my location we don't have an internal CA to generate the certificate that we can use for user authentication using EAP.

I was wondering whether we can use the Root CA feature that ISE has to generate that certificate. I know that I can use the self-signed certificate that each server has, install those on every user computer, and EAP will work.

But what about when that certificate expires? Do I have to generate it again and then install it again on each computer?

That's why I was wondering if there is a way that I can "sign" that certificate with the internal root CA that ISE has and only install the "ISE CA Root Authority Certificate" on every computer, so they will trust any certificate generated by the primary ISE node, just the same way I do it when I have a traditional Windows or Linux CA.

What do you suggest?

Thanks in advance.

Accepted Solution

Craig Hyps
Level 10

The PSNs that issue certs are signed by the ISE root. During the BYOD/NSP flow, the client will be issued a cert and a signing cert. ISE has the capability to renew certs for clients whose cert is about to expire. If the signing cert is expired, then just having trust of the root CA is not enough. The cert chain must be trusted, and if the client or signing chain has an expiration or revocation, then simple trust of the root CA alone is not sufficient.
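The point above, that the whole chain and not just the root has to be valid, can be checked locally. This is an added example, not code from the thread or from Cisco ISE: it builds a constructed root / PSN signing CA / client chain with OpenSSL and verifies the client cert at two instants, assuming `openssl` is installed (the names, lifetimes and the three-day offset are all constructed for the demo).

```shell
#!/bin/sh
# Added example (not from the thread): a three-tier chain shaped like the ISE
# layout in the answer -- a root CA, a PSN "signing" CA issued by that root,
# and a client (EAP) cert issued by the PSN. All names and lifetimes are
# constructed; the PSN cert is made deliberately short-lived (1 day).
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: long-lived, self-signed (openssl req -x509 marks it CA:TRUE).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -days 3650 -subj "/CN=Demo ISE Root CA" 2>/dev/null

# PSN signing CA: issued by the root, valid for only 1 day.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -keyout psn.key -out psn.csr \
  -subj "/CN=Demo ISE PSN Signing CA" 2>/dev/null
openssl x509 -req -in psn.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out psn.crt 2>/dev/null

# Client cert: issued by the PSN, valid for a year (longer than its issuer).
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=user1" 2>/dev/null
openssl x509 -req -in client.csr -CA psn.crt -CAkey psn.key -CAcreateserial \
  -days 365 -out client.crt 2>/dev/null

# Validate the client cert the way a supplicant that trusts only the root
# would: root in the trust store, PSN cert supplied as an untrusted
# intermediate, evaluated at epoch time $1. Exit 0 = whole chain valid.
verify_client_at() {
  openssl verify -attime "$1" -CAfile "$WORK/root.crt" \
    -untrusted "$WORK/psn.crt" "$WORK/client.crt" >/dev/null 2>&1
}

NOW=$(date +%s)
LATER=$((NOW + 3 * 86400))   # three days on: the PSN signing cert has expired
if verify_client_at "$NOW"; then echo "today: chain OK"; fi
if verify_client_at "$LATER"; then
  echo "in 3 days: chain OK"
else
  echo "in 3 days: chain FAILS (root still trusted, but PSN signing cert expired)"
fi
```

The second check fails even though the root is still trusted and the client cert itself is still within its validity period, which is exactly the situation the answer describes.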
