05-08-2025 11:47 PM - edited 05-08-2025 11:58 PM
Hi Experts
Recently we renewed our Root CA certificates and Intermediate CA certificates, but we didn't upload them to our ISE server. All devices, with new certificates or old ones, are working. Just curious: it seems ISE didn't verify the certificate chain of trust, and mainly verified the Common Name (username) in AD.
1. On ISE, the certificates are: old Root CA certificate, old Intermediate (issuing) CA certificates x 2.
The settings are:
2. On users' devices, the below certificates can pass authentication:
3. Below are the authentication logs. It looks like ISE only uses the uploaded Intermediate CA certificates for CRL verification, and then selects the Common Name from the SCEP certificate to verify it in AD.
It looks like ISE didn't verify the chain of trust, as new SCEP certificates pointing to the new Root CA still get allowed. It only does CRL verification via the old intermediate CA certificate. (I think the CRL didn't change during our Root CA renewal.)
If that is right, then when should we upload the new Root CA and new Intermediate (issuing) CA certificates onto ISE? Only when the old ones expire? Or can we just upload the new ones and let them coexist in parallel?
Thanks very much.
05-14-2025 06:25 PM
CRL downloads use HTTP (TCP/80) and there is no transport security involved; therefore, no certs/SSL are involved here.
I'm struggling to understand the issue. There is no danger whatsoever in installing the new Root CA and its new Intermediate CA certs; just be sure to tick the right boxes to ensure they are used for endpoint auth. On the Issuing CA certs, you can (or should) set the CRL URL manually, since ISE doesn't look in the client cert's CDP (CRL Distribution Point) to pick out the HTTP URL. In the past, I noticed that it would pick the LDAP URL (if the CA is a Windows box) and then fail spectacularly.
Also, are you sure that you want to perform an AD lookup of the user's cert for each EAP-TLS authentication? It's not technically required, and I don't know if you have read up on the pros and cons of doing this (happy to be corrected on the merits). But generally, if ISE is performing the cryptographic checks for the cert's authentication, then the authentication is done (in my opinion) and needs no further checks; the authorization can of course be (and often is) performed by looking up the identity in that cert (from the Subject CN or SAN) to query AD group membership, etc.
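The chain-of-trust question raised in the original post and the "cryptographic checks vs. AD lookup" point in the reply above, as an added example that is not part of either post and not ISE's own code: it builds a throwaway old-root / new-root PKI in memory (all names and the user "jdoe" are constructed), walks a user certificate back to a trusted root the way a NAS/RADIUS server must, and shows that a certificate issued under the new root only validates once the new root has been added to the trust store. Extracting the Subject CN at the end is the value the AD lookup would then be keyed on.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def _cert(subject_cn, issuer_cert, issuer_key, key, is_ca):
    """Mint a minimal cert; issuer_cert=None means self-signed (a root). Constructed test PKI."""
    now = datetime.datetime(2025, 1, 1)  # fixed date so the example is reproducible
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer = name if issuer_cert is None else issuer_cert.subject
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

# Old root is what the ISE trust store holds; the user cert was issued under the NEW hierarchy.
OLD_ROOT_KEY, NEW_ROOT_KEY, NEW_INT_KEY, LEAF_KEY = _key(), _key(), _key(), _key()
OLD_ROOT = _cert("Old Root CA", None, OLD_ROOT_KEY, OLD_ROOT_KEY, True)
NEW_ROOT = _cert("New Root CA", None, NEW_ROOT_KEY, NEW_ROOT_KEY, True)
NEW_INT = _cert("New Issuing CA", NEW_ROOT, NEW_ROOT_KEY, NEW_INT_KEY, True)
LEAF = _cert("jdoe", NEW_INT, NEW_INT_KEY, LEAF_KEY, False)  # SCEP-style user cert (constructed)

def signed_by(cert, issuer):
    """True only if `issuer` names itself as issuer, is marked CA, and its key signed `cert`."""
    if cert.issuer != issuer.subject:
        return False
    if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        return False  # a non-CA cert (e.g. another user cert) must never act as an issuer
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False

def chain_to_trusted_root(leaf, intermediates, trusted_roots):
    """Walk leaf -> intermediate(s) -> root; True only if a trusted root anchors the chain."""
    cur = leaf
    for _ in range(len(intermediates) + 1):
        if any(signed_by(cur, root) for root in trusted_roots):
            return True
        nxt = [i for i in intermediates if signed_by(cur, i)]
        if not nxt:
            return False  # no known issuer: chain is broken, do not fall back to the CN
        cur = nxt[0]
    return False

def common_name(cert):
    """The value an AD lookup would be keyed on; only meaningful AFTER the chain validates."""
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
```

Adding the new root and issuing CA alongside the old ones (the "coexist in parallel" option) is what makes `chain_to_trusted_root` succeed for certificates from either hierarchy during the transition.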