ISE Accept certificates without validating purpose will break 802.1AR

Arne Bier (VIP)

Does anyone know what a valid use case is for unchecking this box?

According to my experience, it tries to enforce RFC 5280. But in reality, unchecking this box can break 802.1X authentications, in particular for devices that are authenticating with 802.1AR IDevID certificates. I validated this with one vendor (Axis) who implement 802.1AR certs, and according to the IEEE document for that spec, there is no requirement for an EKU (and Axis don't include it), and the spec also says NOT to include the Key Usage for these certs.

802.1AR is a very good initiative to make onboarding of devices easier using EAP-TLS. There seems to be a disconnect somewhere between RFC 5280's pipe dream of better security and the IEEE's vision of plug-and-play EAP-TLS.

Bottom line - don't uncheck that box unless you know 100% why you are doing it.

[Screenshot attachment: ArneBier_0-1761187438120.png]
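An added example, not code from the post, from Cisco or from Axis: a small Python script (using the `cryptography` library) that builds two constructed certificates, an 802.1AR-style IDevID carrying neither Key Usage nor EKU as the post describes, and a cert carrying KU digitalSignature/keyEncipherment plus EKU clientAuth, then runs a simplified purpose check over each to show which attributes a strict RFC 5280-style validation would report as missing. The check is a model of the behaviour discussed in this thread, not ISE's actual logic; the keyEncipherment requirement is an assumption taken from the TAC note quoted in the replies.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def _self_signed(cn, key, extensions=()):
    # Minimal self-signed skeleton shared by both constructed test certs.
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=365)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical)
    return b.sign(key, hashes.SHA256())

def make_idevid_like_cert():
    """Constructed 802.1AR-style IDevID: no KeyUsage and no ExtendedKeyUsage."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return _self_signed("constructed-idevid", key)

def make_strict_client_cert():
    """Constructed cert carrying the attributes a strict purpose check expects."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ku = x509.KeyUsage(digital_signature=True, content_commitment=False,
                       key_encipherment=True, data_encipherment=False,
                       key_agreement=False, key_cert_sign=False, crl_sign=False,
                       encipher_only=False, decipher_only=False)
    eku = x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH])
    return _self_signed("constructed-client", key, [(ku, True), (eku, False)])

def purpose_check(cert):
    """Simplified model of a strict client-auth purpose check (not ISE's code):
    lists which of KU digitalSignature/keyEncipherment and EKU clientAuth are absent."""
    missing = []
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.digital_signature:
            missing.append("KU:digitalSignature")
        if not ku.key_encipherment:
            missing.append("KU:keyEncipherment")
    except x509.ExtensionNotFound:
        missing.append("KU")  # extension absent entirely, as on the IDevID
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
            missing.append("EKU:clientAuth")
    except x509.ExtensionNotFound:
        missing.append("EKU")
    return {"passes": not missing, "missing": missing}
```

Running `purpose_check` over a real supplicant certificate loaded with `x509.load_pem_x509_certificate` gives a quick pre-deployment view of whether leaving the checkbox in its default state will reject that device.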


@Arne Bier,

this is one of those questions that, once I read it, I couldn't get out of my head. : )

At this exact moment, I don't have a Use Case for it yet, but thank you for pointing it out; some checkboxes end up going unnoticed by me, and this was one of them.


Some Bug ID references:

CSCvz78531 Add human readable outputs in the live logs detailed report when KU or EKU attributes are missing

CSCvz78547 ISE admin guide should specify that there is a way to bypass the mandatory Key Usage


and this old Post: EAP-TLS human readable live log error messages needed.

" ... Per TAC the requirement/check for Key Encipherment was added in ISE 2.3 ... "


Note: I added your question to my list; if I find the answer, I'll post it here!


Best regards


In my books, this checkbox is called the RFC 5280 kill switch.

@Arne Bier,

I loved that, my friend!