ISE BYOD Profile on End Point: how to add another Root CA certificate

Filip Po
Level 1

Hello, dear community members.

I am dealing with the new Root CA in the Enterprise Infrastructure.

Both the old Root CA and the new Root CA issue certificates for ISE EAP-TLS use.

I can't use the new certificate for ISE EAP-TLS issued by the new Root CA, because the certificate issued by the old Root CA is used for the EAP-TLS certificate of ISE. And I need to preserve the SSID name in the profile.

For EAP-TLS, if I set ISE to use the certificate issued by the new Root CA, all onboarded BYOD End Points stop AuthC to the network because ISE is not trusted anymore.

So I have a question:

Is there any approach or method to add a trusted new Root CA certificate to the BYOD profile on the End Point? Then, over time, all devices will be re-onboarded over a year or two, and I'll be able to change the EAP-TLS certificate of ISE while the trust is maintained. As a result, for newly onboarded devices, I would like to have a BYOD Profile on the device that includes:

  • Root CA certificate of the old CA
  • Root CA certificate of the new CA
  • certificate of the End Point issued by the ISE SubRoot CA
  • Wi-Fi SSID Profile.

Regards,

Filip


Arne Bier
VIP

Hi @Filip Po

I got a bit confused about your question - so I will ask some clarifying questions:

- When you say "BYOD" are you using ISE to onboard client devices via the ISE BYOD onboarding process?

Sadly, ISE can only support one EAP System Certificate for the purposes of the EAP Tunnel establishment/negotiation. If the EAP clients (supplicants) are checking/validating the "RADIUS Server Certificate", then they will require the CA chain of the CA that signed that ISE EAP System cert. Therefore it's now a client problem to change the supplicant profile in such a way as to ensure that the current ISE EAP System cert is trusted. And that depends on each type of supplicant/OS.

If, on the other hand, you're asking whether ISE can trust CLIENT certs that have been signed by completely different CAs, then the answer is yes. All you need to do there is to add all the CA cert chains of the Root CA and any Issuing CAs involved in the CLIENT cert creation. And this has nothing to do with the ISE EAP System Certificate.

A lot of customers are using publicly signed ISE EAP System certs these days to ensure that the clients/supplicants have no trouble trusting ISE during TLS negotiation. Of course, clients need to be configured as such - but usually most clients come factory installed with a lot of public Root CAs - so this makes the experience a lot smoother. I would add, though, that in my opinion this weakens the security, unless the supplicant is configured to trust a SPECIFIC public CA, AND the domain of the ISE server is configured in the supplicant so that the supplicant checks the SAN of the cert - that will validate that the supplicant is talking to the intended RADIUS server.
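As an added illustration of the supplicant-side check discussed in this thread (this is not code from the reply above, from Cisco ISE, or from any supplicant), the Go program below builds a constructed in-memory PKI with an old and a new root, issues an ISE-style EAP System Certificate from the new root, and runs the "RADIUS Server Certificate" validation a supplicant performs: the onboarded profile that trusts only the old root rejects the new cert, a profile carrying both roots accepts it, and that same profile still rejects a server name that is not in the cert's SAN. The CA names and ise.example.com are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue builds a cert for this constructed in-memory PKI: a self-signed root if parent is nil, else an ISE-style EAP cert with cn in its SAN.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	now := time.Now() // serial 1 is safe here: each issuer in this toy PKI signs exactly one cert
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { // root CA signs itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // supplicants match the configured server name against the SAN, not the CN
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SupplicantTrustsServer mimics the supplicant's RADIUS server certificate check: the ISE cert must chain to a root carried in the BYOD profile and its SAN must match serverName.
func SupplicantTrustsServer(ise *x509.Certificate, profileRoots []*x509.Certificate, serverName string) bool {
	pool := x509.NewCertPool()
	for _, r := range profileRoots {
		pool.AddCert(r)
	}
	_, err := ise.Verify(x509.VerifyOptions{Roots: pool, DNSName: serverName}) // default EKU check is ServerAuth
	return err == nil
}

// Scenario: ISE moves its EAP cert to the new root; returns whether a profile with only the old root accepts it, whether one with both roots does, and whether both-roots rejects a wrong server name.
func Scenario() (oldOnly, bothRoots, wrongName bool) {
	oldRoot, _ := issue("Old Enterprise Root CA", nil, nil)
	newRoot, newKey := issue("New Enterprise Root CA", nil, nil)
	ise, _ := issue("ise.example.com", newRoot, newKey)
	oldOnly = SupplicantTrustsServer(ise, []*x509.Certificate{oldRoot}, "ise.example.com")
	bothRoots = SupplicantTrustsServer(ise, []*x509.Certificate{oldRoot, newRoot}, "ise.example.com")
	wrongName = SupplicantTrustsServer(ise, []*x509.Certificate{oldRoot, newRoot}, "radius.example.net")
	return
}
```

Pinning the supplicant to a specific root (or both roots during the transition) plus the configured server name is what keeps onboarded devices authenticating across the CA change while still rejecting any other RADIUS server.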