ise certificate

muhsi_2015
Level 1

Hi

A few questions: if I use a multi-use CSR and get a certificate from an external CA like GoDaddy,
can I use it for EAP authentication, or does it need to be from an internal CA?

If I create a CSR for an external CA (multi-use), is it necessary to bind EAP, or can I create a separate certificate for EAP authentication from my internal CA?

If I did not choose "Trust for client authentication and Syslog" while importing the root certificate, and when binding I choose EAP authentication,
what will happen in that case?

Thanks

3 Replies

Theoretically you could use a certificate from a public CA for EAP. Practically you will use your own CA.

The CA for the portals is a good candidate for a public certificate to minimize certificate warnings. But with EAP you only have company-managed clients, which have your CA certificate anyway. And you only want to trust the endpoint certificates of your company and not all that are issued by GoDaddy, for example.

Hi,

Thanks for your reply. Basically this is to trust only organization-owned devices; that's why an internal CA is recommended. Correct me if I am wrong?

And what is "Trust for client authentication and Syslog"?

If I did not choose "Trust for client authentication and Syslog" while importing the root certificate, and when binding I choose EAP authentication, what will happen?

And if I bind the admin portal and EAP authentication to a certificate (multi-use) issued by a public CA, and later I want to put in an internal CA for EAP, what is the procedure?

Thanks 

Best to start with reading the admin-guide chapter on certificates:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0111.html

Each certificate is bound to a specific function. This function has to be enabled to work with one of the certificates. As each function (like EAP) can only be served by one certificate, it has to be disabled on the old certificate when enabled on a different one.