Solved: Re: ISE EAP Authentication in Multiple Domain

Andre Liverod · ‎02-23-2017

I have this challenge where customer has two separate domains, ISE has been added to both of them and importing users etc from both domains works fine. ISE version is 2.0.0.306.

Both domains have separate Windows CA servers, how does this work with EAP Authentication ? As far as I can see you cannot use EAP authentication on multiple system certificates. The first domain (employee domain) is already set up with System certificates signed by the CA in the domain and has a working 802.1x wireless network with EAP certificate authentication. How do I set up the same for the other domain (student domain) which has a separate CA Server ?

For me it seems EAP Authentication only works in multiple domains if the same CA server is used in all the domains, but i cannot find any documentation that confirms or denies this. How do I set this up?

Mike.Cifelli · ‎10-01-2019

You can accomplish eap-tls authentication via certificates for two separate domains with separate CAs. Just ensure that you have imported BOTH cert chains into the ISE trust store & trust them for authentication purposes. You can configure separate identity source sequences that reference each respective AD OR combine them into one. Note that whichever join point is on top if something is found there it will not move to the next join point. Do you have users from both domains sharing switches? If you dont you could build out your policies separately based on device types and group your NADs accordingly. If NADs are shared it will be a little trickier to separate the two domains via policies, but it can be done. Good luck & HTH!

View solution in original post

Angel_Inglese · ‎09-30-2019

Good day,

Does anybody know if this is possible? this is the same scenario I'm facing,

The customer has 2 environments, Production and Develpment, ISE is currently working with Production environment (CA + AD)

but what happens if users in Development phase cannot authenticate to ISE because of the CSR was already signed by the Production CA? (so, it won´t authenticate Client and Server)

this is highly demanded by corporations nowadays in order to do tests before moving to production.

Thank you,

Mike.Cifelli · ‎10-01-2019

You can accomplish eap-tls authentication via certificates for two separate domains with separate CAs. Just ensure that you have imported BOTH cert chains into the ISE trust store & trust them for authentication purposes. You can configure separate identity source sequences that reference each respective AD OR combine them into one. Note that whichever join point is on top if something is found there it will not move to the next join point. Do you have users from both domains sharing switches? If you dont you could build out your policies separately based on device types and group your NADs accordingly. If NADs are shared it will be a little trickier to separate the two domains via policies, but it can be done. Good luck & HTH!

Angel_Inglese · ‎10-07-2019

Yeap, I thought about that!

but also the CSR should change right? because the domain and Root certificate change, so my worries are about the EAP CSR not signed by the first CA right?

I tried to do that on dcloud but is completely difficult to have 2 completely separate domains and users in the same ISE HA, and yes, testing environment has unique users and NAD, the policy will have a separate authentication rule.

thank you for your reply.