02-23-2017 03:14 AM - edited 03-11-2019 12:29 AM
I have this challenge where a customer has two separate domains. ISE has been added to both of them, and importing users etc. from both domains works fine. ISE version is 2.0.0.306.
Both domains have separate Windows CA servers; how does this work with EAP authentication? As far as I can see, you cannot use EAP authentication on multiple system certificates. The first domain (employee domain) is already set up with system certificates signed by the CA in the domain and has a working 802.1X wireless network with EAP certificate authentication. How do I set up the same for the other domain (student domain), which has a separate CA server?
To me it seems EAP authentication only works in multiple domains if the same CA server is used in all the domains, but I cannot find any documentation that confirms or denies this. How do I set this up?
10-01-2019 05:58 AM
You can accomplish EAP-TLS authentication via certificates for two separate domains with separate CAs. Just ensure that you have imported BOTH cert chains into the ISE trust store and trust them for authentication purposes. You can configure separate identity source sequences that reference each respective AD, OR combine them into one. Note that, whichever join point is on top, if something is found there it will not move to the next join point. Do you have users from both domains sharing switches? If you don't, you could build out your policies separately based on device types and group your NADs accordingly. If NADs are shared it will be a little trickier to separate the two domains via policies, but it can be done. Good luck & HTH!
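As an added example that is not part of the original thread: a small Go program modelling the trust-store point in the answer above. Two constructed root CAs stand in for the employee-domain and student-domain CAs; a user certificate issued by the student CA fails an EAP-TLS style chain check when only the employee chain is trusted, and passes once both chains sit in the same trust store. The CA and user names are constructed, and the check is Go's x509 verifier standing in for ISE's "trust for authentication" decision.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a constructed test certificate: a self-signed root CA when parent is nil,
// otherwise an EAP-TLS style user certificate (clientAuth EKU) signed by that parent CA.
func makeCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	signer, signKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer, signKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Trusted mirrors the EAP-TLS server's trust-store check: the client cert must chain to a trusted root and be valid for client auth.
func Trusted(store *x509.CertPool, client *x509.Certificate) bool {
	_, err := client.Verify(x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Scenario: two domain CAs, one user each; student user checked against an employee-only store, then both users against a store holding both chains.
func Scenario() (studentWithEmployeeCAOnly, bothUsersWithBothCAs bool) {
	empCA, empKey := makeCert("Employee-Domain-CA", nil, nil)
	stuCA, stuKey := makeCert("Student-Domain-CA", nil, nil)
	empUser, _ := makeCert("alice@employee.example", empCA, empKey)
	stuUser, _ := makeCert("bob@student.example", stuCA, stuKey)
	employeeOnly, both := x509.NewCertPool(), x509.NewCertPool()
	employeeOnly.AddCert(empCA)
	both.AddCert(empCA)
	both.AddCert(stuCA)
	return Trusted(employeeOnly, stuUser), Trusted(both, stuUser) && Trusted(both, empUser)
}
```

The same logic shows why a single trust store must contain every domain's chain: the verifier only ever sees the anchors it was given, regardless of which AD join point the user lives in.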