02-24-2015 05:42 AM - edited 03-10-2019 10:29 PM
Hi Cisco Support Community,
and again I'm struggling with my ISE understanding. It's kind of frustrating - daily more and more questions arise :)
Here's the thing and I hope some of the ISE experts here know the answer:
I want to authenticate my wired and wireless clients using 802.1X. I'm using a multi-tier PKI (see picture below)

The ISE uses a certificate from the "Signing CA1" (Chain: Root CA - Signing CA1).
The clients use a certificate from the "Signing CA2" (Chain: Root CA - Intermediate CA1 - Signing CA2).
Do I have to add the complete client certificate chain (Signing CA2, Intermediate CA1, Root CA) to the ISE trusted certificates in order to authenticate the client? Or is it enough, for example, just to add the root CA or the intermediate CA? I couldn't find any hints in the admin guide (1.3).
Thanks in advance!
02-25-2015 10:29 PM
Hello Johannes-
You will need to add the root and all/any intermediate certificates in the trusted certificate store of ISE.
Thank you for rating helpful posts!
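
A lab check of the chain question with OpenSSL, as an added example that is not part of the original thread and does not show ISE's own behaviour. It builds a constructed PKI shaped like the one in the question and validates the client certificate against three different trusted stores, assuming the client presents only its leaf certificate; file names, subject names and helper functions are assumptions.

```shell
#!/usr/bin/env bash
# Constructed lab PKI mirroring the thread:
#   Root CA -> Intermediate CA1 -> Signing CA2 -> client
# Names, key size and lifetime are assumptions chosen for the demo.

# issue NAME CN EXTFILE [ISSUER]: create key + cert; self-signed when ISSUER is omitted.
issue() {
  local name=$1 cn=$2 ext=$3 issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -out "$name.csr" -subj "/CN=$cn" 2>/dev/null || return 1
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
      -extfile "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 30 -extfile "$ext" -out "$name.pem" 2>/dev/null
  fi
}

# build_pki: write the four certificates into the current directory.
build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext
  issue root   "Root CA"          ca.ext &&
  issue int1   "Intermediate CA1" ca.ext root &&
  issue sign2  "Signing CA2"      ca.ext int1 &&
  issue client "client01"         leaf.ext sign2
}

# verify_with CERT...: use exactly the listed CA certificates as the trusted
# store and validate client.pem with no other certificates available.
verify_with() {
  cat "$@" > store.pem
  if openssl verify -CAfile store.pem client.pem >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

lab=$(mktemp -d) && cd "$lab" && build_pki || { echo "PKI setup failed" >&2; exit 1; }
echo "Root CA only:               $(verify_with root.pem)"
echo "Root CA + Intermediate CA1: $(verify_with root.pem int1.pem)"
echo "Full client chain:          $(verify_with root.pem int1.pem sign2.pem)"
```
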
03-03-2015 04:19 AM
Hi Neno,
thanks for the answer - nevertheless I'll have to verify this in the lab.