
ISE/EDUROAM/PEAP/CERTIFICATE

raj-toor
Level 1

We currently use ISE for certificate-based access to a wireless SSID, and EAP uses an internal CA cert for that.

We have also set up Eduroam, and the allowed protocol uses PEAP > MS-CHAPv2.

On connection, the certificate that gets presented to the device is from the internal CA. How can I change it to a public CA?

If that is possible at all, what would be the import type for the cert, as only one EAP certificate can be there on ISE?

3 Replies

balaji.bandi
Hall of Fame

Arne Bier
VIP

ISE only supports a single EAP Server certificate - when you import/generate a new one, then it will overwrite the existing one. Technically it is possible for a RADIUS server to have more than one EAP certificate, and to present the appropriate certificate depending on the service/use-case - other vendors support this.

hslai
Cisco Employee

You and Arne Bier are both correct that each ISE node may have only one system certificate designated as the EAP server certificate. Please keep in mind (1) that ISE may trust multiple CA chains for EAP authentication, and so does the peer (client), and (2) that the certificates of the EAP server and the EAP peer (client) need not be signed by the same CA chain.
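
The point in the last reply, that the EAP server certificate and the client certificate can come from unrelated CA chains as long as each side trusts the other's chain, can be checked offline with `openssl`. This is an added example, not part of the thread or of ISE itself; the CA and certificate names (`public-ca`, `internal-ca`, `eap-server`, `wifi-client`) are constructed stand-ins and the throwaway keys are generated locally.

```shell
#!/usr/bin/env bash
# Constructed demo: two unrelated CAs, one per direction of EAP trust.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca NAME: create a self-signed root CA (stand-in for a public or internal CA)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue CA LEAF: create leaf certificate LEAF signed by CA
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.pem" \
    -CAkey "$work/$1.key" -CAcreateserial -days 1 \
    -out "$work/$2.pem" 2>/dev/null
}

# chains_to CA LEAF: succeed only if LEAF validates with CA as the sole trust anchor
chains_to() {
  openssl verify -CAfile "$work/$1.pem" "$work/$2.pem" >/dev/null 2>&1
}

make_ca public-ca      # would sign the single EAP server certificate
make_ca internal-ca    # keeps signing client certificates for EAP-TLS
issue public-ca eap-server
issue internal-ca wifi-client

# Each row: trust anchor, certificate checked against it
for pair in "public-ca eap-server" "internal-ca wifi-client" \
            "internal-ca eap-server" "public-ca wifi-client"; do
  set -- $pair
  if chains_to "$1" "$2"; then result=trusted; else result=rejected; fi
  printf '%-12s validating %-12s -> %s\n' "$1" "$2" "$result"
done
```

The first two rows are the trust each side needs (client trusts the server's chain, server trusts the client's chain); the last two show that neither certificate has to validate against the other's CA.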