11-18-2021 04:43 AM
Can I have different policies point to different certificates for authentication with EAP? When I try to create a different EAP certificate, I get a message saying that the already available EAP certificate will be replaced.
If this is not supported are there any plans to support this?
11-30-2021 02:56 PM
Only one ISE server certificate is supported for all EAP-based authentications currently.
ISE can authenticate endpoint certificates from different CAs using Certificate Profiles.
11-18-2021 10:06 AM
I do not believe a single ISE can have 2 certs at the same time.
11-11-2022 12:49 PM
If you have an ISE cluster, can Node 1 use CA/Cert 1 for EAP and Node 2 use CA/Cert 2 for EAP? Reason: our current CA is expiring and we want to gently migrate to a new CA. If we can have both CAs and certs active, we run in parallel until the CA expires.
11-11-2022 01:22 PM
@cklam that doesn't sound practical. The authentication request could go to either PSN, so the client must trust both CAs that sign the respective EAP certs, otherwise it would error.
11-11-2022 02:00 PM
Our supplicant (cat/eduroam) can offer both CAs, so the client will be trusting both. I am concerned that we would see failures as clients try one ISE server, fail, and then move to the next one which contains the winning CA/cert. If we cannot do this, then we can test on a staging server and do a hard cutover when the original CA expires.
11-11-2022 02:07 PM
@cklam the client authentication request is sent to one server; it won't move to the next if the authentication request was denied on the first. If the client supplicant trusts both CAs, then there shouldn't be a problem cutting over the EAP certs on all PSNs to the new CA.
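The replies above come down to one check the supplicant performs: does the EAP server certificate presented by whichever PSN answered chain to a CA in the supplicant's trust store? The following Go program is an added example, not code from this thread, from Cisco ISE or from the eduroam CAT tool. It models that decision with Go's standard library only: it creates two throwaway private CAs (hypothetical names "Old Corp CA" and "New Corp CA"), issues an EAP server certificate for a hypothetical PSN host name from each, and reports which certificates a supplicant accepts when it trusts only the old CA versus both. ISE's own certificate handling and a real supplicant's validation code are not reproduced; the x509 chain verification here stands in for them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical PSN name used only for this illustration (not from the thread).
const psnHost = "psn1.example.test"

// sign generates a fresh P-256 key for tmpl and signs the certificate with
// parentKey; parent == nil means a self-signed root signed with its own key.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a private root CA (stand-in for the old or the new corp CA).
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// serverTemplate describes a PSN's EAP certificate: serverAuth EKU and a SAN,
// which is what the supplicant validates inside the PEAP/EAP-TLS handshake.
func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// supplicantTrusts models the supplicant's decision: does the presented EAP
// server certificate chain to a CA in its trust store, for the expected host?
func supplicantTrusts(trusted []*x509.Certificate, server *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// migrationScenario plays out the situation in the thread: a PSN whose EAP
// certificate is still from the old CA and one already cut over to the new CA,
// each checked by a supplicant trusting only the old CA and by one trusting both.
func migrationScenario() (map[string]bool, error) {
	oldCA, oldKey, err := sign(caTemplate("Old Corp CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	newCA, newKey, err := sign(caTemplate("New Corp CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	psnOnOld, _, err := sign(serverTemplate(psnHost), oldCA, oldKey)
	if err != nil {
		return nil, err
	}
	psnOnNew, _, err := sign(serverTemplate(psnHost), newCA, newKey)
	if err != nil {
		return nil, err
	}
	oldOnly := []*x509.Certificate{oldCA}
	both := []*x509.Certificate{oldCA, newCA}
	return map[string]bool{
		"old-CA-only/psn-on-old": supplicantTrusts(oldOnly, psnOnOld, psnHost),
		"old-CA-only/psn-on-new": supplicantTrusts(oldOnly, psnOnNew, psnHost),
		"both-CAs/psn-on-old":    supplicantTrusts(both, psnOnOld, psnHost),
		"both-CAs/psn-on-new":    supplicantTrusts(both, psnOnNew, psnHost),
	}, nil
}

func main() {
	results, err := migrationScenario()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"old-CA-only/psn-on-old", "old-CA-only/psn-on-new", "both-CAs/psn-on-old", "both-CAs/psn-on-new"} {
		fmt.Printf("%-24s accepted=%v\n", k, results[k])
	}
}
```

Run it with `go run`. The only rejected combination is a supplicant that still trusts just the old CA hitting a PSN that has already moved to the new CA, which is the failure the replies above warn about. Since a RADIUS request is answered by one PSN and is not retried elsewhere, the safe order is: push the new CA to the supplicants' trust store first (for eduroam, through the CAT profile), and only then replace the EAP certificate on the PSNs; once every supplicant trusts both CAs, the order in which PSNs cut over no longer matters.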
10-23-2023 07:44 AM
Hi Thomas, do you mind pointing me to some official Cisco documents on how to do this "ISE can authenticate endpoint certificates from different CAs using Certificate Profiles"? I was planning on migrating from one internal CA to another and would like our ISE to be able to authenticate endpoint certificates from the two CAs at the same time during the migration, but I was told this was not supported. Thank you very much for your time.