
ISE - Multiple Issuing Subordinate CAs for EAP Auth?

Stephen McBride
Level 1

Is it possible to utilise multiple issuing subordinate CAs with an ISE implementation? In short I have a situation where the client is wanting to issue certificates for one group of users from CA1 and issue certificates for another group of users from CA2.

As far as I can see it is not possible to have two different server certificates installed on a policy node for the purposes of EAP authentication. Is the only way around this to install a policy node per issuing certificate server?

3 Replies

Stephen McBride
Level 1

OK, to add to this, I would really like some clarification on certificate installation for the purposes of EAP-TLS. The Cisco doco is at best vague on this topic. I have a distributed deployment with 2 x Admin, 1 x monitoring and 2 x PSN. I have installed a Public HTTPS server auth cert on each device and all nodes are joined. I would now like to utilise MS CA cert infrastructure to authenticate EAP-TLS.

My understanding is that I need the MS CA Root Cert and Subordinate Cert on the Admin node with the subordinate cert ticked for trust for EAP Auth. Is there a requirement for a Server Authentication certificate on the Admin Node? Going forward with that, is there a requirement to add a server authentication certificate to the PSN Nodes?

In addition, back to my first question: is it possible to utilise multiple subordinate CAs for client authentication? If so, how, as I cannot seem to click trust for EAP on multiple certs?

Issue sorted.

Hi

 

Will you be able to share the solution here? I have a similar requirement.

 

Regards

Ashish Shah