ISE - Multiple Issuing Subordinate CAs for EAP Auth?

Stephen McBride · ‎10-08-2012

Is it possible to utilise multiple issuing subordinate CAs with an ISE implementation? In short I have a situation where the client is wanting to issue certificates for one group of users from CA1 and issue certificates for another group of users from CA2.

As far as I can see it is not possible to have two different server certificates installed on a policy node for the purposes of EAP authentication. Is the only way around this to install a policy node per issuing certifcate server?

Stephen McBride · ‎10-10-2012

Ok to add to this I would really like some clarification on certificate installation for the purposes of EAP-TLS. The Cisco doco is at best vague on this topic. I have a distributed deployment with 2 x Admin, 1 x monitoring and 2 x PSN. I have installed a Public HTTPS server auth cert on each device and all nodes are joined. I would now like to utilise MS CA cert infrastructure to authenticate EAP-TLS.

My understanding is that I need the MS CA Root Cert and Subordinate Cert on the Admin node with the subordinate cert ticked for trust for EAP Auth. Is there a requirement for a Server Authentication certificate on the Admin Node? Going forward with that Is there a requirement to add a server authentication certificate to the PSN Nodes?

In addition back to my first question is it possible to utilise multiple subordinate CAs for client authentication if so how as I cannot seem to click trust for EAP on multiple certs

Stephen McBride · ‎11-20-2012

Issue sorted.

rashish135@yahoo.co.in · ‎09-16-2019

Hi

Will you be able to share the solution here. I have similar requirement.

Regards

Ashish Shah