ISE - Two end user certificates

Does anyone know if it is possible to have two end user certificates on an ISE in order to carry out EAP-TLS to devices from two different CAs - i.e. WLAN 1 uses certificates from one CA and WLAN 2 uses certificates from a totally separate CA?

When I try to bind the CSRs from the second CA, the ISE tells me that I can only have one system cert used for EAP and the existing one will be replaced.

Many thanks

John

Accepted Solutions
Cisco Employee

Re: ISE - Two end user certificates

You’re asking if ISE can present a different server cert to the clients authenticating with 802.1X depending on the SSID they connect to? I don’t think that’s possible.

9 Replies

Beginner

Re: ISE - Two end user certificates

Yes, that is exactly what I'm trying to do, Jason.

I think you are right - unless someone out there has had experience of getting this working?

Cisco Employee

Re: ISE - Two end user certificates

Please review How To: Implement ISE Server-Side Certificates

If you simply need ISE to authenticate endpoints signed by multiple certificate authority chains, then we need only import the individual certificates from the various chains into the trusted certificate store and mark them as trusted for client authentication. You are correct that ISE supports only one single system certificate per ISE node used for the EAP server. There is an enhancement request for what you are asking, but that is only needed for the use cases where the clients do not want to trust EAP servers signed by other CAs, so that is a corner case. If that is something you would like us to implement, please ask your account team to discuss it with our product management team.

Contributor

Re: ISE - Two end user certificates

I'd like to see this too, and technically there is no reason why it can't be done. You can do it with Portals (multiple certificates); it would be good for EAP too.

DJ

Cisco Employee

Re: ISE - Two end user certificates

If you know any EAP server able to use two certificates, please let us know.

It's not as easy as ISE end-user facing portals, such as ISE guest portals, because the user browsers can go to different combinations of FQDNs and ports, and ISE is currently able to provide a different certificate for each port, as this is a fairly standard way for secure web sites. Even for web portals, ISE does not support server name indication (SNI), so we have to use different ports. There is nothing like that for EAP protocols, AFAIK.

In fact, you could in theory simulate the same by directing your network devices to different PSNs, where each uses a system certificate signed either by CA-1 or by CA-2.

Contributor

Re: ISE - Two end user certificates

Can we support different EAP certificates per interface?

Cisco Employee

Re: ISE - Two end user certificates

No. One EAP certificate per ISE PSN. If you need two, then use two different PSNs.

Beginner

Re: ISE - Two end user certificates

Correct. I tried this on our PSN and it took the EAP role off the existing certificate, leaving EAP assigned only to the new certificate.

Cisco Employee

Re: ISE - Two end user certificates

So if I have an ISE cluster with two distinct organisations where endpoints don't trust a common CA, I can partition my PSNs such that some are used for Org 1 with a server cert from CA1 and the other PSNs are used for Org 2 with a server cert from CA2?

NADs from Org 1 are configured to use the PSNs for Org 1, with a similar arrangement for the other org.

The limitation is that any endpoints from Org 1 that connect to a NAD in Org 2 would still fail the certificate trust check.

This assumes that admin and intra-cluster traffic uses a common cert from CA1.
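As an added illustration of the partitioned-PSN design discussed in this thread (this is not code from the thread or from Cisco), the constructed Python model below applies the two trust checks of an EAP-TLS handshake to every endpoint-org/NAD pairing and lists the combinations that fail. It shows why importing both CA chains into each PSN's trusted store fixes the client-cert direction but not the server-cert direction, since each PSN carries exactly one EAP certificate. All PSN, org, NAD and CA names are made up.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Psn:
    """One ISE Policy Service Node: exactly one system cert holds the EAP role."""
    name: str
    eap_cert_issuer: str                  # CA that signed its single EAP server cert
    trusted_for_client_auth: frozenset    # CAs in its trusted store marked for client auth

@dataclass(frozen=True)
class Org:
    """An organisation's endpoints: the CA issuing their client certs and the CAs they trust."""
    name: str
    client_cert_issuer: str
    trusted_server_cas: frozenset

def eap_tls_outcome(endpoint: Org, psn: Psn) -> tuple[bool, str]:
    """Model the two trust decisions in EAP-TLS between an endpoint and the PSN it is steered to."""
    # 1. Supplicant validates the server certificate presented by the PSN.
    if psn.eap_cert_issuer not in endpoint.trusted_server_cas:
        return False, f"{endpoint.name} endpoint rejects {psn.name} server cert (issuer {psn.eap_cert_issuer})"
    # 2. PSN validates the client certificate against its trusted store.
    if endpoint.client_cert_issuer not in psn.trusted_for_client_auth:
        return False, f"{psn.name} rejects {endpoint.name} client cert (issuer {endpoint.client_cert_issuer})"
    return True, "ok"

def audit(orgs: list[Org], nads_to_psn: dict[str, Psn]) -> list[tuple[str, str, str]]:
    """Enumerate every (endpoint org, NAD) pair and return the failing ones with the reason."""
    failures = []
    for org in orgs:
        for nad, psn in nads_to_psn.items():
            ok, why = eap_tls_outcome(org, psn)
            if not ok:
                failures.append((org.name, nad, why))
    return failures

# Constructed sample deployment (hypothetical names): both CA chains are trusted for
# client auth on every PSN, but each PSN can only present one EAP server cert.
BOTH = frozenset({"CA1", "CA2"})
PSN1 = Psn("psn1", "CA1", BOTH)
PSN2 = Psn("psn2", "CA2", BOTH)
ORG1 = Org("Org1", "CA1", frozenset({"CA1"}))
ORG2 = Org("Org2", "CA2", frozenset({"CA2"}))
NADS = {"nad-org1-wlc": PSN1, "nad-org2-wlc": PSN2}   # NADs steered to their org's PSN

if __name__ == "__main__":
    for failure in audit([ORG1, ORG2], NADS):
        print(failure)   # only the cross-org roaming cases fail
```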