06-06-2017 10:40 AM
Does anyone know if it is possible to have two end user certificates on an ISE in order to carry out EAP-TLS to devices from two different CAs - i.e. WLAN 1 uses certificates from one CA and WLAN 2 uses certificates from a totally separate CA?
When I try to bind the CSRs from the second CA, the ISE tells me that I can only have one system cert used for EAP and the existing one will be replaced.
Many thanks
John
06-06-2017 10:45 AM
You’re asking if ISE can present a different server cert to the clients authenticating with 802.1x depending on the SSID they connect to? I don’t think that’s possible.
06-06-2017 10:49 AM
Yes that is exactly what I'm trying to do Jason.
I think you are right - unless someone out there has had experience of getting this working?
06-06-2017 01:49 PM
Please review How To: Implement ISE Server-Side Certificates
If you simply need ISE to authenticate endpoints whose certificates are signed by multiple certificate authority chains, then we need only import the individual certificates from the various chains into the trusted certificate store and mark them as trusted for client authentication. You are correct that ISE supports only one single system certificate per ISE node used for the EAP server. There is an enhancement request for what you are asking, but that is only needed for the use cases where the clients do not want to trust EAP servers signed by other CAs, so that is a corner case. If that is something you would like us to implement, please ask your account team to discuss it with our product management team.
06-06-2017 11:33 PM
I'd like to see this too and technically there is no reason why it can't be done. You can do it with Portals (multiple certificates), be good for EAP too.
DJ
06-07-2017 03:07 PM
If you know any EAP server able to use two certificates, please let us know.
It's not as easy as ISE end-user facing portals, such as ISE guest portals, because the user browsers can go to different combinations of FQDNs and ports, and ISE is currently able to provide a different certificate for each port, as this is a fairly standard way for secure web sites. Even for web portals, ISE does not support server name indication (SNI), so we have to use different ports. There is nothing like that for EAP protocols, AFAIK.
In fact, you could in theory simulate the same by directing your network devices to different PSNs, each using a system certificate signed either by CA-1 or by CA-2.
06-08-2017 04:39 PM
Can we support different EAP certificates per interface?
06-08-2017 05:38 PM
No. One EAP certificate per ISE PSN. If you need two, then use two different PSNs.
06-09-2017 01:22 AM
Correct. I tried this on our PSN and it took the EAP role off the existing certificate just leaving EAP assigned to the new certificate.
04-19-2018 09:54 AM
So if I have an ISE cluster with two distinct organisations where endpoints don't trust a common CA, I can partition my PSNs such that some are used for Org 1 with a server cert from CA1 and the other PSNs are used for Org 2 with a server cert from CA2?
NADs from Org 1 are configured to use PSNs for Org 1, and similar arrangement for other org.
Limitation that any endpoints from Org 1 that connect to a NAD in Org 2 would still fail the certificate trust.
Assumes that admin and intra-cluster traffic uses a common cert from CA1.
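The PSN partitioning discussed in this thread (one EAP system certificate per PSN, each NAD pointed at the PSNs carrying the certificate its own organisation's endpoints trust) is easy to get wrong as a cluster grows. The following added example, not code from the thread or from Cisco, models that design with constructed names and flags both misassigned NADs and the cross-organisation roaming failures noted above:

```python
"""Sanity-check a per-organisation PSN partition for EAP-TLS server trust.

Model (all names below are constructed for this example):
- each PSN carries exactly one EAP system certificate, issued by one CA
- each NAD belongs to an org and lists the PSNs it sends RADIUS to
- endpoints of an org trust only that org's CA (no common CA)
- the NAD's first listed PSN decides the outcome: RADIUS failover to the
  next PSN happens on timeout, not when the supplicant rejects the cert
"""

# CA that issued each PSN's EAP system certificate (constructed)
PSN_EAP_CA = {
    "psn1": "CA1", "psn2": "CA1",   # meant for Org1
    "psn3": "CA2", "psn4": "CA2",   # meant for Org2
}
# CA that each org's endpoints trust for EAP server validation (constructed)
ORG_TRUSTED_CA = {"Org1": "CA1", "Org2": "CA2"}
# NAD -> org and ordered RADIUS server list (constructed; switch-dmz is wrong)
NADS = {
    "wlc-site-a": {"org": "Org1", "psns": ["psn1", "psn2"]},
    "wlc-site-b": {"org": "Org2", "psns": ["psn3", "psn4"]},
    "switch-dmz": {"org": "Org2", "psns": ["psn3", "psn1"]},
}


def psn_misassignments(nads, psn_ca, org_ca):
    """NADs listing a PSN whose EAP cert their own org's endpoints won't trust."""
    issues = []
    for nad, cfg in nads.items():
        wanted = org_ca[cfg["org"]]
        for psn in cfg["psns"]:
            if psn_ca[psn] != wanted:
                issues.append((nad, psn, psn_ca[psn], wanted))
    return issues


def trust_outcome(endpoint_org, nad, nads, psn_ca, org_ca):
    """(passes_server_validation, psn) for an endpoint of endpoint_org on nad."""
    psn = nads[nad]["psns"][0]          # first PSN decides (see module docstring)
    return psn_ca[psn] == org_ca[endpoint_org], psn


def roaming_failures(nads, psn_ca, org_ca):
    """Every (endpoint org, NAD) pair that fails: the limitation noted in the thread."""
    return sorted(
        (org, nad) for org in org_ca for nad in nads
        if not trust_outcome(org, nad, nads, psn_ca, org_ca)[0]
    )
```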