Does anyone know if it is possible to have two end user certificates on an ISE in order to carry out EAP-TLS to devices from two different CAs, i.e. WLAN 1 uses certificates from one CA and WLAN 2 uses certificates from a totally separate CA?
When I try to bind the CSRs from the second CA, the ISE tells me that I can only have one system cert used for EAP and the existing one will be replaced.
Yes that is exactly what I'm trying to do Jason.
I think you are right - unless someone out there has had experience of getting this working?
Please review How To: Implement ISE Server-Side Certificates
If you simply need ISE to authenticate endpoints signed by multiple certificate authority chains, then you need only import the individual certificates from the various chains into the trusted certificate store and mark them as trusted for client authentication. You are correct that ISE supports only one single system certificate per ISE node used for the EAP server. There is an enhancement request for what you are asking, but that is only needed for the use cases where the clients do not want to trust EAP servers signed by other CAs, so that is a corner case. If that is something you would like us to implement, please ask your account team to discuss it with our product management team.
I'd like to see this too, and technically there is no reason why it can't be done. You can do it with Portals (multiple certificates); it would be good for EAP too.
If you know any EAP server able to use two certificates, please let us know.
It's not as easy as ISE end-user facing portals, such as ISE guest portals, because the user browsers can go to different combinations of FQDNs and ports, and ISE is currently able to provide a different certificate for each port, as this is a fairly standard way for secure web sites. Even for web portals, ISE is not supporting server name indication (SNI), so we have to use different ports. There is nothing like that for EAP protocols, AFAIK.
In fact, you could in theory simulate the same by directing your network devices to different PSNs, each of which uses a system certificate signed either by CA-1 or by CA-2.
Correct. I tried this on our PSN and it took the EAP role off the existing certificate just leaving EAP assigned to the new certificate.
So if I have an ISE cluster with two distinct organisations where endpoints don't trust a common CA, I can partition my PSNs such that some are used for Org 1 with a server cert from CA1 and the other PSNs used for Org 2 with server cert from CA2?
NADs from Org 1 are configured to use PSNs for Org 1, and similar arrangement for other org.
Limitation that any endpoints from Org 1 that connect to a NAD in Org 2 would still fail the certificate trust.
Assumes that admin and intra-cluster traffic uses a common cert from CA1.
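The two trust relationships discussed in this thread can be reproduced outside ISE with the openssl CLI. The script below is an added example, not code from the thread or from Cisco: it shows (1) the trusted-store advice, that one trust bundle holding the roots of two independent CAs accepts EAP-TLS client certificates from either CA and rejects a certificate from an unrelated CA, and (2) the reason the PSNs have to be partitioned, that an endpoint trusting only its own organisation's root rejects a PSN whose single EAP server certificate is signed by the other organisation's CA. The CA labels (org1, org2, unrelated), host names and file names are made up for the demo; it needs only the openssl binary.

```shell
#!/bin/sh
# Added example (not from the original thread or from Cisco ISE).
# Emulates with openssl the two checks discussed above:
#   1. EAP server side: a trusted store with both org roots accepts client
#      certs from either CA and rejects one from an unrelated CA.
#   2. Endpoint side: trusting only org1's root, the endpoint accepts the
#      PSN cert signed by org1 and rejects the PSN cert signed by org2.
# All labels, host names and file names below are made up.
set -e
WORK="${WORK:-$(mktemp -d)}"

# make_ca LABEL: self-signed root CA for a hypothetical organisation.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1 Root CA" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    >/dev/null 2>&1
}

# issue_cert CA_LABEL NAME EKU: leaf cert for NAME signed by CA_LABEL with
# the given extended key usage (clientAuth for endpoints, serverAuth for PSNs).
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$3" > "$WORK/$2.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_against BUNDLE PURPOSE CERT: prints "accepted" or "rejected".
# Only BUNDLE is trusted; the system CA file/path are ignored.
verify_against() {
  if openssl verify -purpose "$2" -no-CAfile -no-CApath \
       -CAfile "$1" "$3" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# ISE-side trusted certificate store: both org roots in one bundle, the
# equivalent of importing each chain and ticking "trust for client
# authentication".
build_trust_store() {
  cat "$WORK/org1.pem" "$WORK/org2.pem" > "$WORK/trusted-client-cas.pem"
}

# check_endpoint NAME: what the EAP server does with an endpoint's cert.
check_endpoint() {
  verify_against "$WORK/trusted-client-cas.pem" sslclient "$WORK/$1.pem"
}

# check_psn ORG_LABEL PSN_NAME: what an endpoint that trusts only ORG_LABEL's
# root does with the EAP server cert presented by PSN_NAME.
check_psn() {
  verify_against "$WORK/$1.pem" sslserver "$WORK/$2.pem"
}

make_ca org1
make_ca org2
make_ca unrelated
issue_cert org1 laptop-org1 clientAuth
issue_cert org2 laptop-org2 clientAuth
issue_cert unrelated laptop-unknown clientAuth
issue_cert org1 psn-org1 serverAuth      # PSN in the org 1 partition
issue_cert org2 psn-org2 serverAuth      # PSN in the org 2 partition
build_trust_store

for ep in laptop-org1 laptop-org2 laptop-unknown; do
  echo "EAP server trusting both roots, endpoint $ep: $(check_endpoint "$ep")"
done
for psn in psn-org1 psn-org2; do
  echo "org1 endpoint talking to $psn: $(check_psn org1 "$psn")"
done
```

The first loop is the server-side picture: both laptops verify against the combined bundle while the unrelated one fails, which is why a single PSN can authenticate endpoints from both CAs. The second loop is the endpoint-side picture from the last post: an org 1 endpoint that lands on an org 2 NAD (and therefore an org 2 PSN) fails the server certificate check, exactly the limitation noted above.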