ISE - Two end user certificates

jphilp
Level 1

Does anyone know if it is possible to have two end user certificates on an ISE in order to carry out EAP-TLS to devices from two different CAs - i.e. WLAN 1 uses certificates from one CA and WLAN 2 uses certificates from a totally separate CA?

When I try and bind the CSRs from the second CA, the ISE tells me that I can only have one system cert used for EAP and the existing one will be replaced.

Many thanks

John

Accepted Solution

Jason Kunst
Cisco Employee

You're asking if ISE can present a different server cert to the clients' authentication with 802.1x depending on the SSID they connect to? I don't think that's possible.

9 Replies


Yes that is exactly what I'm trying to do Jason.

I think you are right - unless someone out there has had experience of getting this working?

hslai
Cisco Employee

Please review How To: Implement ISE Server-Side Certificates

If you simply need ISE to authenticate endpoints signed by multiple certificate authority chains, then we need only import the individual certificates from the various chains into the trusted certificate store and mark them as trusted for client authentication. You are correct that ISE supports only one single system certificate per ISE node used for the EAP server. There is an enhancement request for what you are asking, but that is only needed for the use cases where the clients do not want to trust EAP servers signed by other CAs, so that is a corner case. If that is something you would like us to implement, please ask your account team to discuss it with our product management team.

I'd like to see this too, and technically there is no reason why it can't be done. You can do it with Portals (multiple certificates); it would be good for EAP too.

DJ

hslai
Cisco Employee

If you know any EAP server able to use two certificates, please let us know.

It's not as easy as ISE end-user facing portals, such as ISE guest portals, because the user browsers can go to different combinations of FQDNs and ports, and ISE is currently able to provide a different certificate for each port, as this is a fairly standard way for secure web sites. Even for web portals, ISE does not support server name indication (SNI), so we have to use different ports. There is nothing like that for EAP protocols, AFAIK.

In fact, you could in theory simulate the same by directing your network devices to different PSNs, each using a system certificate signed either by CA-1 or by CA-2.

Can we support different EAP certificates per interface?

No. One EAP certificate per ISE PSN. If you need two, then use two different PSNs.

Correct. I tried this on our PSN and it took the EAP role off the existing certificate just leaving EAP assigned to the new certificate.

So if I have an ISE cluster with two distinct organisations where endpoints don't trust a common CA, I can partition my PSNs such that some are used for Org 1 with a server cert from CA1 and the other PSNs used for Org 2 with server cert from CA2?

NADs from Org 1 are configured to use PSNs for Org 1, and similar arrangement for other org.

Limitation that any endpoints from Org 1 that connect to a NAD in Org 2 would still fail the certificate trust.

Assumes that admin and intra-cluster traffic uses a common cert from CA1.
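The trust relationships discussed in this thread can be checked outside ISE with plain openssl. The following script is an added example, not from any poster or from Cisco: it builds two independent CAs (ca1, ca2), issues one server certificate per CA (psn-org1, psn-org2, standing in for the single EAP system certificate each partitioned PSN would carry), and then runs openssl verify against two trust stores. A store holding only ca1 models the Org 1 supplicant that lands on an Org 2 PSN and fails, as described in the last post; a store holding both CA certificates models the "import the individual certificates from the various chains into the trusted store" approach hslai describes, which accepts either server certificate. All names and the working directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: model EAP-TLS server-certificate trust
# across two CAs with openssl. Requires the openssl CLI (1.1.1 or later).
set -e
WORK="$(mktemp -d)"                      # scratch dir for constructed keys/certs
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key and certificate in $WORK/NAME.key, $WORK/NAME.crt
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# make_server_cert NAME CA: server certificate for NAME signed by CA
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_against STORE CERT: echo "ok" if CERT chains to a CA in STORE, else "fail"
verify_against() {
  if openssl verify -CAfile "$WORK/$1" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Build the constructed PKI: two unrelated CAs, one PSN server cert per CA,
# plus a combined trust store containing both CA certificates.
setup() {
  make_ca ca1
  make_ca ca2
  make_server_cert psn-org1 ca1          # system cert of a PSN serving Org 1
  make_server_cert psn-org2 ca2          # system cert of a PSN serving Org 2
  cat "$WORK/ca1.crt" "$WORK/ca2.crt" > "$WORK/both.pem"
}

setup
echo "Org 1 supplicant (trusts ca1 only) -> psn-org1: $(verify_against ca1.crt psn-org1)"
echo "Org 1 supplicant (trusts ca1 only) -> psn-org2: $(verify_against ca1.crt psn-org2)"
echo "Store trusting both CAs            -> psn-org1: $(verify_against both.pem psn-org1)"
echo "Store trusting both CAs            -> psn-org2: $(verify_against both.pem psn-org2)"
```

The second line of output is the cross-organisation failure the partitioned-PSN design leaves in place: nothing about the server certificate is wrong, the supplicant simply has no path to its issuer. The last two lines show that a trust store carrying both chains accepts either certificate, which is why importing both CA chains into ISE's trusted store is enough for client-certificate validation even though each PSN can present only one EAP system certificate.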
