01-16-2014 01:10 AM - edited 03-10-2019 09:17 PM
Hi,
I have to install Cisco ISE for one of my customers.
This customer has two enterprise PKIs.
One PKI delivers certificates for one group of users, and the second PKI delivers certificates for the other users.
In this case, what should I do? Do I need to add the two enterprise PKI certificates in each Cisco ISE? Does the ISE need to have
two certificates, one from each PKI server?
What I have already done is configure Cisco ISE with only one enterprise PKI.
Guy charles
01-16-2014 05:17 AM
Do both user groups trust each of the enterprise CA certs?
Are the two user groups in the same AD environment, and are you planning on differentiated access based on AD groups?
Also, you will need to import the root and intermediate CA from both environments and select trust for client authentication.
Sent from Cisco Technical Support Android App
01-16-2014 10:24 AM
Do both user groups trust each of the enterprise CA certs?
No, but I can ask the customer to do it if it is the right solution.
Are the two user groups in the same AD environment, and are you planning on differentiated access based on AD groups?
The two user groups are in the same AD environment. Yes, I am planning to do access based on AD groups.
01-18-2014 10:19 AM
The reason I asked if both PKI groups trusted one another is because of certificate validation. ISE only allows you to use 1 certificate for the EAP interface, and it will need to be trusted for both groups.
Sent from Cisco Technical Support Android App
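The two trust directions discussed in this thread, sketched with the `openssl` CLI as an added example (not part of the original posts and not ISE configuration). It assumes two throwaway single-tier CAs, `pkiA` and `pkiB`, standing in for the customer's PKIs, with constructed certificates `userA`, `userB` and `ise-eap`; a real deployment would also include the intermediate CAs in each bundle.

```shell
#!/usr/bin/env bash
# Constructed lab data only: pkiA/pkiB, userA/userB and ise-eap are assumed names.
WORK=$(mktemp -d)

# make_ca NAME: self-signed root standing in for one enterprise PKI.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 Root CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA NAME: leaf certificate NAME signed by CA.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# trusted STORE CERT: succeeds only if CERT chains to a CA present in STORE.
trusted() {
  openssl verify -CAfile "$WORK/$1" "$WORK/$2.pem" >/dev/null 2>&1
}

# check STORE CERT: print the verdict for one validation.
check() {
  if trusted "$1" "$2"; then echo "$2 against $1: trusted"
  else echo "$2 against $1: REJECTED"; fi
}

make_ca pkiA; make_ca pkiB
issue pkiA userA      # client certificate for the first user group
issue pkiB userB      # client certificate for the second user group
issue pkiA ise-eap    # the single server certificate presented for EAP
cat "$WORK/pkiA.pem" "$WORK/pkiB.pem" > "$WORK/both.pem"

# Server side: the trust store used for client authentication.
check pkiA.pem userA  # trusted
check pkiA.pem userB  # rejected: only one PKI was imported
check both.pem userB  # trusted once both PKIs' CA certificates are imported

# Client side: what each group's supplicant trusts for the server certificate.
check pkiB.pem ise-eap  # rejected: group B does not trust the issuing PKI
check both.pem ise-eap  # trusted once group B also trusts pkiA
```

Running `openssl verify` the same way against the real CA bundles and a sample user certificate from each group confirms the chains before the certificates are imported.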