Multiple EAP certificates in ACS 5.2

magnus.jagevall
Level 4

I want to use multiple certificates (enterprise certs and a VeriSign cert) for authentication in wireless.
Users whose computers are in the domain should use EAP-TLS, and PEAP (VeriSign) is for users in the domain but on non-domain computers.

I can only enable one certificate in System Administration -> Local Server Certificates -> Local Certificates to use EAP.

I have installed both the enterprise and VeriSign certs in the CA store in Users and Identity Stores and enabled the enterprise cert for EAP-TLS.

The EAP-TLS connection works fine when the enterprise cert is enabled for EAP (in Local Certificates) but PEAP does not. If I enable EAP on the VeriSign cert in Local Certificates, the enterprise cert gets EAP disabled and that authentication stops working and PEAP starts working.

Is ACS 5.2 only able to have one certificate enabled at a time for EAP?


slawford
Cisco Employee

Hi Magnus,

There is an option to allow other certificate authorities for EAP-TLS under the "Certificate Authorities" section of "Users and Identity Stores", as in the screenshot below:


Please let me know how you go, or if you have any questions.

Steve.

Hello

That option is enabled.

However, if the certificate isn't enabled for EAP in "Local Certificates" it does not work.

Depending on which certificate is enabled for EAP (in Local Certificates in System Administration), EAP-TLS or PEAP works fine, but not both at the same time.

//Magnus

Hi All,

Did this ever get resolved? I too have the same issue.

Any help much appreciated.

Cheers,

Matt

You can't have more than one cert for EAP authentication of clients; you need to use a public CA trusted cert like VeriSign for both PEAP and EAP-TLS. I believe this is a limitation in both ACS 5.x and ISE for the moment.

When using a public certificate as opposed to one you issued from your internal PKI, your EAP-TLS clients need to have the VeriSign Root CAs marked as trusted in the GPO where you configure EAP-TLS (check your cert for the issuers), and your PEAP users should do the same; however, in PEAP users often choose to ignore this as their settings are not locked by GPO. This solution works fine for me.

EAP-TLS screenshot in Windows 7:

Simon Parlsjo
Level 1

Bump!

Did you guys find a solution to this?

I'm in a situation right now that would have been easily resolved if the ISE had support for multiple certificates (when using EAP).

We have an internal CA that we are about to use in an EAP-TLS 802.1x implementation, and one that is based on PEAP. Computers that use PEAP are not managed by us, so we have no good way of pushing a root certificate to them.

Is it possible to use a publicly signed server certificate on the ISE and still use internally signed certificates for clients when using EAP-TLS, so both PEAP and EAP-TLS computers can verify the ISE certificate?

I'm sorry for stealing the thread, but I'm hoping for some help!

//Simon Pärlsjö - Sweden

Hi Simon,

What you want to do is not supported: using two certificates on the ACS/ISE server, only one can be used for EAP (PEAP & TLS). So, like I described, use a public cert for your ISE; this will work as it's already trusted in the cert stores on devices, as long as you install the root and issuer certs from your internal PKI to validate your EAP-TLS clients, which can then use your local PKI for EAP-TLS.

Thanks Jan, for clarifying this for me!

If I have two Cisco ISE in HA, I guess both of them require a publicly signed certificate. Correct?

And the hostname for both of them would have to be something like ise01.abc.com and not ise01.abc.local. Right?

Does Cisco have an SSL partner for certificates? It would be nice if you could get some discount!

I'm running a small lab on the EAP-TLS part already, is there something special I need to configure when I change the ISE certificate to a public one instead of my CA signed certificate?

//Simon

If they are both running the policy service, then yes.

Your hostname needs to be the same as what you put in your certificate; however, I usually go for the SAN certificate trick, where you can have multiple names in one certificate. There is a guide on here somewhere on how to create that cert request for ISE.

I don't think there are any discount deals with Cisco :-)

You will probably need to change your dot1x settings on your PC to trust the new issuer.

Thanks!

I guess you mean this:

http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080bd0953.shtml

How does the guest portal work in a distributed environment? Do I use the same DNS name for each ISE, or are these different on each ISE?

If I use the method above, how should I define my CSR for each certificate?

How does licensing work in a VMware ISE? Does the hardware serial change when I reinstall the ISE, and how would this affect my bought license?

Yes, exactly the guide I was referring to.

In a distributed environment, the ISE server that gets the RADIUS request from your switch/wireless contr. will send its own EAP certificate to the client. You need unique FQDNs for each ISE server, otherwise you won't be able to join them together. The server's FQDN (hostname.domainname) should also be the CN in your cert request, and the first entry in your SAN attributes.

So let's say you had two ISE servers:

Server 1:
FQDN : gateway1.customer.publicdomain.com
SAN DNS.1 : gateway1.customer.publicdomain.com
SAN DNS.2 : internalname1.internaldom.local

Server 2:
FQDN : gateway2.customer.publicdomain.com
SAN DNS.1 : gateway2.customer.publicdomain.com
SAN DNS.2 : internalname2.internaldom.local

My own openssl template looks like this:

[ req ]
default_bits        = 2048
default_keyfile     = newkey.pem
distinguished_name  = req_distinguished_name
req_extensions      = req_ext

[ req_distinguished_name ]
commonName              = Common Name (eg, YOUR name)
commonName_max          = 100
stateOrProvinceName     = State (ST=)
localityName            = Locality (L=)
organizationName        = Orgname (O=)
organizationalUnitName  = Orgname (OU=)
countryName             = Country (C=)

[ req_ext ]
subjectAltName          = @alt_names

[alt_names]
DNS.1   = gateway1.publicdomain.com
DNS.2   = ise01.internaldom.local
......

Also, you could add names for the sponsor portal and MyDevices here in the alt_names section if you wish; this will allow you to use a simpler URL for guest sponsors and device registration.

With regards to licenses, I think you will get a different serial number if you reinstall ISE. So always keep a VM backup once you have installed your licenses.

Hope this clears it up for you
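As an added example (not the poster's own template or any ISE tooling), the script below generates a per-node CSR following the layout described in this reply, with the node FQDN as the CN and as the first SAN DNS entry and the internal name as the second, and then checks that CN/first-SAN property before the request is submitted to the public CA; the hostnames, organisation and country are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the thread's own template: build a CSR for one ISE node
# whose CN is the node FQDN and whose first SAN DNS entry repeats it, then
# verify that property. Hostnames, O and C below are constructed placeholders.
set -eu

# make_ise_csr FQDN INTERNAL_NAME OUTDIR: writes key.pem and req.pem, prints CSR path
make_ise_csr() {
  fqdn=$1 internal=$2 out=$3
  mkdir -p "$out"
  cat > "$out/req.cnf" <<EOF
[ req ]
default_bits        = 2048
prompt              = no
distinguished_name  = dn
req_extensions      = req_ext
[ dn ]
CN = $fqdn
O  = Example Org
C  = SE
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $fqdn
DNS.2 = $internal
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out/key.pem" \
    -out "$out/req.pem" -config "$out/req.cnf" 2>/dev/null
  printf '%s\n' "$out/req.pem"
}

# csr_cn CSR: print the subject CN of the request
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_first_san CSR: print the first DNS entry of subjectAltName
csr_first_san() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | head -n 1 | cut -d: -f2
}

# check_csr CSR: succeed only if the CN equals the first SAN DNS name,
# which is the layout ISE expects for a node certificate per this reply
check_csr() {
  [ "$(csr_cn "$1")" = "$(csr_first_san "$1")" ]
}
```

Run it once per node (gateway1, gateway2, ...) with that node's FQDN and internal name; a failed `check_csr` means the request would not match the node's own FQDN.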