popup prompt on client machine after EAP certificate renewal (eap-tls)

devendran.raju
Level 1

We are using an external CA-signed certificate in ISE for admin, EAP, and portal (posture). We are planning to install the renewed certificate in ISE as the existing certificate is expiring soon.

We have renewed the certificate with the same Common Name, signed by the same external public CA, to avoid any popup prompt on the end-user machine to trust the certificate. But in the renewed certificate, one of the intermediate certificates (the issuer CA) is different when we compare the certificate chain path. Other than that one intermediate CA certificate, all other certificates are the same as in the old certificate chain path.

Our question is whether any popup prompt to accept/trust the new certificate is expected on the user machine during the wired/wireless EAP-TLS negotiation, even though it is signed by the same external CA?

Existing Certificate's certificate path:
nac.ISE certificate >> Trusted Secure Certificate Authority 5 >> USERTrust RSA Certification Authority >> AAA Certificate Services

New Certificate's certificate path:
nac.ISE certificate >> Corporation Service Company RSA OV SSL CA >> USERTrust RSA Certification Authority >> AAA Certificate Services

2 Replies

andrewswanson
Level 7

Hi

Have a look at the following blog on "alternate trust paths (or chains)". This may explain some of the behaviour that you are seeing with some clients.

https://scotthelme.co.uk/building-certificate-chains/

Some details on AAA specifically are here:

https://www.tbs-certificates.co.uk/FAQ/en/racine-USERTrustRSACertificationAuthority.html

hth
Andy

andrewswanson
Level 7

Just to clarify my last post: my understanding of Alternate Certificate Paths and the AAA CA is below.

[attached image: andrewswanson_0-1699541004012.png]

  • Do you have the top "path" (AAA as root CA) in ISE Trusted Certificates?
  • If so, are your 802.1X supplicants configured to verify server identity (using the AAA root CA)?

Windows clients use the bottom "path" (USERTrust as root CA), so I was thinking that you may have got the certificate popup because the supplicants were verifying the ISE EAP certificate using the wrong root CA.

hth
Andy