Hi ahollifield,

Because the ISE server would also be signing certs for EAP-TLS for BYOD devices and those devices are not going to be joined to the domain or an MDM.

In our future deployment, ISE would also presumably be doing 802.1x wired port authentication for non-BYOD devices (domain-joined PCs, VoIP phones, access points, and any other device we own that can support that security level).  This is what I'm trying to figure out.. what is the design to be able to do both.

Our current test is indeed running an ISE certificate generated with an Intermediate Cert CSR from ISE and was signed by our AD CA root cert.  The BYOD Prescriptive Deployment Guide describes this as a Subordinate CA I believe.  When I imported that cert to fulfill the CSR on ISE, it set that cert up to sign EAP-TLS device certificates for devices going through the BYOD flow.

I certainly could use my AD CA for everything as I understand that one of the ISE protocols for this is to not sign things itself but, instead, to pass on all signing requests to the AD CA server (described in the guide as SCEP Proxy).  However, my understanding was that this is legacy and perhaps not recommended now?

The point that I'm confused on is, if using the Subordinate CA method, ISE needs to sign those certs for all devices being authenticated with 802.1x certificates on the network, whether they're BYOD or institution owned.  The BYOD devices have an onboarding procedure that can be accomplished by the individual device owners but I'm trying to figure out what you do for the institution-owned devices in a more scalable and easy-to-deploy way.  I can't imagine each has to be individually onboarded... I assume you have to generate a non-device-specific common cert on ISE and deploy it on these other platforms or like a Cisco WLC and let it handle handing out certs to the individual APs for example.

Or perhaps the recommended solution is the use the SCEP Proxy and let everything be done on the AD CA but I haven't found any documentation stating that this is the way it needs to be done.

It varies widely based on device.  Domain joined PCs you use group policy to auto enroll in the PKI and receive their certificate and supplicant config.  Last I checked a Cisco AP does not support EAP-TLS, Meraki APs have no concept of a wired 802.1x supplicant at all.  I'm not sure the process for CUCM phones but I know they do support EAP-TLS.

ISE is not designed to be used as an enterprise CA.  It should not the SCEP relay point for certificate deployment, this should exist on your PKI deployment itself, not on ISE.  ISE already trusts everything signed by that CA (since you have imported the trust chain into ISE).

Thanks for the response.

I guess this is the point of confusion for me and probably something I'm missing in my understanding of the certificate chains and how they work in this scenario.

Which certificate should be configured on ISE to do be the EAP cert used for the server side in the EAP-TLS exchange?  On my lab setup, I have it set up to the be same intermediate/sub-CA cert that ISE is using to sign BYOD device certs.

If other devices in our infrastructure (non-BYOD) are not getting certificates signed by ISE and, instead, are getting certificates signed directly from the AD CA root, they would have a slightly different certificate chain.. same root but minus the ISE intermediate cert.

Keeping that in mind, if I plug in a domain-joined PC to a ISE-protected wired port configured for 802.1x, it's going to have to negotiate with the EAP auth cert on ISE.  Will it trust the ISE intermediate/sub-CA as the server-side cert in the 802.1x auth process?  Or does it have to be one in the chain of the device certificate it has installed (such as using a copy of the AD CA root certificate as the server-side EAP auth certificate in ISE)?