This question is rather vague. If you have clients (endpoints) with different certificates issued from different subCAs that will be used for eap-tls auth you will need to import both certificate chains into ISE trusted certificates and ensure they are trusted for authentication within ISE.
This question is rather vague. If you have clients (endpoints) with different certificates issued from different subCAs that will be used for eap-tls auth you will need to import both certificate chains into ISE trusted certificates and ensure they are trusted for authentication within ISE.
To clarify. We have smartphones and laptops, the phones will have a CA1 and Laptops will have CA2, both with the same RootCA. I should be able to import both CAs and the RootCA and have these check which CA is valid for authentication. Correct?
It’s always useful to specify which cert is being discussed. Server cert (in ISE) or client cert (from client). The original post question may have heard/read that ISE only supports a single EAP server cert. that is true. ISE will always identify itself using the one and only EAP server cert. in most cases this is fine. But for customers who have mergers and acquisitions, having more than one server cert in the RADIUS server is handy. Clearpass 6.7 introduced that feature not too long ago.
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
