Re: EAP-TLS and PEAP certificates in ISE

alex.fana1
Level 1

Someone has told me that you can't use multiple subCAs for EAP-TLS authentication. Is this true?

1 Accepted Solution

Mike.Cifelli
VIP Alumni
This question is rather vague. If you have clients (endpoints) with different certificates issued from different subCAs that will be used for EAP-TLS auth, you will need to import both certificate chains into ISE trusted certificates and ensure they are trusted for authentication within ISE.

To clarify: we have smartphones and laptops. The phones will have CA1 and the laptops will have CA2, both with the same RootCA. I should be able to import both CAs and the RootCA and have these check which CA is valid for authentication. Correct?

Yes.

It’s always useful to specify which cert is being discussed: server cert (in ISE) or client cert (from client). The original post question may have heard/read that ISE only supports a single EAP server cert. That is true. ISE will always identify itself using the one and only EAP server cert. In most cases this is fine. But for customers who have mergers and acquisitions, having more than one server cert in the RADIUS server is handy. ClearPass 6.7 introduced that feature not too long ago.
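
The client-certificate setup discussed in this thread (one RootCA, CA1 for phones, CA2 for laptops) can be reproduced offline as an added example; this is not code from the thread or from Cisco. It builds a constructed lab PKI and uses `openssl verify` to show that a client certificate validates only when its own issuing subCA is in the trusted set. All names and files are made up, and the check covers chain building only, not ISE's own trust-for-authentication setting.

```shell
#!/bin/sh
# Constructed lab PKI: RootCA -> CA1 (phones), RootCA -> CA2 (laptops).
# Every name, subject and file here is made up; nothing is exported from ISE.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"

# new_csr NAME: fresh RSA key and CSR with CN=NAME
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# issue NAME ISSUER EXTFILE: certificate for NAME signed by ISSUER
issue() {
  new_csr "$1"
  openssl x509 -req -in "$WORK/$1.csr" -days 30 -extfile "$3" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.pem" 2>/dev/null
}

# chains_ok CLIENT CA...: true only if CLIENT validates against exactly the listed CA certs
chains_ok() {
  leaf=$1; shift
  : > "$WORK/trust.pem"
  for ca in "$@"; do cat "$WORK/$ca.pem" >> "$WORK/trust.pem"; done
  openssl verify -CAfile "$WORK/trust.pem" "$WORK/$leaf.pem" 2>&1 | grep -q ': OK$'
}

# Self-signed root, two subordinate CAs, one client certificate under each.
new_csr RootCA
openssl x509 -req -in "$WORK/RootCA.csr" -signkey "$WORK/RootCA.key" -days 30 \
  -extfile "$WORK/ca.ext" -out "$WORK/RootCA.pem" 2>/dev/null
issue CA1 RootCA "$WORK/ca.ext"
issue CA2 RootCA "$WORK/ca.ext"
issue phone CA1 "$WORK/client.ext"
issue laptop CA2 "$WORK/client.ext"

# Compare a trust set missing CA2 with the complete one.
for store in "RootCA CA1" "RootCA CA1 CA2"; do
  for c in phone laptop; do
    # $store is left unquoted on purpose so it splits into CA names
    if chains_ok "$c" $store; then r=accept; else r=reject; fi
    echo "trusted=[$store] client=$c -> $r"
  done
done
```

The same `openssl verify -CAfile` check can be run against real exported CA certificates and a sample endpoint certificate before importing them.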