support for multiple EAP-TLS authentication certificates

mpeeters
Cisco Employee

Currently the workstations that have been configured are all working fine with a legacy SHA1 certificate and PEAP-TLS, but the Avaya IP phones do not authenticate, with the error “12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate”.

Customer situation:

One issue is that the phones currently use a SHA256 certificate for EAP-TLS and the workstations use SHA1. We are due to upgrade to SHA256 for the workstations in the coming months, but have an issue with compatibility, as the 4.2 ACS server currently in place does not work on 2008R2, potentially breaking our RADIUS authentications.

So the plan was to replace ACS with ISE and then upgrade the certificate server, which is when we hit the current issue. Is it possible to have 2 different EAP-TLS authentication certificates? I did attempt this, but when I go to bind the cert, ISE states that this will override the current binding. Otherwise, is there a temporary solution to MAB the IP phones and dot1x the workstations?

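A defender-side check added here as an example, not part of the original thread or of ISE itself: a shell script (assumes the openssl CLI is on PATH) that inspects a candidate EAP-TLS server certificate before it is bound in ISE, reporting the signature hash (SHA1 versus SHA256, the two sides of the migration described above) and whether it carries the Server Authentication EKU; the certificates it generates are constructed test input, not the customer's.

```shell
#!/bin/sh
# Added example (not from the original thread): pre-flight a certificate
# intended for the ISE EAP-TLS binding. Assumes the openssl CLI is on PATH.
# Sample certificates are generated locally as constructed input.

# Print the signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Exit 0 when the certificate asserts the TLS Web Server Authentication EKU,
# which a supplicant expects on the authentication server's certificate.
cert_has_server_auth() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Server Authentication'
}

# Classify a certificate for EAP-TLS server use. Prints one of:
#   ok | sha1 | no-server-auth | unreadable
# A SHA-1 (or MD5) signature is the legacy case the thread is migrating away
# from, so it is flagged before the certificate is bound in ISE.
eap_cert_verdict() {
  alg="$(cert_sig_alg "$1")"
  [ -n "$alg" ] || { echo unreadable; return 1; }
  case "$alg" in
    sha1*|md5*) echo sha1; return 1 ;;
  esac
  cert_has_server_auth "$1" || { echo no-server-auth; return 1; }
  echo ok
}

# Constructed sample: throwaway self-signed cert.
# $1 = output PEM path, $2 = digest (sha256, sha1), $3 = EKU value (serverAuth, clientAuth)
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes "-$2" -days 1 \
    -subj "/CN=ise-sample.example" -addext "extendedKeyUsage=$3" \
    -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Demo: one certificate that passes and one that only carries clientAuth.
DEMO_DIR="$(mktemp -d)"
make_sample_cert "$DEMO_DIR/good.pem" sha256 serverAuth
make_sample_cert "$DEMO_DIR/client-only.pem" sha256 clientAuth
for f in "$DEMO_DIR"/*.pem; do
  printf '%s: %s (%s)\n' "$(basename "$f")" "$(eap_cert_verdict "$f")" "$(cert_sig_alg "$f")"
done
```

Run it against the exported ISE system certificate (PEM) to see which of the three checks a rejected certificate fails before changing the binding.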