Using 802.1x wired + which cert??

siryonz
Level 1

Hey! First post here, but desperate to pick some brains here. We are implementing 802.1x on the wired side and infosec wants to prevent BYOD, so I've found myself drowning in the 802.1x cert based/machine authentication space. We are currently using 802.1x + EAP for wireless, which works just great. On the wireless side, we have never had to push our 3rd party CA EAP cert to clients; instead it was trusted upon authentication and worked (I think because public certs like GoDaddy are preinstalled on common vendor devices). Now, can I use that same EAP cert we are using for wireless for wired, as it is installed in ISE already? If so, what do I need to do to get that onto my endpoints (Windows/MacOS)? Thank you in any case.

8 Replies

@siryonz

You can use the same client certificate (user or machine) for wired and wireless authentication, which ISE would trust if you are already using it. ISE uses the EAP certificate for authentication, if this is the public GoDaddy certificate then the client devices need to trust this certificate.

You just need to configure the native supplicant for the wired interface with the correct configuration, authentication method and trusted CA - https://integratingit.wordpress.com/2019/07/13/configuring-windows-gpo-for-802-1x-authentication/

 

Grateful for your response Rob.  I have configured supplicant using smartcard/certificate method, EAP authentication method, and checked the GoDaddy root authority in the trust store, but no luck.

1.) So I guess there is some confusion about what cert and where it needs to be installed on the endpoint. I have not loaded anything relative to my client EAP certificate in the computer or user 'personal' folders (see attached). Just the root and intermediate Go Daddy certs in the trusted store on my endpoint which are checked for trusted.

2.) Is the generic GoDaddy root certificate enough, or do I need to install my client EAP cert in one of the folders also? I'm confused on the flow. I will try to learn how to do a packet capture to capture the conversation.

 

@siryonz Of those 3 certificates in the personal certificate store, does ISE trust those CAs? You can see what authentication method and what certificate was used by your wireless clients by looking in the ISE live logs for an authentication session.

You can also check your authentication configuration settings on client supplicant to confirm what is configured and mirror that for the wired interface configuration.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html

https://community.cisco.com/t5/security-knowledge-base/how-to-implement-digital-certificates-in-ise/ta-p/3630897

 

Rob,

No, none of those are trusted on ISE. So do I need to install my EAP client cert (trusted and exported from ISE) into the personal certificate store for this to work? I was under the impression that just the root GoDaddy cert into the trusted store and the intermediate into the trusted store would do, and that, like wireless, ISE will present my client cert to the endpoint for trust upon authentication.

@siryonz

You don't need to export the EAP certificate used by ISE and import to the clients. If the client trusts the public GoDaddy certificate they can validate ISE's certificate. If the client has a certificate issued by another CA, then ISE needs to trust those CAs in order for ISE to validate the client certificates (import to ISE's trusted certificate store).

Determine how it's currently working for wireless authentication and mirror this, assuming it's configured correctly. Did you check the ISE logs to confirm how those clients are authenticated and which CA is in use?
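As an added example of the check described in the reply above (not the poster's or Cisco's own code), assuming a Windows endpoint with PowerShell 5 or later and an elevated prompt: it lists the certificates in the Personal stores, whether they carry a private key and the Client Authentication EKU that EAP-TLS needs, and which root CA they chain to, since that root is what ISE must hold in its trusted certificate store to validate the client certificate.

```powershell
# Added example: inventory EAP-TLS candidate certificates on a Windows endpoint
# and report the issuing CA / chain root that ISE would need to trust.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU OID: Client Authentication

foreach ($storePath in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Write-Host "== $storePath =="
    foreach ($cert in Get-ChildItem -Path $storePath) {
        # EnhancedKeyUsageList is the PowerShell view of the certificate's EKU extension.
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $hasClientAuth = $ekus -contains $clientAuthOid

        # Build the chain against this machine's trust stores. The last element
        # is the root CA; ISE must trust that CA (or the issuing CA) for EAP-TLS.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust-path check only, no CRL/OCSP
        $chainOk = $chain.Build($cert)
        $root = if ($chain.ChainElements.Count -gt 0) {
            $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        } else { '(no chain could be built)' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer          # the CA to import into ISE's trusted store
            HasPrivateKey = $cert.HasPrivateKey   # required to present the cert in EAP-TLS
            ClientAuthEKU = $hasClientAuth
            ChainBuilds   = $chainOk
            ChainRoot     = $root
            NotAfter      = $cert.NotAfter
        } | Format-List
    }
}

# Show the wired (LAN) 802.1x profiles as applied by GPO, including the EAP type
# and the server-validation settings, to compare against the working wireless profile.
netsh lan show profiles
```

A certificate that shows HasPrivateKey and ClientAuthEKU as True is the one the supplicant can present; its Issuer is the CA to import into ISE's trusted certificates, while the GoDaddy chain in the Trusted Root/Intermediate stores only serves to validate ISE's own EAP certificate. On macOS, `security find-identity -v -p eap` lists the identities in the keychain that are valid for EAP.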

OK, to be safe, I will make sure GoDaddy is trusted in both intermediate and root stores. I will do this in both user and computer certificate stores. As for live logs, I do not see anything relevant to a CA. I see an EAP key and also see user and group results from AD, which we use to resolve identities.

@siryonz GoDaddy is not the CA that issued the client certificate; whatever CA issued the certificate in the user/machine Personal store is what you need to import into the ISE trusted store.

If you are already using certificates for wireless authentication, then ISE should already trust that certificate!!

Have you looked at the wireless authentication settings in the client to confirm what is configured?

What authentication method is used? Definitely EAP-TLS? Or PEAP/MSCHAPv2? Provide the output for review.

Ferdaush
Level 1

Thanks