Showing results for 
Search instead for 
Did you mean: 

Changing ISE Certificate for EAP Auth Role

Matthew Martin

Hello All,

ISE v2.7

Currently, we are using a Certificate on ISE that is signed by our internal Windows CA server. This cert is used for "Admin, EAP Authentication, RADIUS DTLS, Portal".

We also use a certificate from Digicert for our Guest Portal.

The issue I'm running into is for our BYOD network. Since Android 10, these devices can no longer connect to a WPA2-Enterprise Wi-Fi network where the cert is not publicly signed, or by installing certs directly onto the Android devices (*which we prefer not to do).

I'm wondering what fallout could occur by beginning to use the Digicert, instead of the internally signed cert from our Windows CA server for the Roles described above?

When we had originally setup ISE, I believe we were going to use the CA Certificates for authentication. All of our company owned laptops/desktops have certs on them from the CA server. But, I don't believe we are using those Certs for auth any longer. Is there a way to tell in ISE if those Certs are being checked during authentication?

I know on our ASA, under the AnyConnect Connection Profile, for the Authentication Method we just have that configured for "AAA" and it points to our ISE server.

In ISE, would this be found in Policy Sets > Wired/Wireless > under the Conditions column? When looking at the Policy Sets, for Wired and Wireless. Our "Compliant" Policy Set just checks if the PC is in our AD, the location of the endpoint, and its Posture status.

Any help would be appreciated!

Thanks in Advance,

7 Replies 7

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@Matthew Martin it's probably the EAP certifcate causing a problem with the Anrdoid devices, it's common to use a public CA to sign the EAP certificate nowadays.

Refer to this Cisco ISE certificates guide for more information

For the Wired/Wireless authentication, what protocol are you using EAP-TLS or PEAP/MSCHAPv2? If using PEAP/MSCHAPv2 then the client would just need to trust the CA signing the ISE EAP certificate.

Thanks for the reply Rob. I will check out that link.

We are using PEAP/MSCHAPv2. So if using a publicly signed Cert, like DigiCert, the clients should automatically trust this cert?

Thanks Again,