Currently, we are using a certificate on ISE that is signed by our internal Windows CA server. This cert is used for "Admin, EAP Authentication, RADIUS DTLS, Portal".
We also use a certificate from Digicert for our Guest Portal.
The issue I'm running into is for our BYOD network. Since Android 10, these devices can no longer connect to a WPA2-Enterprise Wi-Fi network unless the cert is publicly signed or the cert is installed directly onto the Android devices (which we prefer not to do).
I'm wondering what fallout could occur if we began using the Digicert cert, instead of the internally signed cert from our Windows CA server, for the roles described above.
When we had originally set up ISE, I believe we were going to use the CA certificates for authentication. All of our company-owned laptops/desktops have certs on them from the CA server. But I don't believe we are using those certs for auth any longer. Is there a way to tell in ISE if those certs are being checked during authentication?
I know that on our ASA, under the AnyConnect Connection Profile, the Authentication Method is just configured as "AAA", pointing to our ISE server.
In ISE, would this be found under Policy Sets > Wired/Wireless, in the Conditions column? Looking at the Policy Sets for Wired and Wireless, our "Compliant" Policy Set just checks whether the PC is in our AD, the location of the endpoint, and its posture status.
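The two trust decisions the question turns on can be reproduced offline with OpenSSL. The script below is an added example, not part of the original post and not ISE or Cisco code: two throwaway CAs are constructed here as stand-ins for the Windows CA and for a public root (it is not the real Digicert root), each signs an EAP server certificate for ISE, and check_chain() verifies a leaf against a chosen trust store the way a supplicant does. The hostnames ise.example.internal and ise.example.com and all CA names are assumptions. The same leaf is then checked from the two vantage points the post describes: a managed laptop whose Wi-Fi profile trusts only the internal CA (what the switch to a public cert affects), and a BYOD device that carries only public roots and no pushed CA (the Android case). The leaves are issued with the serverAuth EKU and a DNS SAN, which supplicants validate on EAP server certificates.

```shell
#!/bin/sh
# Added example (not from the original post): model the trust decisions a
# supplicant makes about an EAP server certificate. Two throwaway CAs stand in
# for the Windows CA and for a public root (constructed here; not the real
# Digicert root). Hostnames and CA names are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME CN : self-signed root written to $WORK/NAME.pem, with the
# basicConstraints/keyUsage a verifier requires of a CA
make_ca() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_leaf NAME CA HOST : EAP server cert for HOST signed by $WORK/CA.pem,
# carrying the serverAuth EKU and a DNS SAN, as an EAP server cert should
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 2 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# check_chain LEAF STORE : prints "trusted" or "untrusted". STORE is a CA name
# (the only anchor the device trusts), or "system" for the OpenSSL default
# store, which is what a BYOD device without a pushed CA effectively has.
check_chain() {
  if [ "$2" = system ]; then
    openssl verify -purpose sslserver "$WORK/$1.pem" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  else
    openssl verify -purpose sslserver -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  fi
}

# has_server_auth LEAF : "yes" if the EKU includes TLS Web Server Authentication
has_server_auth() {
  openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'TLS Web Server Authentication' \
    && echo yes || echo no
}

make_ca internal "Example Internal Windows CA"   # stand-in for the Windows CA
make_ca public   "Example Public Root"           # stand-in for a public root
make_leaf eap_internal internal ise.example.internal
make_leaf eap_public   public   ise.example.com

# Managed laptop whose Wi-Fi profile trusts only the internal CA
echo "internal-signed EAP cert, internal CA trusted: $(check_chain eap_internal internal)"
echo "publicly-signed EAP cert, internal CA trusted: $(check_chain eap_public internal)"
# BYOD device with only public roots and no pushed CA
echo "internal-signed EAP cert, public roots only:   $(check_chain eap_internal public)"
echo "publicly-signed EAP cert, public roots only:   $(check_chain eap_public public)"
echo "internal-signed EAP cert, system store:        $(check_chain eap_internal system)"
echo "EAP cert carries serverAuth EKU:               $(has_server_auth eap_internal)"
```

The four results line up with the two questions: the internally signed cert passes only where the Windows CA is an anchor, and the publicly signed cert passes only where the public root is. So moving the EAP role to the public cert fixes the BYOD case, and the thing to check before doing it is whether the managed laptops' wireless profile (or any other EAP supplicant config) restricts trust to the internal CA, since those clients would then see the "untrusted" row.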