Someone else can chime in

cmonks119 · ‎03-02-2015

I am looking for a workaround for the ACS limitation of only having one EAP certificate.

Currently, we have ACS running with a PUBLIC Trusted CA cert, serving PEAP-MS Chap clients.

We need to add support (on a separate SSID) for mobile devices to perform EAP-TLS certificate-based authentication using INTERNAL CA user/device certs pushed out by MDM.

Since we cannot apply both PUBLIC and INTERNAL certs to EAP in ACS, what are the options?

I have seen just a couple of references to a similar setup here on the forums, with a suggestion to use PUBLIC cert for EAP in ACS, and make sure both PUBLIC and INTERNAL CA roots and issuer certs are installed. What I haven't found a clear explanation on is whether this will allow devices with INTERNAL user/device certs to authenticate against the PUBLIC ACS EAP cert?

Any explanation on this (or better yet working examples) would be much appreciated.

nspasov · ‎03-03-2015

Someone else can chime in here to correct but I don't believe there is a workaround for this. Both ISE and ACS can only have one certificated coupled to the EAP protocol.

Thank you for rating helpful posts!

cmonks119 · ‎03-04-2015

Yes, I understand the part about only being able to bind one EAP cert in ACS.

These are the posts that seem a bit confusing to me:

https://supportforums.cisco.com/discussion/11114321/multiple-eap-certificates-acs-52

What you wan't to do, is not supported using two certificates on the ACS/ISE server, only one can be used for EAP (PEAP & TLS), so like i described : use a public cert for your ISE, this will work as it's already trusted in the cert stores on devices, as long as you install the root and the issuers certs from your internal pki to validate your eap-tls clients that then can use your local pki for eap-tls.

https://supportforums.cisco.com/discussion/12081516/use-acs-54-tls-authentication-certificate-not-chain

yes you can use an external/public CA for EAP-TLS. Just make sure you have the complete certificate chain installed on the client and the server (including intermediate certificate).

cmonks119 · ‎03-06-2015

For anyone else looking into this, it looks like it does work.

On ACS, under Certificate Authorities, Install your Public Root CA and any intermediates. Also install or Internal PKI Root CA and any intermediates. On your client machines, make sure they trust the Public CA (install manually if not using a trusted one), and install their Internal PKI user cert.

I was testing with an iPhone, so I configured a new wireless profile with EAP-TLS, and it asks you which identity cert you want to use, select the Internal PKI user cert. The client then authenticates ACS via the Public cert, then passes the User cert and authenticates against the Internal CA on ACS. You are then authenticated, assuming your authorization profiles are configured correctly.

debaker · ‎04-27-2015

Any examples on how to do this? What I have done so far is to set up an ssid which uses AD auth to verify use membership to log into this ssid.This is a byod ssid. Problem being the same users can using their same credential login into my trusted ssid using their ad credentials.

I need to be able to not allow their personal devices on my trusted network and just keep those on the BYOD network. will doing what is discussed above work for this?

ACS, EAP-TLS Wireless with Public/Internal Certs