cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
330
Views
0
Helpful
2
Replies
Cisco Employee

Design considerations for supporting multiple trusted CAs for EAP-TLS in ISE

I have a customer that is migrating from an existing external CA to a new external CA.  They're currently using their existing CA for EAP-TLS and they want to add the new CA to ISE, so essentially authenticate with both CAs during the migration.  Can they just add the cert chain for the new CA, generate and sign a CSR, import the new cert, and mark it to be used for authentication?  Is there anything else that needs to be done or any design considerations that they need to be aware of?

Everyone's tags (4)
2 REPLIES 2
Contributor

Re: Design considerations for supporting multiple trusted CAs for EAP-TLS in ISE

That’s pretty much it. If you don’t care which CA issued the client’s certificate you shouldn’t have to do anything else.
Highlighted
Cisco Employee

Re: Design considerations for supporting multiple trusted CAs for EAP-TLS in ISE

Yes, you can change the ISE cert with the simple import for authentication and it will be fine.

The only other consideration is will your endpoints trust the new cert chain?

If the endpoints do not have the new CA in their trusted store they may reject any authentication attempts from ISE signed by the new CA.

Everyone's tags (6)