Design considerations for supporting multiple trusted CAs for EAP-TLS in ISE

matthen
Cisco Employee

I have a customer that is migrating from an existing external CA to a new external CA. They're currently using their existing CA for EAP-TLS and they want to add the new CA to ISE, so essentially authenticate with both CAs during the migration. Can they just add the cert chain for the new CA, generate and sign a CSR, import the new cert, and mark it to be used for authentication? Is there anything else that needs to be done or any design considerations that they need to be aware of?

2 Replies

gbekmezi-DD
Level 5
That’s pretty much it. If you don’t care which CA issued the client’s certificate you shouldn’t have to do anything else.

thomas
Cisco Employee

Yes, you can change the ISE cert with the simple import for authentication and it will be fine.

The only other consideration is whether your endpoints will trust the new cert chain.

If the endpoints do not have the new CA in their trusted store they may reject any authentication attempts from ISE signed by the new CA.
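As an added example (not part of this thread and not Cisco tooling), the POSIX shell script below uses openssl to reproduce both replies on throwaway certificates. Two self-signed roots stand in for the customer's old and new external CAs. A client certificate from each is validated against a trust store holding both roots, which is what ISE evaluates once both CAs are imported and marked for client authentication; an EAP server certificate signed by the new CA is then validated against an endpoint trust store before and after the new root has been distributed, which is the failure mode the second reply describes. The CA names, subject CNs, file names and the lab.cnf config are all hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Simulates the CA migration
# with throwaway CAs: "old_ca" (current external CA) and "new_ca" (the one
# being added). All names and paths are hypothetical.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so nothing depends on the system openssl.cnf.
cat > "$WORK/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF

# make_ca NAME: self-signed root $WORK/NAME.crt with key $WORK/NAME.key
make_ca() {
  openssl req -x509 -config "$WORK/lab.cnf" -extensions v3_ca -days 30 \
    -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1" >/dev/null 2>&1
}

# issue CA NAME SECTION: leaf $WORK/NAME.crt signed by CA, with the
# extensions of SECTION (v3_client = supplicant, v3_server = ISE EAP cert)
issue() {
  openssl req -new -config "$WORK/lab.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -extfile "$WORK/lab.cnf" -extensions "$3" \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# chains_to STORE PURPOSE CERT: exit 0 if CERT validates against STORE only
chains_to() {
  openssl verify -no-CApath -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1
}

# rejected_by STORE PURPOSE CERT: exit 0 if, and only if, validation fails
rejected_by() {
  if chains_to "$1" "$2" "$3"; then return 1; fi
}

# result STORE PURPOSE CERT LABEL: one human-readable ACCEPT/REJECT line
result() {
  if chains_to "$1" "$2" "$3"; then echo "ACCEPT  $4"; else echo "REJECT  $4"; fi
}

make_ca old_ca
make_ca new_ca
issue old_ca client_old v3_client   # supplicant cert from the current CA
issue new_ca client_new v3_client   # supplicant cert from the new CA
issue new_ca ise_eap    v3_server   # ISE EAP server cert, signed by the new CA

# ISE side: both roots imported and marked "Trust for client authentication".
cat "$WORK/old_ca.crt" "$WORK/new_ca.crt" > "$WORK/ise_trust.pem"
# Endpoint side: trust store before and after the new root is pushed out.
cp  "$WORK/old_ca.crt" "$WORK/endpoint_before.pem"
cat "$WORK/old_ca.crt" "$WORK/new_ca.crt" > "$WORK/endpoint_after.pem"

result "$WORK/ise_trust.pem"       sslclient "$WORK/client_old.crt" "ISE <- client cert from old CA"
result "$WORK/ise_trust.pem"       sslclient "$WORK/client_new.crt" "ISE <- client cert from new CA"
result "$WORK/endpoint_before.pem" sslserver "$WORK/ise_eap.crt"    "endpoint (old root only) <- ISE EAP cert"
result "$WORK/endpoint_after.pem"  sslserver "$WORK/ise_eap.crt"    "endpoint (both roots) <- ISE EAP cert"
```

Run it as-is; it prints ACCEPT for both client certificates against the two-root ISE store, REJECT for the ISE EAP certificate against an endpoint that only holds the old root, and ACCEPT once the endpoint also holds the new root. The openssl verify calls are a stand-in for the chain validation ISE and the supplicant each perform; the real deployment check is to push the new root to endpoints before switching ISE's EAP certificate to the new CA, and to keep both roots trusted for client authentication until the last old-CA client certificate has been reissued.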