cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1559
Views
0
Helpful
3
Replies

ISE - Multiple Issuing Subordinate CAs for EAP Auth?

Stephen McBride
Level 1
Level 1

Is it possible to utilise multiple issuing subordinate CAs with an ISE implementation? In short I have a situation where the client is wanting to issue certificates for one group of users from CA1 and issue certificates for another group of users from CA2.

As far as I can see it is not possible to have two different server certificates installed on a policy node for the purposes of EAP authentication. Is the only way around this to install a policy node per issuing certifcate server?

3 Replies 3

Stephen McBride
Level 1
Level 1

Ok to add to this I would really like some clarification on certificate installation for the purposes of EAP-TLS. The Cisco doco is at best vague on this topic. I have a distributed deployment with 2 x Admin, 1 x monitoring and 2 x PSN. I have installed a Public HTTPS server auth cert on each device and all nodes are joined. I would now like to utilise MS CA cert infrastructure to authenticate EAP-TLS.

My understanding is that I need the MS CA Root Cert and Subordinate Cert on the Admin node with the subordinate cert ticked for trust for EAP Auth. Is there a requirement for a Server Authentication certificate on the Admin Node? Going forward with that Is there a requirement to add a server authentication certificate to the PSN Nodes?

In addition back to my first question is it possible to utilise multiple subordinate CAs for client authentication if so how as I cannot seem to click trust for EAP on multiple certs

Issue sorted.

Hi

 

Will you be able to share the solution here. I have similar requirement.

 

Regards

Ashish Shah

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: