Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
814
Views
5
Helpful
1
Replies

migrating ISE to a new PKI service

martucci
Cisco Employee
Cisco Employee

‎07-30-2018 03:20 AM - edited ‎03-11-2019 01:47 AM

 First Apologies if this is a duplicate. I thought I post it earlier, but I canot see it, so I guess I did something wrong.

 

I have a customer that needs to migrate ISE to a new PKI service using a process that has minimal service impact.

I was wondering if there is any specific guideline I can give them, as I do not have much real life experience on this. Thanks

0 Helpful
1 Reply 1

Rob Ingram
VIP
VIP

‎07-30-2018 03:56 AM

Hi,
I assume you are referring to EAP authentication? Ultimately ISE and the client computers needs to trust the root certificate in use for authentication. So you'd need to upload the Tursted Root and Intermediate Root certificates to ISE and the client computers must also have these Root and Intermediate Root certificates in their machine store. If this is in place you can generate a CSR from the new CA, issue certificates to ISE and bind the certificate. As the client computers trust this CA, authentications should continue to work.

Also check the Authorization policies to check if their are any rules specifically referencing the old CA e.g. "Issued By"

HTH
Customers Also Viewed These Support Documents