Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco ISE NDES EAP and HTTP certificates from different CA

Hi guys, hope this is something you can help with…

  • 2 x ISE 1.2 (patch 5) 3415 appliances with hostnames webproxy1.customerdomain.com and webproxy2.customerdomain.com
  • AD integration with customerdomain.local
  • Guest authentication (CWA) using a separate interface on the ISE appliance (Gigabit 1) routing into its own VRF for isolation
  • Corporate authentication is using EAP-TLS which is working fine
  • BYOD using NSP with SCEP for iPads only at this stage using NDES on <customerdomain.local>

I have installed a signed GlobalSign server certificate for HTTPS for guests (with SAN fields webproxy1.customerdomain.com and webproxy2.customerdomain.com)

I have also installed a signed server certificate from the customer's CA for EAP (with CN of psn.customerdomain.local and SAN fields psn.customerdomain.local , webproxy1.customerdomain.com and webproxy2.customerdomain.com)

The issue I have is if the two certificates are assigned for EAP and HTTP respectively the NSP process fails to generate a certificate though SCEP to the NDES server.

As soon as I use the same internally signed certificate for HTTP and EAP it works, this then causes a problem with the HTTPS certificate being trusted by guests.

This does not work with the GlobalSign certificate being used for both HTTPS and EAP, only the internal one works.

Can you confirm if it is a valid design to have the ISE use one certificate for HTTPS and another for EAP signed by different CAs, it appears it has to be the internal CA used in the SCEP process to work.

Thanks

Andy

Everyone's tags (1)
1 REPLY
Community Member

I have now tested this with a

I have now tested this with a test HTTP cert signed by a public CA and an EAP cert signed by my internal and SCEP works fine.  I am wondering if this is a certificate tier length issue.  My working example has a RootCA->IssuingCA->Cert.  It fails with a cert with a 3-tier heirarchy RootCA->IntermediateCA->IssuingCA->Cert.

Can anyone confirm this works on other deployments with a 3-tier certificate chain with SCEP?

Thanks

329
Views
0
Helpful
1
Replies
CreatePlease to create content