Cisco ISE NDES EAP and HTTP certificates from different CA
Hi guys, hope this is something you can help with…
2 x ISE 1.2 (patch 5) 3415 appliances with hostnames webproxy1.customerdomain.com and webproxy2.customerdomain.com
AD integration with customerdomain.local
Guest authentication (CWA) using a separate interface on the ISE appliance (Gigabit 1) routing into its own VRF for isolation
Corporate authentication is using EAP-TLS which is working fine
BYOD using NSP with SCEP for iPads only at this stage using NDES on <customerdomain.local>
I have installed a signed GlobalSign server certificate for HTTPS for guests (with SAN fields webproxy1.customerdomain.com and webproxy2.customerdomain.com)
I have also installed a signed server certificate from the customer's CA for EAP (with CN of psn.customerdomain.local and SAN fields psn.customerdomain.local , webproxy1.customerdomain.com and webproxy2.customerdomain.com)
The issue I have is if the two certificates are assigned for EAP and HTTP respectively the NSP process fails to generate a certificate though SCEP to the NDES server.
As soon as I use the same internally signed certificate for HTTP and EAP it works, this then causes a problem with the HTTPS certificate being trusted by guests.
This does not work with the GlobalSign certificate being used for both HTTPS and EAP, only the internal one works.
Can you confirm if it is a valid design to have the ISE use one certificate for HTTPS and another for EAP signed by different CAs, it appears it has to be the internal CA used in the SCEP process to work.
I have now tested this with a test HTTP cert signed by a public CA and an EAP cert signed by my internal and SCEP works fine. I am wondering if this is a certificate tier length issue. My working example has a RootCA->IssuingCA->Cert. It fails with a cert with a 3-tier heirarchy RootCA->IntermediateCA->IssuingCA->Cert.
Can anyone confirm this works on other deployments with a 3-tier certificate chain with SCEP?
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...