Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
737
Views
0
Helpful
1
Replies

Cisco ISE NDES EAP and HTTP certificates from different CA

andyirving
Level 1
Level 1

‎01-27-2014 09:47 AM - edited ‎03-10-2019 09:19 PM

Hi guys, hope this is something you can help with…

  • 2 x ISE 1.2 (patch 5) 3415 appliances with hostnames webproxy1.customerdomain.com and webproxy2.customerdomain.com
  • AD integration with customerdomain.local
  • Guest authentication (CWA) using a separate interface on the ISE appliance (Gigabit 1) routing into its own VRF for isolation
  • Corporate authentication is using EAP-TLS which is working fine
  • BYOD using NSP with SCEP for iPads only at this stage using NDES on <customerdomain.local>

I have installed a signed GlobalSign server certificate for HTTPS for guests (with SAN fields webproxy1.customerdomain.com and webproxy2.customerdomain.com)

I have also installed a signed server certificate from the customer's CA for EAP (with CN of psn.customerdomain.local and SAN fields psn.customerdomain.local , webproxy1.customerdomain.com and webproxy2.customerdomain.com)

The issue I have is if the two certificates are assigned for EAP and HTTP respectively the NSP process fails to generate a certificate though SCEP to the NDES server.

As soon as I use the same internally signed certificate for HTTP and EAP it works, this then causes a problem with the HTTPS certificate being trusted by guests.

This does not work with the GlobalSign certificate being used for both HTTPS and EAP, only the internal one works.

Can you confirm if it is a valid design to have the ISE use one certificate for HTTPS and another for EAP signed by different CAs, it appears it has to be the internal CA used in the SCEP process to work.

Thanks

Andy

1 person had this problem
Labels:
0 Helpful
1 Reply 1

andyirving
Level 1
Level 1

‎03-10-2014 03:46 AM

I have now tested this with a test HTTP cert signed by a public CA and an EAP cert signed by my internal and SCEP works fine.  I am wondering if this is a certificate tier length issue.  My working example has a RootCA->IssuingCA->Cert.  It fails with a cert with a 3-tier heirarchy RootCA->IntermediateCA->IssuingCA->Cert.

Can anyone confirm this works on other deployments with a 3-tier certificate chain with SCEP?

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents