Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Remove EAP from ISE Server Certificate

I've installed GoDaddy server certificates on all my ISE 1.1.1 nodes, but clients are still getting error and accepting certificates.  I would like to just remove EAP from the certificate and not use any certificate for EAP.                    

2 ACCEPTED SOLUTIONS

Accepted Solutions

Re: Remove EAP from ISE Server Certificate

Hi,

I'm pretty sure that you have to use a certificate for EAP whether it is a self-signed one or an internal CA or 3rd party certificate, but I could be wrong.  To remove using EAP from your GoDaddy Certificate simply edit another certificate and check the box for EAP.  The application server will restart and the new certificate will now be used for EAP.

If you get an error on Microsoft PCs saying somthing about the server not being a trusted NPS server then you can try adding the GoDaddy root certificate to your internal PKI NTAuth store. See this article: 

http://support.microsoft.com/kb/2518158?wa=wsignin1.0

Community Member

Remove EAP from ISE Server Certificate

Explain the issue in more detail. Are you trying to use Guest or 802.1x. THere are many authentication protocols that you could use for EAP. TLS and PEAP require the use the the cert. What you trying to accomplish and what are the issues?

Jim Thomas
Cisco Security Course Director
Global Knowledge
CCIE Security #16674

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674
4 REPLIES

Re: Remove EAP from ISE Server Certificate

Hi,

I'm pretty sure that you have to use a certificate for EAP whether it is a self-signed one or an internal CA or 3rd party certificate, but I could be wrong.  To remove using EAP from your GoDaddy Certificate simply edit another certificate and check the box for EAP.  The application server will restart and the new certificate will now be used for EAP.

If you get an error on Microsoft PCs saying somthing about the server not being a trusted NPS server then you can try adding the GoDaddy root certificate to your internal PKI NTAuth store. See this article: 

http://support.microsoft.com/kb/2518158?wa=wsignin1.0

Community Member

Remove EAP from ISE Server Certificate

Explain the issue in more detail. Are you trying to use Guest or 802.1x. THere are many authentication protocols that you could use for EAP. TLS and PEAP require the use the the cert. What you trying to accomplish and what are the issues?

Jim Thomas
Cisco Security Course Director
Global Knowledge
CCIE Security #16674

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674
Community Member

Remove EAP from ISE Server Certificate

thank you for your answers.  The issue was caused more by not having the root certificate from GoDaddy in the Certificate Store.  I was able to move EAP to another self signed certificate like you suggested though.   A call to TAC confirmed it all.

Thanks

Cisco Employee

Remove EAP from ISE Server Certificate

so yes if you have "validate server certificate" option checked on your end clients then in order to authenticate with peap you should have the complete certificate chain installed on the end client under certificate store. With this option unchecked you can still authenticate without root/intermediate but that would not be a secure connection.

Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS

http://support.microsoft.com/kb/814394

My 2 cents

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin Katyal
493
Views
0
Helpful
4
Replies
CreatePlease to create content