Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1702
Views
0
Helpful
4
Replies

Remove EAP from ISE Server Certificate

Go to solution
rdotson
Level 1
Level 1

‎10-17-2013 12:13 PM - edited ‎03-10-2019 09:00 PM

I've installed GoDaddy server certificates on all my ISE 1.1.1 nodes, but clients are still getting error and accepting certificates.  I would like to just remove EAP from the certificate and not use any certificate for EAP.                    

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
jj27
Spotlight
Spotlight

‎10-17-2013 12:23 PM

Hi,

I'm pretty sure that you have to use a certificate for EAP whether it is a self-signed one or an internal CA or 3rd party certificate, but I could be wrong.  To remove using EAP from your GoDaddy Certificate simply edit another certificate and check the box for EAP.  The application server will restart and the new certificate will now be used for EAP.

If you get an error on Microsoft PCs saying somthing about the server not being a trusted NPS server then you can try adding the GoDaddy root certificate to your internal PKI NTAuth store. See this article: 

http://support.microsoft.com/kb/2518158?wa=wsignin1.0

View solution in original post

0 Helpful

Go to solution
Jim Thomas
Level 4
Level 4

‎10-17-2013 12:25 PM

Explain the issue in more detail. Are you trying to use Guest or 802.1x. THere are many authentication protocols that you could use for EAP. TLS and PEAP require the use the the cert. What you trying to accomplish and what are the issues?

Jim Thomas
Cisco Security Course Director
Global Knowledge
CCIE Security #16674

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674

View solution in original post

0 Helpful
4 Replies 4

Go to solution
jj27
Spotlight
Spotlight

‎10-17-2013 12:23 PM

Hi,

I'm pretty sure that you have to use a certificate for EAP whether it is a self-signed one or an internal CA or 3rd party certificate, but I could be wrong.  To remove using EAP from your GoDaddy Certificate simply edit another certificate and check the box for EAP.  The application server will restart and the new certificate will now be used for EAP.

If you get an error on Microsoft PCs saying somthing about the server not being a trusted NPS server then you can try adding the GoDaddy root certificate to your internal PKI NTAuth store. See this article: 

http://support.microsoft.com/kb/2518158?wa=wsignin1.0

0 Helpful

Go to solution
Jim Thomas
Level 4
Level 4

‎10-17-2013 12:25 PM

Explain the issue in more detail. Are you trying to use Guest or 802.1x. THere are many authentication protocols that you could use for EAP. TLS and PEAP require the use the the cert. What you trying to accomplish and what are the issues?

Jim Thomas
Cisco Security Course Director
Global Knowledge
CCIE Security #16674

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674
0 Helpful

Go to solution
rdotson
Level 1
Level 1

‎10-17-2013 01:44 PM

thank you for your answers.  The issue was caused more by not having the root certificate from GoDaddy in the Certificate Store.  I was able to move EAP to another self signed certificate like you suggested though.   A call to TAC confirmed it all.

Thanks

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee
In response to rdotson

‎10-18-2013 02:05 AM

so yes if you have "validate server certificate" option checked on your end clients then in order to authenticate with peap you should have the complete certificate chain installed on the end client under certificate store. With this option unchecked you can still authenticate without root/intermediate but that would not be a secure connection.

Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS

http://support.microsoft.com/kb/814394

My 2 cents

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful
Customers Also Viewed These Support Documents