05-07-2024 01:20 AM
Dear All,
I am planning to join a new Domain to my Cisco ISE environment.
I already have one MS Domain joined, and I use ISE to perform AAA on the Devices and Users.
I am using TEAP with EAP-TLS as the inner method. It works well.
But when I added a new Domain that is not trusted by the first one already joined, I see that ISE can handle only the certificates for the first Domain, and if I try to add the new Domain's certificates, ISE proposes to replace the first Domain's certificates.
My final goal is to perform AAA with devices and Users in the new Domain, as I have already done with the first Domain. Is it possible?
Bye,
JF.
05-07-2024 02:35 PM
Hi @ifabrizio
I wanted to check on some of the wording in your question, in order to understand your question better. When you talk about "trusting Domains" and "handle certificate of the first Domain", I believe you are referring to the ISE System Certificate that handles the EAP Server Hello function. You are correct about ISE only supporting one EAP System Certificate per PSN. The PSN only has one Certificate with which it can identify itself (TLS Server Hello) to EAP supplicants. There is no way around this, unfortunately. Aruba ClearPass famously supports multiple EAP Server Certificates, therefore it should be possible for Cisco to offer this in ISE - perhaps submit a feature request. You won't be the first person to ask for this.
Suggestions:
05-09-2024 11:38 PM
Hi Arne,
Thank you for your support.
Yes, you have understood my question correctly. I will compare ClearPass with ISE to see which product is more suitable for my company.
Bye,
JF.