Cisco ISE 3.2: Multiple Microsoft Domain Join with Domains That Do Not Trust Each Other

ifabrizio
Level 1

Dear All,

I am planning to join a new domain to my Cisco ISE environment.

I already have one MS domain joined, and I use ISE to perform AAA on the devices and users.

I am using TEAP with EAP-TLS as inner method. It works well.

But when I added a new domain that does not trust the first one already joined, I saw that ISE can handle only the certificates for the first domain, and if I try to add the new domain's certificates, ISE proposes to replace the first domain's certificates.

My final goal is to perform AAA with devices and users in the new domain, as I have already done with the first domain. Is it possible?

Bye,

JF.

Accepted Solution

Arne Bier
VIP

Hi @ifabrizio 

I wanted to check on some of the wording in your question, in order to understand it better. When you talk about "trusting Domains" and "handle certificate of the first Domain", I believe you are referring to the ISE System Certificate that handles the EAP Server Hello function. You are correct about ISE only supporting one EAP System Certificate per PSN. The PSN only has one certificate with which it can identify itself (TLS Server Hello) to EAP supplicants. There is no way around this, unfortunately. Aruba ClearPass famously supports multiple EAP Server Certificates, therefore it should be possible for Cisco to offer this in ISE - perhaps submit a feature request. You won't be the first person to ask for this.

Suggestions:

  • Point the NAS to another PSN that has an EAP Server Certificate trusted by the other supplicants. In other words, you can have more than one PSN running, and each PSN can have its own unique EAP Server Certificate to serve a purpose.
  • In your clients (supplicants), install the Root CA and Issuing CA used to create the ISE EAP cert. You just have to add them into the trust store of the clients. Also ensure that the clients are not configured to only trust a particular CA chain.

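The trust-anchor point behind both suggestions, shown as an added example (this is not part of the original thread and not Cisco code): the Go program below builds two constructed issuing CAs, "Domain-A Issuing CA" and "Domain-B Issuing CA", issues the single EAP server certificate of a PSN from Domain A's CA, and models the supplicant's validation of the certificate presented in the Server Hello under three trust configurations. The first is the state described in the question (Domain B clients trust only their own CA), the second is suggestion 2 (Domain A's CA imported into the Domain B client trust store), and the third is suggestion 1 (a second PSN whose EAP certificate comes from Domain B's CA, with Domain B's NAS pointed at it). The CA names and the hostnames psn1.ise.example and psn2.ise.example are placeholders. Real supplicants may additionally match the server name against a configured list; that check is not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert generates a P-256 key for tmpl and signs tmpl with parentKey; with a
// nil parent the certificate is self-signed. Returns the parsed cert and its key.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// newCA stands in for one AD domain's issuing CA (the names used are constructed).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mkCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueEAPServerCert is the one EAP (TLS server) certificate a PSN presents in its
// Server Hello, issued by ca. The hostname is a placeholder.
func issueEAPServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	cert, _ := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}

// supplicantAccepts models the client's check of the EAP server certificate: it must
// chain to a CA in the client's trust store and be valid for server authentication.
func supplicantAccepts(trusted []*x509.Certificate, eapCert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := eapCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Outcome: do Domain A's and Domain B's supplicants accept the PSN they are sent to?
type Outcome struct{ DomainA, DomainB bool }

// runScenario plays out the thread: one PSN whose EAP certificate comes from
// Domain A's CA, then each of the two fixes from the answer.
func runScenario() (asIs, importedCA, secondPSN Outcome) {
	caA, keyA := newCA("Domain-A Issuing CA")
	caB, keyB := newCA("Domain-B Issuing CA")
	psn1 := issueEAPServerCert(caA, keyA, "psn1.ise.example")
	onlyA, onlyB, both := []*x509.Certificate{caA}, []*x509.Certificate{caB}, []*x509.Certificate{caA, caB}

	// The problem: Domain B's clients trust only their own CA, so psn1 is rejected.
	asIs = Outcome{supplicantAccepts(onlyA, psn1), supplicantAccepts(onlyB, psn1)}
	// Suggestion 2: import Domain A's root/issuing CA into the Domain B client trust store.
	importedCA = Outcome{supplicantAccepts(onlyA, psn1), supplicantAccepts(both, psn1)}
	// Suggestion 1: a second PSN with its own EAP certificate from Domain B's CA,
	// and Domain B's NAS pointed at that PSN.
	psn2 := issueEAPServerCert(caB, keyB, "psn2.ise.example")
	secondPSN = Outcome{supplicantAccepts(onlyA, psn1), supplicantAccepts(onlyB, psn2)}
	return
}

func main() {
	asIs, importedCA, secondPSN := runScenario()
	fmt.Printf("as-is: %+v\nDomain A CA imported on Domain B clients: %+v\nsecond PSN for Domain B: %+v\n",
		asIs, importedCA, secondPSN)
}
```

Running it prints three outcomes: in the as-is case only DomainA is true, and in the other two both are true. The model makes the practical caveat from the answer visible: a supplicant whose trusted-root list is pinned to its own domain's CA keeps rejecting the PSN certificate no matter what ISE does, so the fix is either on the client trust store or on which PSN (and therefore which certificate) that client's NAS is pointed at.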

ifabrizio
Level 1

Hi Arne,

Thank you for your support.

Yes, you have understood my question correctly. I will compare ClearPass with ISE to see which product is more suitable for my company.

Bye,

JF.