pasobcam.blogg.se - Configuring eap chainning requirements on cisco ise 2.4

CONFIGURING EAP CHAINNING REQUIREMENTS ON CISCO ISE 2.4 HOW TO
CONFIGURING EAP CHAINNING REQUIREMENTS ON CISCO ISE 2.4 FULL
CONFIGURING EAP CHAINNING REQUIREMENTS ON CISCO ISE 2.4 PLUS

CONFIGURING EAP CHAINNING REQUIREMENTS ON CISCO ISE 2.4 HOW TO

The authority information access extension indicates how to access CA I always thought this extenstion is only there to get the location of the OCSP server, but. Somehow the section 4.2.2.1 of RFC3280 (CRL RFC) is describing AiA (Authority Information Access). Retrieve intermediate certificates that may be necessary to validate compliant path validation, including the ability to SHOULD support validating the peer certificate using RFC 3280 Since the EAP-TLS server is typically connected to the Internet, it Let's check the RFC 5216 (EAP-TLS for any hints):

Does the ISE perform CRL checking? Normally I would assume no, because the ISE does not support the CDP information embedded in the certificate, right?.

Does the ISE perform OCSP checking? If yes, because of the AIA information or based on the root CA setting?.

If this would be the case (the client sends the whole chain in the "client hello" message) some interesting questions arise: I newer thought of the fact, that i might be the other way around as well. We have a CWA web certificate from a public intermediate signing CA, but the client has typically and most probably only the root CA. We see it day by day when using for example CWA.

CONFIGURING EAP CHAINNING REQUIREMENTS ON CISCO ISE 2.4 FULL

I know the behavior, that the TLS server may (and should) send the full certificate chain in the TLS server hello message. Regarding the tcpdump - unfortunately not, because it was a one time occurance in a production network.īut hell - you're right.

Somehow I knew you'd respond to my question :) Thanks for that!

Is the documentation wrong? What's the expected behavior? What are your experiences? However, the corresponding root CA (ROOT-CA) is in the trusted certificate store.

Today I have a EAP-TLS authentication in my RADIUS live log, with passed EAP-TLS authentication from a issuing CA, which is not in my trusted CA certificate list (in the example above SIGN-CA-2).

CONFIGURING EAP CHAINNING REQUIREMENTS ON CISCO ISE 2.4 PLUS

> If a certificate chain consists of a root CA certificate plus one or more intermediate CA certificates, to validate the authenticity of a user or device certificate, you must import the entire chain into the Trusted Certificates Store. This also is documented in the Admin Guide: I have a question regarding the ISE behavior in combination with EAP-TLS with a PKI with multiple hierarchy levels.Ĭlient certificates are issued by SIGN-CA-1 and SIGN-CA-2.įrom the years of deep and dark ISE administration I thought, that all CA certificates must be imported into the ISE trusted CA store and marked with "Trust for client authentication" to successfully authenticate a entity with EAP-TLS.