This document describes how to understand and troubleshoot Extensible Authentication Protocol (EAP) sessions. It covers:

- Behavior of Authentication, Authorization, and Accounting (AAA) servers when they return the Server Certificate for the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) session.
- Behavior of supplicants when they return the Client Certificate for the EAP-TLS session.
- Interoperability when both the Microsoft Windows Native Supplicant and the Cisco AnyConnect Network Access Manager (NAM) are used.
- Fragmentation in IP, RADIUS, and EAP-TLS and the re-assembly process performed by network access devices.
- The RADIUS Framed-Maximum Transmission Unit (MTU) attribute.
- AAA servers' behavior when they perform fragmentation of EAP-TLS packets.

Cisco recommends that you have knowledge of these topics:

- Configuration of the Cisco Identity Services Engine (ISE).
- CLI configuration of Cisco Catalyst switches.

It is necessary to have a good understanding of EAP and EAP-TLS in order to understand this article.

The AAA server (Access Control Server (ACS) and ISE) always returns the full chain for the EAP-TLS packet with the Server Hello and the Server Certificate: The ISE identity certificate (Common Name (CN)=) is returned along with the Certificate Authority (CA) that signed the CN=win2012,dc=example,dc=com. The behavior is the same for both ACS and ISE.

Certificate Chain Returned by the Supplicant

Microsoft Windows 7 Native supplicant configured in order to use EAP-TLS, with or without the "Simple certificate selection", does not send the full chain of the client certificate. This behavior occurs even when the client certificate is signed by a different CA (different chain) than the server certificate.
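To check in a capture whether a peer sent a full chain or only its own certificate, the EAP-TLS fragments have to be reassembled and the entries of the TLS Certificate message counted. The following Python sketch is an added example, not code from the original article or from Cisco; the function names are hypothetical, the sample packets are constructed with dummy certificate bytes, and it assumes TLS 1.0 to 1.2, where the Certificate message is sent in cleartext.

```python
import struct
EAP_TLS, FLAG_L, FLAG_M = 13, 0x80, 0x40   # RFC 5216: EAP type, Length/More flags
HANDSHAKE, CERTIFICATE = 22, 11            # TLS record type, handshake message type

def build_fragments(cert_sizes, frag_size):
    """Constructed sample: one Certificate message split into EAP-TLS fragments."""
    certs = b"".join(n.to_bytes(3, "big") + b"\x30" * n for n in cert_sizes)
    msg = (bytes([CERTIFICATE]) + (len(certs) + 3).to_bytes(3, "big")
           + len(certs).to_bytes(3, "big") + certs)      # dummy bytes, not real DER
    tls = struct.pack("!BHH", HANDSHAKE, 0x0301, len(msg)) + msg
    chunks = [tls[i:i + frag_size] for i in range(0, len(tls), frag_size)]
    return [struct.pack("!BBHBBI", 1, n, 10 + len(c), EAP_TLS,
                        FLAG_L | (FLAG_M if n < len(chunks) - 1 else 0), len(tls)) + c
            for n, c in enumerate(chunks)]

def reassemble(pkts):
    """Join the TLS data of consecutive EAP-TLS fragments and check its length."""
    data, expected = b"", None
    for pkt in pkts:
        _code, _id, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
        if eap_type != EAP_TLS or length != len(pkt):
            raise ValueError("malformed EAP-TLS packet")
        if flags & FLAG_L:                 # 4-byte TLS Message Length precedes data
            expected = struct.unpack("!I", pkt[6:10])[0]
        data += pkt[10:] if flags & FLAG_L else pkt[6:]
    if expected is not None and expected != len(data):
        raise ValueError("fragment missing: TLS Message Length mismatch")
    return data

def certificate_sizes(tls):
    """Size of each entry in the first Certificate message, leaf certificate first."""
    hs, i = b"", 0
    while i + 5 <= len(tls):               # strip the TLS record headers
        rtype, _ver, rlen = struct.unpack("!BHH", tls[i:i + 5])
        hs += tls[i + 5:i + 5 + rlen] if rtype == HANDSHAKE else b""
        i += 5 + rlen
    i = 0
    while i + 4 <= len(hs):                # walk the handshake messages
        mtype, end = hs[i], i + 4 + int.from_bytes(hs[i + 1:i + 4], "big")
        if mtype == CERTIFICATE:
            sizes, j = [], i + 7           # skip message header and 3-byte list length
            while j + 3 <= min(end, len(hs)):
                sizes.append(int.from_bytes(hs[j:j + 3], "big"))
                j += 3 + sizes[-1]
            if j != end or end > len(hs):
                raise ValueError("truncated or malformed Certificate message")
            return sizes
        i = end
    return []
```

A single entry in the result matches the leaf-only behavior described for the Windows 7 native supplicant; more than one entry means CA certificates were sent along with it, as the AAA server does.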