ISE, Certificates and Caching Users
I am trying to implement EAP-FAST with MSCHAPv2 as the inner method, so only the client connecting should have to validate the server certificate. This is succeeding and failing very randomly, it seems, and I cannot help thinking that this might be because the client/server is caching something somewhere.
So does anyone of you know if:
-the Windows machine is caching the ISE server's information anywhere?
-ISE is caching the endpoint information anywhere? I delete the EndPoints in the identity store just to make sure it's removed, but it seems as if ISE is still caching it somehow.
Current setup now: Using Cisco AnyConnect NAM v 4.2 with the NAM Profile Editor, where I specified to validate the ISE certificate, and on the Windows 7 machine itself I made sure that all certificates are deleted (except a VeriSign one, as this is required for AnyConnect to work). The weird thing is that the EAP-FAST connection still comes up? WHY? It does not make sense! It is specified that the client needs to validate the ISE certificate before the connection is allowed.
I even had it the other way around - the ISE certificate and the RootCA certificate were locally installed on the WinClient, but ISE kept saying that the client was rejecting the ISE's certificate and the connection was down - even though both the client and ISE cert thumbprints matched and all other validation methods passed. Ahh..
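An added check that is not part of the original post and not Cisco's or the poster's code: it lists what is actually present in the Windows trust stores on the Windows 7 client, then asks the Windows chain engine whether an exported copy of the ISE EAP server certificate chains to a trusted root on this machine, with the Server Authentication EKU that EAP supplicants require. The certificate path is an assumption (export the EAP certificate from ISE and adjust it); revocation checking is disabled so the result reflects only trust-store contents, which is what the post is asking about.

```powershell
# Added example, not from the original post. Requires an exported copy of the
# ISE EAP server certificate (DER or Base64 .cer). Path below is an assumption.
param(
    [string]$IseCertPath = 'C:\temp\ise-eap.cer'
)

# 1. Show exactly which certificates the client could use to build a chain.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
foreach ($store in $stores) {
    Write-Host "== $store =="
    Get-ChildItem $store | ForEach-Object {
        '{0}  {1}  (issued by {2}, expires {3:yyyy-MM-dd})' -f `
            $_.Thumbprint, $_.Subject, $_.Issuer, $_.NotAfter
    }
}

# 2. Load the ISE certificate and print its thumbprint so it can be compared
#    with what ISE itself shows under the EAP certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IseCertPath
Write-Host ('ISE cert: {0}  thumbprint {1}' -f $cert.Subject, $cert.Thumbprint)

# 3. Ask the Windows chain engine whether this certificate is trusted here.
#    Revocation is skipped on purpose; only trust-store contents are tested.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
# EAP supplicants require the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
$chain.ChainPolicy.ApplicationPolicy.Add(
    (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.1')) | Out-Null

if ($chain.Build($cert)) {
    Write-Host 'Chain builds to a trusted root on this machine:'
    $chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
} else {
    Write-Host 'Chain does NOT build on this machine; reasons:'
    $chain.ChainStatus | ForEach-Object {
        '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
    }
}
```

Run it in an elevated PowerShell prompt on the client. If the chain builds while the trust stores show no ISE root, something other than the Windows stores is satisfying validation (for example a trust setting or cached credential inside the NAM profile); if the chain fails with an UntrustedRoot or PartialChain status while the root is installed, the failing element's subject points at which certificate the client is actually rejecting.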