Symptom

When a Symantec certificate is used for ISE validation, the client will throw an error that the Symantec root CA is not trusted. As a result, when an end user connects to ISE for the first time, they get the "Certificate is not trusted" error. This error can be a little confusing and unnerving to those that do not know why it's getting thrown.

Conditions

To reproduce this issue, simply use a Symantec CA generated certificate for EAP or HTTPS authentication on ISE. Then, try to authenticate and observe what error is thrown. Next, look at your local certificate store to see what root CAs are already there. The Symantec root CA is probably missing.

Workaround

A simple workaround is to install the Symantec root CA into each node that is authenticating against ISE.

Further Problem Description