topic wireless Authentication problem in ISE version 2.0.0.306 in Network Security

wireless Authentication problem in ISE version 2.0.0.306

mostafashoaei — Mon, 06 Mar 2017 09:27:53 GMT

Hi guys,

I had a Cisco ISE 2.0.0.306,

I config authentication on wired and wireless, wired authentication works exactly, however wireless authentication gave following problem:

Failure Reason: 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

Resolution: Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.

Root cause: PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

I have been attached screen shot of error, please attention to it.

note: I have run a new version of Cisco ISE(2.2.0.470) and works exactly.

both of ISE have same configuration.

I have changed the certificates of ISE but it doesn't work still.

Can you tel me, whether this is a bug in this version?

please help me,

Thanks a lot

Re: wireless Authentication problem in ISE version 2.0.0.306

thomas — Mon, 06 Mar 2017 17:51:33 GMT

99% of the time this is because the endpoint does not trust the certificate provided by ISE. This is because you are

1) using a self-signed certificate or

2) the endpoint does not trust one of the signers in the certificate chain

Either you are not using a public CA to sign the ISE certificate or the wireless endpoint does not have your enterprise CA certificate installed in its trust store.

I recommend asking questions about ISE in the Identity Services Engine (ISE) group unless you are asking about APIs which is more appropriate for DevNet.

Re: wireless Authentication problem in ISE version 2.0.0.306

mostafashoaei — Tue, 07 Mar 2017 05:40:13 GMT

Hi dear Thomas

I've checked certificate, Certificate of ISE signed by my domain.

I've imported root CA of domain on the client as trusted certificate.

note: I have another ISE(2.2) with same config, it works fine without any problem, but I have issue in this version.

I asked this question on Identity services engine (ISE) now. https://communities.cisco.com/message/248335#248335

thanks a lot for your answer.