topic Re: ISE Problem: EAP-TLS failed SSL/TLS handshake because of an in Network Access Control

ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

jrodriguez — Mon, 11 Mar 2019 03:27:55 GMT

Hello, I´m stucked with this problem for 3 weeks now.

I´m not able to configure the EAP-TLS autentication.
In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
The ISE´s certificate has been issued with the "server Authentication certificate" template.
The clients have installed the certificates also the certificate chain.
When I try to authenticate the wireless clients I allways get the same error: " Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
and "OpenSSLErrorMessage=SSL alert
code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack= 1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
I don´t know what else can I do.

Thank you
Jorge

ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unkn

Richard Atkin — Tue, 28 May 2013 21:16:09 GMT

What CA are you using and how many intermediate certs are in the chain?

ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unkn

vinupeter_19 — Wed, 29 May 2013 05:37:48 GMT

Hi Rik,

the Below are the certificate details

ISE Certificate Signed by XX-CA-PROC-06

User PKI Signed by XX-CA-OTHER-08

In ISE certificate Store i have the below certificates

XX-CA-OTHER-08 signed by XX-CA-ROOT-04

XX-CA-PROC-06 signed by XX-CA-ROOT-04

XX-CA-ROOT-04 signed by XX-CA-ROOT-04

ISE certificate signed by XX-CA-PROC-06

I have enabled - 'Trust for client authentication' on all three certificates

this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'

when i check the certificates of current user in the Client PC this is how it shows.

XX-CA-ROOT-04 is listed in Trusted root Certification Authority

and XX-CA-PROC-06 and XX-CA-OTHER-08 are in Intermediate Certificate Authorities

ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unkn

Richard Atkin — Wed, 29 May 2013 06:33:40 GMT

I'm not sure about ISE, but other Cisco WLAN products have a limitation whereby they only support one intermediate cert, could be something like that? Do you have access to an alternative PKI that has a shorter chain that you can use for testing?

Re: ISE Problem: EAP-TLS failed SSL/TLS handshake because of an

jrodriguez — Wed, 29 May 2013 07:12:40 GMT

Thank for your answer RikJonAtk,

As you have guessed, my certificate chain has a Root, then a Policy, then a Issuing and at last the certificate. I´ve tested with a 2 level PKI (root and Issuing) and the result was similar.

The same certificate with the same 3 tier structure works in a ACS server for a Laptop but not for an iPad.

------------------------- Edit-----

Ok, no problem with the ipad neither. It needs ro reset the network settings. So there is no problem to authenticate clients with ACS and a 3 tier PKI structure but the same certificates doesn´t works in ISE.

Re: ISE Problem: EAP-TLS failed SSL/TLS handshake because of an

jrodriguez — Mon, 10 Jun 2013 07:53:02 GMT

Ok, I´ve open a TAC because a possible bug in 1.1.4 version.

One of the symtoms is this: When I try to export a certificate from the "local Certificates" the service application ISE is reloaded (you could see form the console).

This bug should not affect in the primary problem, the EAP-TLS authentication, maybe the 3 tier certificate chain is the problem.

ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unkn

Brian McPhillips — Wed, 21 Aug 2013 14:24:34 GMT

hi Jorge,

Did you get anything back from Cisco on this? I have ran into a similiar issue. it would be interesting to know if this is a bug or misconifg on my side!

Thanks

Brian

Re: ISE Problem: EAP-TLS failed SSL/TLS handshake because of an

Tarik Admani — Thu, 22 Aug 2013 06:36:02 GMT

I ran into an issue today where my client machines had multiple certificates with the same CN, even through we lined up the certs that were installed on the client by validate serial numbers. We ran a packet capture for the radius transaction and found that the client was sending a different intermediate and root then what was used in the chain for the client cert.....really strange and odd but this in our case wasnt an ise issue.

Make sure you can go through the certificate settings on the client and validate that there arent any duplicate certs with the same CN that are present in the client's chain.

Sent from Cisco Technical Support iPad App

Re: ISE Problem: EAP-TLS failed SSL/TLS handshake because of an

jrodriguez — Wed, 02 Oct 2013 07:42:32 GMT

Sorry for the delay in the answer.

It took 2 months to Cisco TAC to solve the problem. At the end there were a bug with the version 1.1.4. When I tried to export the certificate The GUI restarts it self.

But the real problem was the conversion of the certificate form .pfx to .pem . It seems that the version of the OpenSSL wasn´t works properly. The good one (for me) is the version 0.9.8k.

It was a wierd problem because the same certificate that works with an ACS server wasn´t works with the ISE.

Hope this helps.

I know this is an old thread

nspasov — Thu, 28 Jan 2016 00:14:12 GMT

I know this is an old thread but do you happen to have the BUG ID? I have a client that just contacted me that is running ISE 1.1.4 and is having exactly the same issue.

Hi Neno,

Jatin Katyal — Thu, 28 Jan 2016 00:23:44 GMT

Hi Neno,

Are you talking about this defect:

CSCud00831 eap-tls authentications start failing after a while decrypt error

~ Jatin

No, the customer of mine that

nspasov — Thu, 28 Jan 2016 02:48:36 GMT

No, the customer of mine that I was helping is getting the exact same error that is in this thread:

EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

The strange part is that they are only getting this error when trying to authenticate clients with certificates from their new Certificate Authority. Clients that have certificates from the old certificates authority are working fine.

Here are the details:

ISE:

Version - 1.1.3 - Patch 8

EAP Certificate - Issued from the old Certificate Authority (CA-1)

Certificate Store - Has the Root Certificates from both the old certificate authority (CA-1) and from the new one (CA-2). Both of them are set to be trusted for client authentications.

Clients:

Version - Windows 7 - SP1

EAP Certificate - Issued from the new Certificate Authority (CA-2)

Certificate Store - Has both root certificates from the old (CA-1) and new (CA-1) certificate authorities.

The supplicant is set to trust both CAs

While doing a bug scrub I ran across this one that I think my customer might be facing:

https://tools.cisco.com/bugsearch/bug/CSCtq31131

I'd suggest to test windows

Jatin Katyal — Sun, 31 Jan 2016 17:46:40 GMT

I'd suggest to test windows client with:

1.] set supplicant to trust new CA only.

2.] Supplicant cert store should have client cert issues by a new CA only.

~ Jatin

I was doing a few tests today

ajc — Tue, 02 Aug 2016 22:27:22 GMT

I was doing a few tests today and I got the same error on ISE running 1.4.0.253 patch 6. The workaround suggested on the BUG = CSCtq31131 did not work.

During my tests I basically removed the CA certs from the Trusted Certificates List, and imported them back into ISE and after that, the EAP-TLS AUTHC did not work even though on each certificate I checked the box located at:

Trusted Certificates List --- > CA Certificate --- > USAGE --- > Trusted For: --- > Trust for authentication within ISE

AND save the changes. Once I did this for each Trusted cert (Root & Intermediate), I stopped and restarted the ISE Services with no luck.

Then I decided to start playing with the Certs individually and checked first the box: "TRUST for client authentication and Syslog" (sublevel of the path indicated above) for the Intermediate CA Cert of the chain (ISE Trusted Certificate list). Saved the changes and it did not work (I did not initialize the ISE Services).

Finally I repeated the same steps for the Root CA Cert of the chain, checked the sublevel box as mentioned in the previous paragraph and the EAP-TLS worked fine.

I will ask Cisco TAC and BU what is the difference between the "AUTHENTICATION WITHIN ISE" and the "FOR CLIENT AUTHENTICATION AND SYSLOG" boxes for EAP Authentication.

Re: I was doing a few tests today

o.adames — Thu, 25 Oct 2018 14:50:19 GMT

I had the same issue and resolved by editing the root certificate of the CA and choosing all options including client and syslog as mentioned by Camacho in the previous post.

Thanks, OA

Re: I was doing a few tests today

aravikumar — Wed, 07 Aug 2019 17:29:54 GMT

Hello,

Thanks for your response. we have a mdm onboarded iphone which is configured for EAP-TLS. we are getting this error even though the options you mentioned are enabled for CA.

we are getting this error "EAP-TLS failed SSL/TLS handshake after a client alert"

Thanks,

Aravind.