topic Re: Cisco ISE authentication failed because client reject certificat in Network Access Control

Cisco ISE authentication failed because client reject certificate

ratnapurnama — Mon, 11 Mar 2019 02:56:06 GMT

Hi Experts,

I am a newbie in ISE and having problem in my first step in authentication. Please help.

I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :

Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.

Regards,

Ratna

Cisco ISE authentication failed because client reject certificat

Tarik Admani — Thu, 03 Jan 2013 06:47:37 GMT

Hi,

The error you are seeing in ISE is pointing to your client, if you have the eap settings set to "validate server certificate" then you must manually set it to trust the rootCA that signed the ISE certificate, or you can disable this option for testing. You can try to remove this wireless network profile, and recreate it and see if the pop up appears which asks you to validate the server's identity.

Thanks,

Tarik Admani
*Please rate helpful posts*

Cisco ISE authentication failed because client reject certificat

ratnapurnama — Thu, 03 Jan 2013 08:32:15 GMT

It works! Thanks a lot Tarik

Re: Cisco ISE authentication failed because client reject certif

Jaaazman777 — Tue, 26 Mar 2013 08:51:27 GMT

Hello!

We have the same problen in out BYOD deployment.

Is there any way to tell client to accept the root certificate without manual configuration of the wifi-profile?

The concept of BYOD suppose that you bring of your device without any preconfigured wifi-profiles and installed certificates.

Cisco ISE authentication failed because client reject certificat

bhthapa — Wed, 10 Apr 2013 17:51:01 GMT

This issue occurs with authentication protocols that require certificate validation.

Possible Authentications report failure reasons:

1.Authentication failed: 11514 Unexpectedly received empty TLS message;

treating as a rejection by the client”

2.Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because

the client rejected the Cisco ISE local-certificate”

The supplicant or client machine is not accepting the certificate from Cisco ISE. The client machine is configured to validate the server certificate, but is not. Need to configured to trust between the Cisco ISE certificate.

The client machine must accept the Cisco ISE certificate to enable authentication.

As per your confirmation, I am going to close the case for this specific inquiry. We strive to provide you with excellent service. Please feel free to reach out to me or any member of the SAC team if we can be of any further assistance or if you have any other related questions in the future. We value your input and look forward to serving you moving forward.

Possible Causes for this

Naveen Kumar — Fri, 11 Apr 2014 04:58:27 GMT

Possible Causes for this issue

The supplicant or client machine is not accepting the certificate from Cisco ISE.

The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.

Certificate-Based User

Venkatesh Attuluri — Mon, 02 Jun 2014 09:24:07 GMT

Certificate-Based User Authentication via Supplicant Failing
Symptoms or
Issue
User authentication is failing on the client machine, and the user is receiving a
“RADIUS Access-Reject” form of message.
Conditions (This issue occurs with authentication protocols that require certificate validation.)
Possible Authentications report failure reasons:
• “Authentication failed: 11514 Unexpectedly received empty TLS message;
treating as a rejection by the client”
• “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
the client rejected the Cisco ISE local-certificate”
Click the magnifying glass icon from Authentications to display the following output
in the Authentication Report:
• 12305 Prepared EAP-Request with another PEAP challenge
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is reusing an existing session
• 12304 Extracted EAP-Response containing PEAP challenge-response
• 11514 Unexpectedly received empty TLS message; treating as a rejection by the
client
• 12512 Treat the unexpected TLS acknowledge message as a rejection from the
client
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is re-using an existing session
• 12104 Extracted EAP-Response containing EAP-FAST challenge-response
• 12815 Extracted TLS Alert message
• 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
Cisco ISE local-certificate
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
Note This is an indication that the client does not have or does not trust the Cisco
ISE certificates.
Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
The client machine is configured to validate the server certificate, but is not
configured to trust the Cisco ISE certificate.
Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

Found similar problem and

vitorio.urashima — Fri, 29 Jul 2016 20:18:22 GMT

Found similar problem and after checking all suggestions here without success, I recreated the ISE certificate (LAB environment) and everything started to work as expected...

Re: Cisco ISE authentication failed because client reject certificat

coreycomputer — Thu, 01 Nov 2018 20:06:24 GMT

hey may i ask how you do that. I am digging into ISE and trying to do some deployments for my company.

Re: Cisco ISE authentication failed because client reject certificate

coreycomputer — Sat, 03 Nov 2018 19:53:31 GMT

actually the issue was i was using EAP-Fast and you got to use the NAM agent with anyconnect for it to work. Also you have to put the ISE certificate in the registry of pc for it to be trusted and work.