https://community.cisco.com/t5/network-access-control/ise-peap/m-p/2048326#M229625 <HTML><HEAD></HEAD><BODY><P>Thanks,</P><P>I will most likey go with 3rd party cert, go daddy is supported by IOS (given the link you provided).</P><P>I will only need one cert for the primary fqdn node right?</P></BODY></HTML> Thu, 23 Aug 2012 19:51:13 GMT edondurguti 2012-08-23T19:51:13Z https://community.cisco.com/t5/network-access-control/ise-peap/m-p/2048322#M229276 <P>Hi</P><P>I'm rolling out! <SPAN __jive_emoticon_name="silly" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/silly.gif"></SPAN></P><P>I have seen couple of people with win7 cannot authenticate to ISE:</P><P><STRONG style="color: #ff0000; ">12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate</STRONG></P><P></P><P>I've thought of this: Maybe get a 3rd party cert (go daddy) and have that installed in ISE.</P><P>I know i do have to make a CSR Cert.Sign.Request that matches cn=primary.ise.mydomain, would I also need a cert for secondary?</P><P></P><P>OR:</P><P></P><P>If I use LEAP as a preferred protocol then it doesn't ask for cert and users are authenticated successfully.</P><P>I know they have to say do not validate cert and all that but sometimes it doesn't popupt to them they just can't get on.</P><P></P><P>Again maybe going wtih 3rd party certs will make it easier while benefiting from using PEAP?</P><P><BR />Thanks.</P> Mon, 11 Mar 2019 02:27:13 GMT https://community.cisco.com/t5/network-access-control/ise-peap/m-p/2048322#M229276 edondurguti 2019-03-11T02:27:13Z https://community.cisco.com/t5/network-access-control/ise-peap/m-p/2048323#M229298 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If the clients are your domain users, i would suggest using autoenrollment or a GPO to push out your internal root CA if you have a PKI environment.</P><P></P><P>If you dont have one it is pretty simple and forward to setup. There are plenty of technet documentation that will walk you through it.</P><P></P><P>thanks,</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Thu, 23 Aug 2012 05:05:39 GMT https://community.cisco.com/t5/network-access-control/ise-peap/m-p/2048323#M229298 Tarik Admani 2012-08-23T05:05:39Z https://community.cisco.com/t5/network-access-control/ise-peap/m-p/2048324#M229362 <HTML><HEAD></HEAD><BODY><P>I dont have one and the situation is where i cant get one. Would Leap be a problem. Would 3rd party certs solve the problem. Cuz my company doesnt want a ca server and i will not try to convince them lol</P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Thu, 23 Aug 2012 05:15:18 GMT https://community.cisco.com/t5/network-access-control/ise-peap/m-p/2048324#M229362 edondurguti 2012-08-23T05:15:18Z https://community.cisco.com/t5/network-access-control/ise-peap/m-p/2048325#M229507 <HTML><HEAD></HEAD><BODY><P>Leap will not support machine authentication if you decide to go that route. It would be best to use a 3rd party cert, if you plan on using BYOD then use the IOS release notes from apple to see which root CA comes pre installed:</P><P></P><P><A class="jive-link-external-small" href="http://support.apple.com/kb/HT5012">http://support.apple.com/kb/HT5012</A></P><P></P><P>Thanks,</P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Thu, 23 Aug 2012 17:58:21 GMT https://community.cisco.com/t5/network-access-control/ise-peap/m-p/2048325#M229507 Tarik Admani 2012-08-23T17:58:21Z https://community.cisco.com/t5/network-access-control/ise-peap/m-p/2048326#M229625 <HTML><HEAD></HEAD><BODY><P>Thanks,</P><P>I will most likey go with 3rd party cert, go daddy is supported by IOS (given the link you provided).</P><P>I will only need one cert for the primary fqdn node right?</P></BODY></HTML> Thu, 23 Aug 2012 19:51:13 GMT https://community.cisco.com/t5/network-access-control/ise-peap/m-p/2048326#M229625 edondurguti 2012-08-23T19:51:13Z https://community.cisco.com/t5/network-access-control/ise-peap/m-p/2048327#M229734 <HTML><HEAD></HEAD><BODY><P>There is a bug in ISE that doesnt allow you to use the same certificate for the eap interface (since you can designate which cert you want for either https or eap). You should be able to present the same cert for eap purposes across your radius servers. In the end you will need a cert for each of your policy service nodes.</P><P></P><P>Tried to find the bug (but the toolkit isnt working for me).</P><P></P><P>Thanks,</P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Thu, 23 Aug 2012 21:41:14 GMT https://community.cisco.com/t5/network-access-control/ise-peap/m-p/2048327#M229734 Tarik Admani 2012-08-23T21:41:14Z