topic What supplicant are you using in Network Access Control

ISE

Sudhir Yadav — Mon, 11 Mar 2019 07:20:11 GMT

Hi,

I have deployed ISE version 2.0.0.306 nodelist.version.label.patch in which we are receiving one error related to one node as :

12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

So please suggest what is the way out for it.

Sudhir

What supplicant are you using

Rahul Govindan — Fri, 06 Jan 2017 12:49:23 GMT

What supplicant are you using for your PEAP session? Windows Native or Anyconnect? You would have ti uncheck validate server certificate option on both if the ISE is presenting a self-signed cert or a certificate not trusted by the client. If only one client is receiving this message and everyone else works ok, I would check the client certificate store to see if the CA cert of CA issuing the ISE cert is present in the "Trusted Root Certificate Authority" Store.

Rahul first of all Thanks for

Sudhir Yadav — Tue, 10 Jan 2017 06:03:18 GMT

Rahul first of all Thanks for your comments..

we are using windows native as we have around 350 windows machines but 3-4 machines are giving this kind of error so let me check the certificates of those nodes.

But one confusion how will i come to know that ISE cert is present or not.

Sudhir If you are using IE

Ravi Singh — Tue, 10 Jan 2017 08:06:23 GMT

Sudhir If you are using IE then go to Internet Option->Content->Certificates->Trusted Root Certificate Authority and look for Certificate issued by ISE.

You can look for user

Rahul Govindan — Tue, 10 Jan 2017 13:03:46 GMT

You can look for user certificates as Ravi mentioned above. I would also look at the following for local machine certificate store:

1) Open Run and type "mmc". This will open Microsoft Management Console.

2) File > Add remove Snap-in.

3) Choose certificates > Choose local computer account.

4) Check for ISE EAP cert under trusted root Authorities of computer account.