<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Distributed ISE &amp; Distributed PKI = EAP-TLS issues ... Correct? in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924816#M293942</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I think the problem is more related to your clients. Have you configured all the PCs to trust at least the root CA and the CA that ISE has gotten its certificate from?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 24 Apr 2012 21:00:55 GMT</pubDate>
    <dc:creator>jan.nielsen</dc:creator>
    <dc:date>2012-04-24T21:00:55Z</dc:date>
    <item>
      <title>Distributed ISE &amp; Distributed PKI = EAP-TLS issues ... Correct?</title>
      <link>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924815#M293941</link>
      <description>&lt;P&gt;In a distributed ISE deployment with a regional intermediate CA, I am getting failed authentication due to "EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain". Client devices have only one client certificate, issued from the regional intermediate CA. When a client device goes across the region, it can't authenticate and gets this "unknown" CA error. The admin node has certificates of all intermediate CAs and the root CA.&lt;/P&gt;&lt;P&gt;One possible solution is to add intermediate CA certificates to all regional node groups, but apparently it is not possible on ISE policy nodes.&lt;/P&gt;&lt;P&gt;Have a look at the diagram below and let me know what you think (client authentication failure at both location 1 and 3).&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 01:59:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924815#M293941</guid>
      <dc:creator>shoaibkhan</dc:creator>
      <dc:date>2019-03-11T01:59:14Z</dc:date>
    </item>
    <item>
      <title>Distributed ISE &amp; Distributed PKI = EAP-TLS issues ... Correct?</title>
      <link>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924816#M293942</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I think the problem is more related to your clients. Have you configured all the PCs to trust at least the root CA and the CA that ISE has gotten its certificate from?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 24 Apr 2012 21:00:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924816#M293942</guid>
      <dc:creator>jan.nielsen</dc:creator>
      <dc:date>2012-04-24T21:00:55Z</dc:date>
    </item>
    <item>
      <title>Distributed ISE &amp; Distributed PKI = EAP-TLS issues ... Correct?</title>
      <link>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924817#M293943</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Jan for your reply. I have raised this with Cisco TAC and they have checked all ISE config and client configs. They didn't find any configuration error. Cisco TAC has no answer to this problem yet!&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 29 Apr 2012 22:25:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924817#M293943</guid>
      <dc:creator>shoaibkhan</dc:creator>
      <dc:date>2012-04-29T22:25:31Z</dc:date>
    </item>
    <item>
      <title>Distributed ISE &amp; Distributed PKI = EAP-TLS issues ... Correct?</title>
      <link>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924818#M293944</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Have you installed ALL intermediate CA certs on all your PSNs in every region?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 01 May 2012 10:01:07 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924818#M293944</guid>
      <dc:creator>jan.nielsen</dc:creator>
      <dc:date>2012-05-01T10:01:07Z</dc:date>
    </item>
    <item>
      <title>Distributed ISE &amp; Distributed PKI = EAP-TLS issues ... Correct?</title>
      <link>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924819#M293945</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Jan for the reply. And the short answer is yes ...&lt;/P&gt;&lt;P&gt;We have identified the issue and it has been resolved now. It was down to corruption of one of the certs on the primary admin.&lt;/P&gt;&lt;P&gt;It was only identified after going to the debug logs in prrt. Verification was done by exporting that particular cert and analyzing it. Don't know how it got corrupted, but it did.&lt;/P&gt;&lt;P&gt;In the CA cert section on the primary admin node, it was displaying correct values like issue date etc., but when it was exported for analysis, I couldn't open it.&lt;/P&gt;&lt;P&gt;So the moral of the story is that someone thought that they needed to put a status field against every cert on ISE and it wasn't decided how to check its status - no offence.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 01 May 2012 10:17:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924819#M293945</guid>
      <dc:creator>shoaibkhan</dc:creator>
      <dc:date>2012-05-01T10:17:39Z</dc:date>
    </item>
    <item>
      <title>Distributed ISE &amp; Distributed PKI = EAP-TLS issues ... Correct?</title>
      <link>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924820#M293946</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi ... I think I have the same problem. Could you explain what exactly the problem is comparing the certificates? How was it fixed - didn't get that part &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 26 Jun 2012 08:22:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924820#M293946</guid>
      <dc:creator>guardian-de</dc:creator>
      <dc:date>2012-06-26T08:22:27Z</dc:date>
    </item>
    <item>
      <title>Distributed ISE &amp; Distributed PKI = EAP-TLS issues ... Correct?</title>
      <link>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924821#M293947</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi, just wanting to clarify here that you are essentially utilising multiple issuing CAs on the one ISE deployment? If this is the case, how is it configured, in that I cannot seem to have multiple certs being trusted for EAP?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 15 Oct 2012 22:28:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924821#M293947</guid>
      <dc:creator>Stephen McBride</dc:creator>
      <dc:date>2012-10-15T22:28:04Z</dc:date>
    </item>
    <item>
      <title>Distributed ISE &amp; Distributed PKI = EAP-TLS issues ... Correct?</title>
      <link>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924822#M293948</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Stephen,&lt;/P&gt;&lt;P&gt;You can have as many sub-CA or root CA certificates in ISE as you like, and use them to validate and CRL-check users' certs with. However, the cert that ISE presents to the clients during any kind of EAP negotiation can only be one specific cert, which means for EAP-TLS &amp;amp; PEAP, you will need to have that specific root/sub-CA cert installed on all your clients, and trust it in your supplicant settings.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 20 Nov 2012 21:10:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/distributed-ise-distributed-pki-eap-tls-issues-correct/m-p/1924822#M293948</guid>
      <dc:creator>jan.nielsen</dc:creator>
      <dc:date>2012-11-20T21:10:42Z</dc:date>
    </item>
  </channel>
</rss>

