topic Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate in Network Access Control

12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

yongwli — Wed, 13 Jun 2018 14:27:25 GMT

Hi Experts,

Using windowns 802.1x suppliant in Cisco switch and Cisco wireless scenario. It works fine.
Using Anyconnect NAM, it can work in Wireless scenario but failed in wired scenario.
Using Anyconnect NAM with Cisco switch. User CAN NOT login. ISE log said “12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate“. no any invalide certificate waring message popped up.

ISE version is 2.3.0.298 , anyconnect version is 4.6.01098 pre-deploy package and we tried 4.5.05030. We tried in two win7 and one win10, same issue.

Any suggestion will be very appreciated!

Thanks

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Nidhi — Wed, 13 Jun 2018 15:31:40 GMT

My initial analysis would be to check the configuration file using profile editor and make sure you have the appropriate settings. Can you please attach the configuration file which I can check ? also , Please raise a TAC case to troubleshoot .

Thanks,

Nidhi

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

hslai — Thu, 14 Jun 2018 02:28:36 GMT

Adding to Nidhi... please check whether the option enabled [ V ] Validate Server Identity

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

wenzeng — Thu, 14 Jun 2018 04:29:31 GMT

Hi hslai,

I created a NAM.xml profile for anyconnect . It should put in %ProgramData%\Cisco\ Cisco AnyConnect Secure Mobility Client\NetworkAccessManager\newConfigFiles, right? And what name should it change to for AnyConnect can recognize and use it?

BR,

Alex

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Nidhi — Thu, 14 Jun 2018 04:47:53 GMT

You will have to rename it to configuration.xml and put it in c:/program data/cisco/cisco Anyconect secure mobility client/network access manager . and reinitialize the connection.

Thanks,

Nidhi

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Nidhi — Thu, 14 Jun 2018 15:32:51 GMT

Forgot to mention that Program data should be a hidden folder . So please change the settings to view the advance folder .

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

hslai — Thu, 14 Jun 2018 15:42:05 GMT

With %programdata% in the address bar of the windows explorer would also take us there.

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Richard Lu — Mon, 13 Aug 2018 21:36:44 GMT

Hello Nidihi

I am having same issue and error message.

My client configuration file on Win7 is one more sub-folder:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network
Access Manager\system\configuration.xml

Is the above path correct?

BTW, the sub-folder \newConfigFiles is empty.

Please advise which folder the client configuration file should be.

Thanks.

Richard

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Richard Lu — Mon, 13 Aug 2018 21:46:46 GMT

Hi hslai
I am having same issue and same error message. ISE 2.3.0298 with our internal MS PKI cert. Do you mind advise how did you fix it? Best regards. Richard

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

yongwli — Mon, 03 Sep 2018 15:03:59 GMT

Creating a NAM profile and disable server validation in the profile.

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Ali mosbah Abdo — Wed, 11 Dec 2019 14:46:07 GMT

i had the same problem & exactly the same massage and when i disable server validation identity check box it works immediately and work fine.
Thanks alot