https://community.cisco.com/t5/network-access-control/12520-eap-tls-failed-ssl-tls-handshake-in-ise-2-1/m-p/3221227#M554351 <P>Looks like the ISE Certificate for EAP-TLS was not signed by your internal PKI and that's why it is rejected by the enduser device. You should have something like this on ISE primary PAN and PSN's.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CERT.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/3805i7BE327AA596F6288/image-size/large?v=v2&amp;px=999" role="button" title="CERT.png" alt="CERT.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 22 Nov 2017 19:56:54 GMT ajc 2017-11-22T19:56:54Z https://community.cisco.com/t5/network-access-control/12520-eap-tls-failed-ssl-tls-handshake-in-ise-2-1/m-p/3221108#M554345 <P>We are running ISE 2.1 patch 2 in a 4 node deployment, 2 PANs, 2 PSNs.</P> <P>&nbsp;</P> <P>We are trying to get EAP-TLS setup to authenticate our Windows wireless clients to our new wireless network,</P> <P>&nbsp;</P> <P>The ISE servers have our internal root CA and intermediate CA certs installed and trusted and user/machine certs are present on the client.</P> <P>&nbsp;</P> <P>When I client tries to connect to our test SSID, it fails, and I see this error in the Radius live log.</P> <P>&nbsp;</P> <P><SPAN>12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>We have tried unchecking "validate server cert" on the client's wifi profile, but we get the same result.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Any ideas?? I have seen other posts here about similar problems but with different versions of ISE.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks in advance.</SPAN></P> <P>&nbsp;</P> <P><SPAN>John</SPAN></P> Fri, 21 Feb 2020 18:39:58 GMT https://community.cisco.com/t5/network-access-control/12520-eap-tls-failed-ssl-tls-handshake-in-ise-2-1/m-p/3221108#M554345 N3t W0rK3r 2020-02-21T18:39:58Z https://community.cisco.com/t5/network-access-control/12520-eap-tls-failed-ssl-tls-handshake-in-ise-2-1/m-p/3221227#M554351 <P>Looks like the ISE Certificate for EAP-TLS was not signed by your internal PKI and that's why it is rejected by the enduser device. You should have something like this on ISE primary PAN and PSN's.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CERT.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/3805i7BE327AA596F6288/image-size/large?v=v2&amp;px=999" role="button" title="CERT.png" alt="CERT.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 22 Nov 2017 19:56:54 GMT https://community.cisco.com/t5/network-access-control/12520-eap-tls-failed-ssl-tls-handshake-in-ise-2-1/m-p/3221227#M554351 ajc 2017-11-22T19:56:54Z https://community.cisco.com/t5/network-access-control/12520-eap-tls-failed-ssl-tls-handshake-in-ise-2-1/m-p/3221229#M554355 <P>BTW, EAP-TLS is a 2 WAY CERTIFICATE VALIDATION, so you cannot disable on the enduser device profile the "VALIDATE SERVER CERTIFICATE".</P> Wed, 22 Nov 2017 19:59:02 GMT https://community.cisco.com/t5/network-access-control/12520-eap-tls-failed-ssl-tls-handshake-in-ise-2-1/m-p/3221229#M554355 ajc 2017-11-22T19:59:02Z