https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4167256#M563328 <P>hello cisco community,</P><P>I have problem in eap tls and I searching the log in every device to solve the problem.</P><P>when I look to wlc, wlc generate log like this :</P><P><EM>RADIUS server 10.175.4.71:1812 failed to respond to request (ID 79) for client f8:94:c2:1a:22:a5 / user 'bbb@aaa.com'</EM></P><P>&nbsp;</P><P>and in ISE generate some log, but there is significant log that I think the problem :</P><P><EM>34151 WARN System-Management: Certificate Validation Failed, ConfigVersionId=109, AdminName=Unknown, OperationMessageText=Certificate Validation failed for host:ise.aaa.com, AcsInstance=ise.aaa.com,</EM></P><P>&nbsp;</P><P>and my question are :</P><P>1. is there any chance the eap-tls not success because certificate in ise (like log said, certificate validation is failed)??</P><P>2. I dont see any explanation about that log. would somebody care to explain what I must to do for fixing the log in ISE.</P><P>&nbsp;</P><P>Thank you very much.</P> Thu, 15 Oct 2020 06:48:28 GMT Abreey 2020-10-15T06:48:28Z https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4167256#M563328 <P>hello cisco community,</P><P>I have problem in eap tls and I searching the log in every device to solve the problem.</P><P>when I look to wlc, wlc generate log like this :</P><P><EM>RADIUS server 10.175.4.71:1812 failed to respond to request (ID 79) for client f8:94:c2:1a:22:a5 / user 'bbb@aaa.com'</EM></P><P>&nbsp;</P><P>and in ISE generate some log, but there is significant log that I think the problem :</P><P><EM>34151 WARN System-Management: Certificate Validation Failed, ConfigVersionId=109, AdminName=Unknown, OperationMessageText=Certificate Validation failed for host:ise.aaa.com, AcsInstance=ise.aaa.com,</EM></P><P>&nbsp;</P><P>and my question are :</P><P>1. is there any chance the eap-tls not success because certificate in ise (like log said, certificate validation is failed)??</P><P>2. I dont see any explanation about that log. would somebody care to explain what I must to do for fixing the log in ISE.</P><P>&nbsp;</P><P>Thank you very much.</P> Thu, 15 Oct 2020 06:48:28 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4167256#M563328 Abreey 2020-10-15T06:48:28Z https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4167415#M563337 <P>hi</P><P>what do u have in authentication details for this endpoint? can u see 12321 "failed SSL/TLS"?</P> Thu, 15 Oct 2020 11:15:23 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4167415#M563337 Andrii Oliinyk 2020-10-15T11:15:23Z https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4167455#M563339 <P>thank you andy for respon,</P><P>there is no 12321 "failed SSL/TLS" in ise log.</P><P>like picture below, only code 5440 endpoint abandoned EAP session and started new.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="eaptls-community cisco.png" style="width: 864px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86029iFCA815E192F837B8/image-size/large?v=v2&amp;px=999" role="button" title="eaptls-community cisco.png" alt="eaptls-community cisco.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="eap-tls handshake-community cisco.jpg" style="width: 453px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86030i9CBB34B039936560/image-size/large?v=v2&amp;px=999" role="button" title="eap-tls handshake-community cisco.jpg" alt="eap-tls handshake-community cisco.jpg" /></span></P><P>I did tcpdump in ISE interface and there is no step 7 to 10 (like picture below) at my pcap file.</P><P>&nbsp;</P> Thu, 15 Oct 2020 11:50:59 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4167455#M563339 Abreey 2020-10-15T11:50:59Z https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4167653#M563348 <P>How the endpoint's NIC is configured for dot1x?</P> Thu, 15 Oct 2020 15:58:13 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4167653#M563348 Aref Alsouqi 2020-10-15T15:58:13Z https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4167889#M563356 <P>Hi Aref, thank you for reply,</P><P>&nbsp;</P><P>like picture below, I configured endpoint nic using certificate's user. certificate's user deploy using GPO auto enroll and signed using ENT-CA. ENT-CA and ROOT-CA already in trusted certificates at ISE and endpoint.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="certificated-cisco community.PNG" style="width: 516px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86092iF55DB55785ECADF4/image-size/large?v=v2&amp;px=999" role="button" title="certificated-cisco community.PNG" alt="certificated-cisco community.PNG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="wifi_801x-user authentication.PNG" style="width: 436px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86090i2CDCA130CA712429/image-size/large?v=v2&amp;px=999" role="button" title="wifi_801x-user authentication.PNG" alt="wifi_801x-user authentication.PNG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="wifi_configuration-cisco community.PNG" style="width: 439px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/86091iBCEF5399F088844F/image-size/large?v=v2&amp;px=999" role="button" title="wifi_configuration-cisco community.PNG" alt="wifi_configuration-cisco community.PNG" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 16 Oct 2020 01:04:20 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4167889#M563356 Abreey 2020-10-16T01:04:20Z https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4167892#M563358 <P>If the client supplicant is not sending its certificate chain in response to the server (ISE) certificate, it is likely not trusting the ISE EAP cert and terminating the EAP connection.</P> <P>I would suggest reviewing the following documents and comparing to your environment:</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/213543-configure-eap-tls-flow-with-ise.html" target="_blank" rel="noopener">Understand and configure EAP-TLS using WLC and ISE</A>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html#anc27" target="_blank" rel="noopener">Configure EAP-TLS Authentication with ISE - Common Issues and Techniques to Troubleshoot</A>&nbsp;</P> <P>There is also a similar Community post <A href="https://community.cisco.com/t5/network-access-control/5440-endpoint-abandoned-eap-session-and-started-new/td-p/4095569" target="_blank" rel="noopener">here</A> that might provide some guidance. These certificate issues can be tricky to troubleshoot without experience, so you might need to open a TAC case to investigate further.</P> Fri, 16 Oct 2020 01:14:31 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4167892#M563358 Greg Gibbs 2020-10-16T01:14:31Z https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4170024#M563417 <P>Thank you Greg for the answer.</P><P>I will call TAC soon for investigate the wlc one. because I create lab with same ise and key chain in wired 802.1x environment it works like a charms.</P><P>&nbsp;</P><P>Thank you so much!</P> Tue, 20 Oct 2020 06:53:46 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-validation-failed-in-log/m-p/4170024#M563417 Abreey 2020-10-20T06:53:46Z