https://community.cisco.com/t5/network-access-control/cisco-ise-suddenly-started-rejecting-dot1x-eap-tls/m-p/5046693#M588277 <P>&nbsp;i would cross check again certs are correct they are in certificate store and end user also have certs</P> <P>also post complete log from ISE.</P> <P>&nbsp;</P> Thu, 21 Mar 2024 13:46:52 GMT balaji.bandi 2024-03-21T13:46:52Z https://community.cisco.com/t5/network-access-control/cisco-ise-suddenly-started-rejecting-dot1x-eap-tls/m-p/5046668#M588276 <P>I recently swapped the certificate in use for EAP, RADIUS and Admin on our ISE deployment, signed using our internal CA.&nbsp; &nbsp;This was carried out approx 36 hours ago , application was restarted on both nodes and everything has been working fine up until now.&nbsp; Then suddenly all the network clients on our LAN started failing to authenticate using Dot1X / EAP-TLS this morning.&nbsp; I don't understand, is there some kind of delay in the new certificate becoming active, why fail 36 hours later!?&nbsp; As far as I can see there is nothing wrong with the new certificates and internal CA root and sub certificates are all well in date.&nbsp;&nbsp;</P><P><SPAN>5400 Authentication failed</SPAN></P><P><SPAN>12508 EAP-TLS handshake failed</SPAN></P><P><SPAN>Has anybody hit something similar?</SPAN></P><P>&nbsp;</P> Thu, 21 Mar 2024 13:32:56 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-suddenly-started-rejecting-dot1x-eap-tls/m-p/5046668#M588276 davemiddlewick 2024-03-21T13:32:56Z https://community.cisco.com/t5/network-access-control/cisco-ise-suddenly-started-rejecting-dot1x-eap-tls/m-p/5046693#M588277 <P>&nbsp;i would cross check again certs are correct they are in certificate store and end user also have certs</P> <P>also post complete log from ISE.</P> <P>&nbsp;</P> Thu, 21 Mar 2024 13:46:52 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-suddenly-started-rejecting-dot1x-eap-tls/m-p/5046693#M588277 balaji.bandi 2024-03-21T13:46:52Z https://community.cisco.com/t5/network-access-control/cisco-ise-suddenly-started-rejecting-dot1x-eap-tls/m-p/5046751#M588278 <P>When you import a new cert on ISE and the services are restarted that cert is active and ready for use. If you are not hitting a bug the only thing comes to my mind would be related to any GPO policies that maybe have been pushed to the clients that changed the supplicant settings? or maybe you changed the security settings in ISE by removing some protocols that could be used by the clients such as TLS1.1 and SHA1? if not, I would raise this with Cisco TAC.</P> Thu, 21 Mar 2024 14:29:52 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-suddenly-started-rejecting-dot1x-eap-tls/m-p/5046751#M588278 Aref Alsouqi 2024-03-21T14:29:52Z https://community.cisco.com/t5/network-access-control/cisco-ise-suddenly-started-rejecting-dot1x-eap-tls/m-p/5046756#M588279 <P>To troubleshoot EAP-TLS handshake failed you can perform packet capture on an authenticating client (as well as from the applicable PSN). Wireshark is quite good at showing you the steps in an EAP-TLS handshake and the error message in the decode usually pinpoints the failed parameter.</P> Thu, 21 Mar 2024 14:37:37 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-suddenly-started-rejecting-dot1x-eap-tls/m-p/5046756#M588279 Marvin Rhoads 2024-03-21T14:37:37Z