EAP-TLS handshake fail - peer did not return a certificate

drr — Mon, 17 Mar 2025 09:08:19 GMT

Hi team,

We've run into a strange problem we've never encountered before.

We have deployed machine certificates from a Microsoft CA which we use for 802.1X auth.
ISE system certificate for EAP auth is self-signed, and deployed as trusted on the client.
The clients issuer certificated is installed as trusted in ISE.

When testing out the authentication on the Windows client we get the following errors:

Event	5400 Authentication failed
Failure Reason	12508 EAP-TLS handshake failed
Resolution	Check whether the proper server certificate is installed and configured for EAP in the System Certificates page ( Administration > System > Certificates > System Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Similarly, verify that the certificate authority that signed the client's certificate is correctly installed in the Trusted Certificates page (Administration > System > Certificates > Trusted Certificates). Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the authentication failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Root cause	EAP-TLS handshake failed.

OpenSSLErrorMessage

SSL alert: code=0x228=552 ; source=local ; type=fatal ; message="handshake failure.ssl/statem/statem_srvr.c:3787 error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate [error=337100999 lib=20 func=380 reason=199]"

OpenSSLErrorStack

140691845297920:error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate:ssl/statem/statem_srvr.c:3787:

Re: EAP-TLS handshake fail - peer did not return a certificate

PSM — Mon, 17 Mar 2025 12:42:05 GMT

@drr check if client is having valid machine certificate. If certificate is there ensure supplicant is configured to use correct certificate.

Re: EAP-TLS handshake fail - peer did not return a certificate

drr — Mon, 17 Mar 2025 13:50:53 GMT

Hi and thanks for the help.

We found the issue and it was related to the certificate having weak hashing algorithm (SHA1). It wasn't easy to find since the logging didn't tell anything about it, but eventually we fixed it.

topic Re: EAP-TLS handshake fail - peer did not return a certificate in Network Access Control

EAP-TLS handshake fail - peer did not return a certificate

Re: EAP-TLS handshake fail - peer did not return a certificate

Re: EAP-TLS handshake fail - peer did not return a certificate