topic I know that this thread is in Network Access Control

12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

bmwstoof1 — Mon, 11 Mar 2019 05:10:36 GMT

Hi guys,

I have root CA and intermediate CA in ISE local certificate store trusted for client authentication.

I have imported both root ca and client certificate in the device I want to authenticate, but ISE keeps spitting out this error :

12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

So the client is not liking

nspasov — Thu, 13 Nov 2014 16:10:25 GMT

So the client is not liking something about the certificate/certificate setup. Can you tell us:

1. What version and patch of ISE you are running

2. What type of authentication you are trying to do (PEAP, EAP-TLS, etc)

Thank you for rating helpful posts!

Refer the link for

mohanak — Thu, 13 Nov 2014 17:10:37 GMT

Refer the link for troubleshooting in page no 22 the issue is mentioned, check it: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_81_troubleshooting_failed_authc.pdf

Hi Neno, I am running V1.2.0

bmwstoof1 — Tue, 18 Nov 2014 08:35:02 GMT

Hi Neno,

I am running V1.2.0.899

any advice ? thanks in advance

I checked it, but what is

bmwstoof1 — Tue, 18 Nov 2014 08:36:54 GMT

I checked it, but what is described as solution has already been done in my case the issue is still there.

Can you post screenshots of

nspasov — Tue, 18 Nov 2014 17:10:12 GMT

Can you post screenshots of of the supplicants configuration screens?

I know that this thread is

nspasov — Sat, 20 Feb 2016 05:00:19 GMT

I know that this thread is old but were you able to resolve this issue?

I was getting today the same

ajc — Wed, 24 Aug 2016 19:28:35 GMT

I was getting today the same ISE authentication error when connecting Blackberry devices into the WiFi using EAP-TLS for which I have an Entrust signed cert installed on ISE running both services PEAP + EAP-TLS.

After multiple troubleshooting we found the following:

-The Entrust L1K intermediate cert (part of the ISE Cert chain) is not included into the BB, IPAD, Android, Win, etc CA Trusted list that comes by default with their respective OS.

-The Entrust Root CA G2 that comes with the Blackberry OS looks like it was corrupted.

Solution

Using BB BES 12 we created a profile and pushed the Entrust L1K Cert into the BB Device Internal CA Trusted List (added it) and overwrote the Entrust G2 as well.

When I initially added the L1K and tested it, I was still getting the error message on ISE so I found the following link that gave me the idea to overwrite the default Entrust Root CA G2.

http://support.blackberry.com/kb/articleDetail?ArticleNumber=000036357