<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ISE Internal CA issued EAP-TLS auth fails after renewing EAP Auth in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5198845#M1116056</link>
    <description>&lt;P&gt;The clients need to trust the certificate issuer of the certificate that ISE presents for EAP authentication. By default the endpoints would trust any of the large certificate providers; however, the issue in your case could be caused by the supplicant profile configuration that was pushed to the endpoints. For instance, if the profile pushed via GPO has the Entrust certificate selected from the Trusted Root Certification Authorities to be trusted, then you would need to adjust that profile by selecting the DigiCert certificate.&lt;/P&gt;</description>
    <pubDate>Wed, 25 Sep 2024 13:55:43 GMT</pubDate>
    <dc:creator>Aref Alsouqi</dc:creator>
    <dc:date>2024-09-25T13:55:43Z</dc:date>
    <item>
      <title>ISE Internal CA issued EAP-TLS auth fails after renewing EAP Auth cert</title>
      <link>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5198443#M1116032</link>
      <description>&lt;P&gt;Recently we renewed the public CA certificate from Entrust to DigiCert for the ISE system EAP Authentication, and since then, devices have been failing to authenticate via EAP-TLS. These devices obtain endpoint certificates through the BYOD portal. This is happening for EAP-TLS auth only, for those devices that got an endpoint cert from the ISE internal CA via the BYOD onboarding portal, not for PEAP-MSCHAPv2. We use the ISE system EAP Authentication certs only for auth purposes; there is another wildcard DigiCert cert for Admin/portal/RADIUS DTLS that we renewed last week. Before, it was issued from Entrust; this year we changed to DigiCert. That is working perfectly. But this week, when we changed the EAP Auth cert, the problem started at the same time, right after renewing to the new CA cert.&lt;/P&gt;&lt;P&gt;I had a look at the cert pack issued by ISE and saw it is pushing all ISE internal CA chains plus Entrust Root CA-G2. I think Root CA-G2 is causing the issue. As soon as we changed to DigiCert, endpoints started failing, as they don't have the DigiCert chain in their store.&lt;/P&gt;&lt;P&gt;All failures are showing this log: 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate.&lt;/P&gt;&lt;P&gt;Please help me get rid of this issue. We have hundreds of iPad devices online this way; it is a huge impact on the business. We had to roll back to Entrust, which has just below 3 wks to expiry.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Sep 2024 23:49:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5198443#M1116032</guid>
      <dc:creator>MMR16</dc:creator>
      <dc:date>2024-09-24T23:49:16Z</dc:date>
    </item>
    <item>
      <title>Re: ISE Internal CA issued EAP-TLS auth fails after renewing EAP Auth</title>
      <link>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5198743#M1116047</link>
      <description>&lt;P&gt;Is the CA chain known by the user?&lt;/P&gt;
&lt;P&gt;MHM&lt;/P&gt;</description>
      <pubDate>Wed, 25 Sep 2024 11:19:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5198743#M1116047</guid>
      <dc:creator>MHM Cisco World</dc:creator>
      <dc:date>2024-09-25T11:19:55Z</dc:date>
    </item>
    <item>
      <title>Re: ISE Internal CA issued EAP-TLS auth fails after renewing EAP Auth</title>
      <link>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5198756#M1116051</link>
      <description>&lt;P&gt;The CA chain must be known by the user, as it was issued from the ISE internal CA and was working as usual. After the rollback, it started working again. The question is then what is causing the issue after the EAP Auth cert renewal to DigiCert.&lt;/P&gt;</description>
      <pubDate>Wed, 25 Sep 2024 11:49:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5198756#M1116051</guid>
      <dc:creator>MMR16</dc:creator>
      <dc:date>2024-09-25T11:49:56Z</dc:date>
    </item>
    <item>
      <title>Re: ISE Internal CA issued EAP-TLS auth fails after renewing EAP Auth</title>
      <link>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5198845#M1116056</link>
      <description>&lt;P&gt;The clients need to trust the certificate issuer of the certificate that ISE presents for EAP authentication. By default the endpoints would trust any of the large certificate providers; however, the issue in your case could be caused by the supplicant profile configuration that was pushed to the endpoints. For instance, if the profile pushed via GPO has the Entrust certificate selected from the Trusted Root Certification Authorities to be trusted, then you would need to adjust that profile by selecting the DigiCert certificate.&lt;/P&gt;</description>
      <pubDate>Wed, 25 Sep 2024 13:55:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5198845#M1116056</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2024-09-25T13:55:43Z</dc:date>
    </item>
    <item>
      <title>Re: ISE Internal CA issued EAP-TLS auth fails after renewing EAP Auth</title>
      <link>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5199131#M1116060</link>
      <description>&lt;P&gt;Hi Aref,&lt;/P&gt;&lt;P&gt;Thanks for replying. We don't manage those devices; they are BYOD, onboarding via the BYOD portal. Client provisioning policies are pushing a native supplicant profile, where we push the Wi-Fi profile and the ISE internal cert template, not any EAP Auth cert.&lt;/P&gt;</description>
      <pubDate>Thu, 26 Sep 2024 03:45:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5199131#M1116060</guid>
      <dc:creator>MMR16</dc:creator>
      <dc:date>2024-09-26T03:45:18Z</dc:date>
    </item>
    <item>
      <title>Re: ISE Internal CA issued EAP-TLS auth fails after renewing EAP Auth</title>
      <link>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5199264#M1116068</link>
      <description>&lt;P&gt;What settings do you push in the WiFi profile?&lt;/P&gt;</description>
      <pubDate>Thu, 26 Sep 2024 08:47:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5199264#M1116068</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2024-09-26T08:47:02Z</dc:date>
    </item>
    <item>
      <title>Re: ISE Internal CA issued EAP-TLS auth fails after renewing EAP Auth</title>
      <link>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5199337#M1116078</link>
      <description>&lt;P&gt;Just the SSID name, WPA2, allowed protocol as TLS, and the ISE internal CA cert template.&lt;/P&gt;</description>
      <pubDate>Thu, 26 Sep 2024 11:32:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5199337#M1116078</guid>
      <dc:creator>MMR16</dc:creator>
      <dc:date>2024-09-26T11:32:10Z</dc:date>
    </item>
    <item>
      <title>Re: ISE Internal CA issued EAP-TLS auth fails after renewing EAP Auth</title>
      <link>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5199951#M1116118</link>
      <description>&lt;P&gt;Then I think for some reason those BYOD devices are not trusting the ISE DigiCert certificate that will be presented by ISE during the EAP negotiation. I'm not sure if replacing that DigiCert cert with a self-signed cert issued by ISE would work; I'm just thinking that if these BYOD devices get their certs from the ISE internal CA, maybe they will trust an ISE self-signed cert during the EAP negotiation?&lt;/P&gt;</description>
      <pubDate>Fri, 27 Sep 2024 12:01:03 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ise-internal-ca-issued-eap-tls-auth-fails-after-renewing-eap/m-p/5199951#M1116118</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2024-09-27T12:01:03Z</dc:date>
    </item>
  </channel>
</rss>