Cisco Employee

12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Hi Experts,

  1. Using the Windows 802.1x supplicant in the Cisco switch and Cisco wireless scenarios, it works fine.
  2. Using AnyConnect NAM, it works in the wireless scenario but fails in the wired scenario.
  3. Using AnyConnect NAM with a Cisco switch, the user CAN NOT log in. The ISE log says “12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate”. No invalid certificate warning message popped up.

The ISE version is 2.3.0.298, the AnyConnect version is the 4.6.01098 pre-deploy package, and we also tried 4.5.05030. We tried on two Win7 machines and one Win10 machine, same issue.

Any suggestions would be much appreciated!

Thanks

DL

1 ACCEPTED SOLUTION

Cisco Employee

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

My initial analysis would be to check the configuration file using the profile editor and make sure you have the appropriate settings. Can you please attach the configuration file so that I can check it? Also, please raise a TAC case to troubleshoot.

Thanks,

Nidhi

8 REPLIES
Cisco Employee

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Adding to Nidhi... please check whether the option [ V ] Validate Server Identity is enabled.


Cisco Employee

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Hi hslai,

   I created a NAM.xml profile for AnyConnect. It should be put in %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\NetworkAccessManager\newConfigFiles, right? And what name should it be changed to so that AnyConnect can recognize and use it?

BR,

Alex

Cisco Employee

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

You will have to rename it to configuration.xml and put it in c:/program data/cisco/cisco AnyConnect secure mobility client/network access manager, and reinitialize the connection.

Thanks,

Nidhi

Cisco Employee

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Forgot to mention that Program data should be a hidden folder. So please change the settings to view the advance folder.

Cisco Employee

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Entering %programdata% in the address bar of Windows Explorer would also take us there.


Beginner

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Hi hslai
I am having the same issue and the same error message. ISE 2.3.0298 with our internal MS PKI cert. Would you mind advising how you fixed it? Best regards. Richard
Beginner

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Hello Nidhi

I am having the same issue and error message.

My client configuration file on Win7 is in one more sub-folder:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration.xml

Is the above path correct?

BTW, the sub-folder \newConfigFiles is empty.

Please advise which folder the client configuration file should be in.

Thanks.

 

Richard
