EAP Authentication - 3rd party Certificate

mitchp75 (Level 1)

Recently I replaced the certificate for EAP authentication on our corporate wireless ISE deployment with a like-for-like certificate with a new expiration date. The certificate has the intermediate and root listed in the certification path. The issue I'm having is that the new cert, like the old one, is SHA256, while the intermediate and root are both showing as SHA384. 99% of the clients are working fine, but I have a handful that worked previously and are no longer able to connect.

In ISE I see the error: 12321 : PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

On the medical device we did a packet capture, which shows ISE sending the certificate with the full chain. The device doesn't like it and sends an Alert (level: Fatal, Description: Bad Certificate) packet.

Does ISE always send the EAP cert with the full chain or is there any way to strip out the chain? The vendor is saying their devices aren't able to use SHA384 and the issue is with the intermediate and root. I'd rather not replace the EAP Authentication cert again if possible.

Thanks for any help that is provided.

Accepted Solution

Surendra (Cisco Employee)
Coming straight to the point: there is no provision to limit ISE from sending the entire chain, and ISE does provide the entire chain.
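Since the chain cannot be trimmed on the ISE side, the practical check is to look at what the presented chain actually contains and which members a constrained client can verify. The following added example (not Cisco's code, not the poster's) rebuilds a chain shaped like the one described in the question, a SHA256 leaf under a SHA384 intermediate and SHA384 root, then reports the signature digest of each member in the order a TLS server sends them and flags the ones outside an assumed client capability set. The chain, the names in it, and the `LEGACY_DEVICE_HASHES` set are all constructed for the demonstration; against a real deployment you would feed it the PEM chain exported from ISE or reassembled from the capture.

```python
"""Report the signature digest of every certificate in a PEM chain.

Added example: constructed chain and constructed client capability set,
not ISE's own chain. Requires the 'cryptography' package.
"""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def _make_cert(subject_cn, issuer_cn, subject_key, issuer_key, hash_cls, is_ca):
    """Build and sign one certificate; hash_cls selects the signature digest."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key, hash_cls())


def build_demo_chain() -> bytes:
    """Constructed stand-in for the chain a server sends: leaf first, then
    intermediate, then root. Digests mirror the post: SHA256 leaf, SHA384 CAs."""
    root_key = ec.generate_private_key(ec.SECP384R1())
    inter_key = ec.generate_private_key(ec.SECP384R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    root = _make_cert("Demo Root CA", "Demo Root CA", root_key, root_key, hashes.SHA384, True)
    inter = _make_cert("Demo Issuing CA", "Demo Root CA", inter_key, root_key, hashes.SHA384, True)
    leaf = _make_cert("ise.example.test", "Demo Issuing CA", leaf_key, inter_key, hashes.SHA256, False)
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in (leaf, inter, root))


def chain_signature_hashes(chain_pem: bytes) -> list:
    """Return [(subject, signature hash name), ...] in the order the chain is sent."""
    result = []
    for block in chain_pem.split(PEM_END):
        if PEM_BEGIN not in block:
            continue  # trailing whitespace after the last END marker
        cert = x509.load_pem_x509_certificate(block.strip() + b"\n" + PEM_END + b"\n")
        result.append((cert.subject.rfc4514_string(), cert.signature_hash_algorithm.name))
    return result


def incompatible_certs(chain_hashes, supported_hashes) -> list:
    """Chain members whose signature digest is outside what the client can verify."""
    return [(subject, h) for subject, h in chain_hashes if h not in supported_hashes]


if __name__ == "__main__":
    # Assumed capability of the legacy device in the post: nothing beyond SHA-256.
    LEGACY_DEVICE_HASHES = {"sha1", "sha256"}
    found = chain_signature_hashes(build_demo_chain())
    for subject, digest in found:
        print(f"{subject:25s} signed with {digest}")
    for subject, digest in incompatible_certs(found, LEGACY_DEVICE_HASHES):
        print(f"client cannot verify: {subject} ({digest})")
```

The leaf itself passes, so the 99% figure in the question is consistent with the client only choking on the CA signatures it must verify to reach its trust anchor. A client normally does not verify a self-signed root's own signature, so the intermediate's SHA384 signature is the one that matters for chain building; whether a particular device tolerates an unsupported digest on the root it receives is device-specific, which is why the capture showing the alert is the authoritative evidence.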

