Beginner

EAP Authentication - 3rd party Certificate

Recently I replaced the Certificate for EAP Authentication on our Corporate Wireless ISE deployment with a like-for-like Certificate with a new expiration date. The Certificate has the Intermediate and Root listed in the Certification path. The issue I'm having is that the new cert, like the old one, is SHA256, while the intermediate and root are both showing as SHA384; 99% of the clients are working fine, but I have a handful that worked previously and are no longer able to connect.


In ISE I see the error: 12321 : PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

On the medical device we did a packet capture, which shows ISE sending the certificate with the full chain; the device doesn't like that and sends an Alert (level: Fatal, Description: Bad Certificate) packet.


Does ISE always send the EAP cert with the full chain or is there any way to strip out the chain? The vendor is saying their devices aren't able to use SHA384 and the issue is with the intermediate and root. I'd rather not replace the EAP Authentication cert again if possible.


Thanks for any help that is provided.

Accepted Solution
Cisco Employee

Re: EAP Authentication - 3rd party Certificate

Coming straight to the point: there is no provision to prevent ISE from sending the entire chain, and ISE does provide the entire chain.
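To make the two sides of this thread concrete, here is an added example (mine, not Cisco's code and not from the original thread) that rebuilds the situation with Go's standard library only: a SHA256-signed server certificate under a SHA384-signed intermediate and root, presented leaf first the way the TLS Certificate message carries it. RejectedBy models a supplicant that inspects every certificate in the message and only understands SHA256, which is enough to reject the chain even though the leaf itself is fine. Verifies then shows why the server has to send the chain at all: with only the root in the device's trust store, the leaf on its own does not validate unless the device already holds the intermediate. The CA names, the hostname ise.example.test, the ECDSA P-384 keys and the whole chain are constructed test data, not anything from a real ISE deployment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a test certificate for cn with the requested signature algorithm,
// signed by parent/parentKey, or self-signed when parent is nil.
// Constructed test data only; nothing here comes from a real ISE deployment.
func issue(serial int64, cn string, isCA bool, alg x509.SignatureAlgorithm,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		SignatureAlgorithm:    alg, // the field a strict supplicant trips over
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ISEChain builds the chain from the post: SHA256 leaf, SHA384 intermediate,
// SHA384 root, returned leaf first as the server presents it. Hypothetical names.
func ISEChain() []*x509.Certificate {
	root, rootKey := issue(1, "Example Root CA", true, x509.ECDSAWithSHA384, nil, nil)
	inter, interKey := issue(2, "Example Issuing CA", true, x509.ECDSAWithSHA384, root, rootKey)
	leaf, _ := issue(3, "ise.example.test", false, x509.ECDSAWithSHA256, inter, interKey)
	return []*x509.Certificate{leaf, inter, root}
}

// RejectedBy lists the presented certificates whose signature algorithm is
// outside the set a supplicant supports. A device that parses every certificate
// in the message and cannot handle SHA384 answers with a fatal bad_certificate
// alert even though the leaf alone is SHA256.
func RejectedBy(chain []*x509.Certificate, supported map[x509.SignatureAlgorithm]bool) []string {
	var bad []string
	for _, c := range chain {
		if !supported[c.SignatureAlgorithm] {
			bad = append(bad, fmt.Sprintf("%s (%s)", c.Subject.CommonName, c.SignatureAlgorithm))
		}
	}
	return bad
}

// Verifies runs standard path building for the leaf against one trusted root,
// using only the intermediates the supplicant holds locally. Without the
// intermediate the leaf does not chain to the root, which is the cost of
// "stripping the chain" on the server side.
func Verifies(leaf, root *x509.Certificate, localIntermediates []*x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range localIntermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: leaf.Subject.CommonName})
	return err == nil
}

func main() {
	chain := ISEChain()
	for _, c := range chain {
		fmt.Printf("%-20s %s\n", c.Subject.CommonName, c.SignatureAlgorithm)
	}
	sha256Only := map[x509.SignatureAlgorithm]bool{x509.ECDSAWithSHA256: true}
	fmt.Println("rejected by a SHA256-only supplicant:", RejectedBy(chain, sha256Only))
	fmt.Println("leaf only, no local intermediate:", Verifies(chain[0], chain[2], nil))
	fmt.Println("leaf plus the sent intermediate:", Verifies(chain[0], chain[2], chain[1:2]))
}
```

The practical reading matches the reply above: the server-side chain cannot be trimmed, and even if it could, the device would then need the intermediate installed locally to validate the leaf. The fix therefore sits either on the device (accept SHA384 signatures, or pre-load the issuing CA so the chain's signature algorithms are irrelevant to it) or in the PKI (issue the EAP certificate from a CA hierarchy signed with algorithms the devices support).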
