Accepted Solutions
Some screenshot of the settings and additional information about the setup would help. But, since you are getting that error, I assume the RRAS and the client is using PPP-EAP, and either PEAP or EAP-TTLS EAP type. Having the Digicert root/intermediate in the client certificate store is not enough. You need to make sure the client authentication setting for VPN is configured to trust the Digicert root certificate for EAP purpose. You can do so by logging on to client Windows machine and go to its Network Connections. Find the VPN connection and click on its properties -> Security tab. Then under ‘Authentication’ click Properties and make sure the proper root CA is checked and the server names rule works with the ISE certificate. Showing here is example of PEAP:
If the connection still fails with the same issue, temporarily change the setting above to notify the user if certificate doesn’t match. By doing so you will see what certificate is being presented during connection and confirm proper server certificate is being presented by ISE or not. It will reveal SHA1 hashed fingerprint which you can compare on ISE.
You can check the ISE EAP certificate by logging on to ISE GUI, then go to Administration -> System -> Certificates. Then on the left hand side, click Certificate Management -> System Certificates. Check to see which certificate is showing ‘Used By’ EAP. Click on the checkbox for the certificate and click on ‘View’ which reveals the Certificate Hierarchy and the SHA1 fingerprint. Make sure ISE can visualize the path between EAP certificate and the root CA and the fingerprint matches what client is seeing. If the path is incomplete, make sure to get the root CA and any intermediate certificate from Digicert and install them in to the ISE Trusted Certificate store. This will allow ISE to present proper certificate chain to the client during authentication.
Some screenshot of the settings and additional information about the setup would help. But, since you are getting that error, I assume the RRAS and the client is using PPP-EAP, and either PEAP or EAP-TTLS EAP type. Having the Digicert root/intermediate in the client certificate store is not enough. You need to make sure the client authentication setting for VPN is configured to trust the Digicert root certificate for EAP purpose. You can do so by logging on to client Windows machine and go to its Network Connections. Find the VPN connection and click on its properties -> Security tab. Then under ‘Authentication’ click Properties and make sure the proper root CA is checked and the server names rule works with the ISE certificate. Showing here is example of PEAP:
If the connection still fails with the same issue, temporarily change the setting above to notify the user if certificate doesn’t match. By doing so you will see what certificate is being presented during connection and confirm proper server certificate is being presented by ISE or not. It will reveal SHA1 hashed fingerprint which you can compare on ISE.
You can check the ISE EAP certificate by logging on to ISE GUI, then go to Administration -> System -> Certificates. Then on the left hand side, click Certificate Management -> System Certificates. Check to see which certificate is showing ‘Used By’ EAP. Click on the checkbox for the certificate and click on ‘View’ which reveals the Certificate Hierarchy and the SHA1 fingerprint. Make sure ISE can visualize the path between EAP certificate and the root CA and the fingerprint matches what client is seeing. If the path is incomplete, make sure to get the root CA and any intermediate certificate from Digicert and install them in to the ISE Trusted Certificate store. This will allow ISE to present proper certificate chain to the client during authentication.
