Beginner

Microsoft RRAS + ISE

I'm trying to get RRAS to use ISE instead of NPS for VPN authentication. When I define the ISE server as the radius host in RRAS, the VPN connection won't come up on the client.

The ISE logs show the following:

Ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!

The ISE certificate is issued by Digicert and the intermediate and root certs are both in the cert store on the client.

Any guidance on getting RRAS and ISE to work together?

Thanks.


Accepted Solution
Cisco Employee

Re: Microsoft RRAS + ISE

Some screenshots of the settings and additional information about the setup would help. But, since you are getting that error, I assume the RRAS and the client are using PPP-EAP, and either the PEAP or the EAP-TTLS EAP type. Having the Digicert root/intermediate in the client certificate store is not enough. You need to make sure the client authentication setting for VPN is configured to trust the Digicert root certificate for EAP purposes. You can do so by logging on to the client Windows machine and going to its Network Connections. Find the VPN connection and click on its Properties -> Security tab. Then under ‘Authentication’ click Properties and make sure the proper root CA is checked and the server names rule works with the ISE certificate. Shown here is an example for PEAP:

[Screenshot: Screen Shot 2018-09-30 at 12.59.22 AM.png (PEAP properties, trusted root CA and server name settings)]


If the connection still fails with the same issue, temporarily change the setting above to notify the user if the certificate doesn’t match. By doing so you will see what certificate is being presented during the connection and can confirm whether or not the proper server certificate is being presented by ISE. It will reveal the SHA1 fingerprint, which you can compare on ISE.


You can check the ISE EAP certificate by logging on to the ISE GUI, then going to Administration -> System -> Certificates. Then on the left-hand side, click Certificate Management -> System Certificates. Check to see which certificate is showing ‘Used By’ EAP. Click on the checkbox for the certificate and click on ‘View’, which reveals the Certificate Hierarchy and the SHA1 fingerprint. Make sure ISE can visualize the path between the EAP certificate and the root CA and that the fingerprint matches what the client is seeing. If the path is incomplete, make sure to get the root CA and any intermediate certificate from Digicert and install them into the ISE Trusted Certificate store. This will allow ISE to present the proper certificate chain to the client during authentication.

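The client-side checks the accepted solution walks through (which root CA is checked for EAP, what the server-name rule says, whether the root is actually installed, and whether the fingerprint matches the certificate ISE shows under ‘View’) can be audited from PowerShell on the Windows VPN client instead of clicking through the dialogs. The script below is an added example, not code from the thread, Cisco or Microsoft. It assumes a hypothetical VPN connection named "Corp-RRAS" and an ISE EAP certificate exported from Administration -> System -> Certificates to C:\temp\ise-eap.cer; the element names it reads (ServerNames, TrustedRootCA, DisableUserPromptForServerValidation) are those of the Windows PEAP/EAP-TTLS provisioning XML that Get-VpnConnection returns in EapConfigXmlStream.

```powershell
# Added example (not from the original thread or vendor documentation).
# Audits a Windows VPN connection's EAP server-validation settings against the
# local Root stores and, optionally, against the ISE EAP certificate exported
# from the ISE GUI. Run in an elevated PowerShell on the VPN client.
# Assumptions (hypothetical): connection "Corp-RRAS", exported cert at C:\temp\ise-eap.cer.
param(
    [string]$VpnName     = 'Corp-RRAS',
    [string]$IseCertPath = 'C:\temp\ise-eap.cer'
)

# --- 1. Pull the EAP configuration XML stored with the VPN connection -----------------
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction Stop
[xml]$eap = $vpn.EapConfigXmlStream.OuterXml      # EapConfigXmlStream is an XmlDocument

# The PEAP/EAP-TTLS schemas are namespaced; local-name() keeps the XPath namespace-agnostic.
function Get-EapNodeText([xml]$Doc, [string]$LocalName) {
    $Doc.SelectNodes("//*[local-name()='$LocalName']") | ForEach-Object { $_.InnerText }
}

$serverNames  = @(Get-EapNodeText $eap 'ServerNames') -join ';'
$promptOff    = Get-EapNodeText $eap 'DisableUserPromptForServerValidation'
# TrustedRootCA holds SHA-1 thumbprints with spaces; normalise to bare upper-case hex.
$trustedRoots = @(Get-EapNodeText $eap 'TrustedRootCA' |
                  ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() })

"VPN '$VpnName' authentication method(s): $($vpn.AuthenticationMethod -join ', ')"
"Server name rule                 : '$serverNames'"
"Disable server-validation prompt : $promptOff"   # 'true' = fail silently on mismatch, no cert shown
"Root CA(s) checked for EAP       : $($trustedRoots.Count)"

# --- 2. Cross-check each EAP-trusted root thumbprint against the Windows Root stores ----
$rootStore = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root
foreach ($tp in $trustedRoots) {
    $match = $rootStore | Where-Object Thumbprint -eq $tp | Select-Object -First 1
    if ($match) { "  OK      $tp  $($match.Subject)" }
    else        { "  MISSING $tp  (checked for EAP but not present in a Root store)" }
}
if ($trustedRoots.Count -eq 0) {
    "  WARNING: no root CA is checked for EAP; the client will prompt or fail validation."
}

# --- 3. Optional: compare with the ISE EAP certificate exported from the ISE GUI ---------
if (Test-Path $IseCertPath) {
    $ise = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($IseCertPath)
    "ISE EAP cert subject : $($ise.Subject)"
    "ISE EAP cert SHA1    : $($ise.Thumbprint)"   # must equal the fingerprint ISE shows under 'View'

    # Build the chain the way Windows will: which root does this client end at?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is not the question here
    $built = $chain.Build($ise)
    "Chain builds on this client: $built"
    foreach ($el in $chain.ChainElements) { "  $($el.Certificate.Thumbprint)  $($el.Certificate.Subject)" }

    # The last element is the root Windows terminated at; it must be one the VPN profile trusts for EAP.
    $rootTp = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    if ($trustedRoots -contains $rootTp) { "Root $rootTp is checked for EAP: OK" }
    else { "Root $rootTp is in the store but NOT checked for EAP in the VPN profile (the 'not enough' case)" }

    # Server-name rule: list the DNS names the ISE cert carries so they can be matched against the rule.
    $dns = @($ise.DnsNameList | ForEach-Object { $_.Unicode })   # DnsNameList is a PowerShell-added property
    if (-not $dns) { $dns = @($ise.GetNameInfo('DnsName', $false)) }
    "ISE cert DNS names   : $($dns -join ', ')"
}
```

Step 3 deliberately reuses the Windows chain engine rather than re-implementing path validation, so the root it reports is the one the EAP supplicant will also reach; if `Chain builds` is false, the intermediate or root is missing on the client side, and if it is true but the root is "NOT checked for EAP", the fix is the checkbox in the PEAP properties, exactly the case the thread ends on.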
3 REPLIES
Contributor

Re: Microsoft RRAS + ISE

The certificate is irrelevant in the case of remote-access RADIUS. Please provide the full log message and make sure the authentication rule is matched. (The authentication rule may not match if PAP is not checked under Allowed Protocols.)

Beginner

Re: Microsoft RRAS + ISE

Adding Digicert to the trusted root authorities did take care of it. I had been doing some testing using only my internal CA and forgot that I needed to add the public root CAs also.

Thanks!