PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

tiadmin11
Level 1

There are other posts, and the accepted solution was to use a different cert server, but that doesn’t apply to us, since it works 99% of the time.

 

We keep seeing this randomly. I’m lost on how to fix the issue. It resolves over time, but we really need a way to fix this when it happens. Other clients have zero issues connecting and again, it resolves itself over time. I would say it’s almost always Windows that has the issue.

8 Replies

Francesco Molino
VIP Alumni
Hi

What EAP certificate type is ISE presenting to people who are trying to connect? Is it a public cert, your internal PKI or self-signed?

These Windows machines which have issues, are they members of your domain or not?

This issue can't solve itself. It depends on how the client is configured. Do you know if people are changing their config in order to get finally authenticated? How is their config?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Cert is self-signed from ISE.

The Machines are members of the domain.

Nobody is changing anything, it just eventually works.

Are you pushing by gpo the supplicant configuration?
Do you have any machine right now having the issue? If so, push this ISE certificate into their trusted certificate store and validate that this solved the issue.
I would recommend, for all your domain machines, pushing the ISE cert into their trusted cert store to avoid these issues.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

It is not being pushed by GPO. And the issue has already resolved itself, which leads me to believe that there must be a task on the PC that's fixing the issue.

Hi

Do the affected Windows machines have the correct time/date when they reject the ISE certificate? If AD joined, they should sync time/date with AD using UDP 123 - is this port open for unauthenticated clients?

hth

Andy

I like this theory, port is absolutely open. But I'm pretty sure we're just using MS's time service. So my idea for the next time would be to force a time sync.

Time/Date didn’t resolve it :/

Mike.Cifelli
VIP Alumni
If you are using the Windows native supplicant and pushing the configuration via GPO, ensure that you add the ISE certificate into the Trusted Root Certification Authorities store. For example, under the PEAP Properties I assume you have "Verify the server's identity by validating the certificate" enabled, so you would need to add the ISE cert. You can also configure this under the 'Select Authentication Method' properties, so double check that, run your test and monitor the outcome. HTH!
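The two checks suggested in this thread (Francesco's and Mike's advice to get the ISE certificate into the machine's Trusted Root store, and Andy's question about the client's clock) can be run on an affected client from an elevated PowerShell session. The script below is an added example written for this page; it is not code from any of the posters or from Cisco. It assumes you have the SHA-1 thumbprint of the certificate ISE presents for EAP (the `$IseThumbprint` value is a placeholder), and optionally a `.cer` export of that certificate to import when it is missing. Only standard Windows cmdlets (`Get-ChildItem` on the `Cert:` drive, `Import-Certificate`) and `w32tm` are used.

```powershell
# Added example (not from the thread): on a Windows client that fails PEAP,
# report whether the ISE EAP certificate is in LocalMachine\Root, whether the
# local clock falls inside its validity window, and what the time source is.

function Test-IseCertTrust {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # SHA-1 thumbprint of the ISE EAP cert
        [string]$CertFile                             # optional .cer export to import if missing
    )
    # Accept "AA:BB:CC" or "AA BB CC" formats as well as a bare hex string.
    $Thumbprint = $Thumbprint -replace '[\s:]', ''
    $result = [ordered]@{ Thumbprint = $Thumbprint; Trusted = $false; Valid = $false; Imported = $false }

    # The native supplicant validates the server cert against the machine's
    # Trusted Root Certification Authorities store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $Thumbprint }

    if (-not $cert -and $CertFile) {
        # Import only when asked to; this mirrors pushing the cert via GPO, done by hand.
        $cert = Import-Certificate -FilePath $CertFile -CertStoreLocation Cert:\LocalMachine\Root
        $result.Imported = $true
    }

    if ($cert) {
        $result.Trusted   = $true
        $now              = Get-Date
        # A clock outside NotBefore..NotAfter makes a trusted cert fail validation too.
        $result.Valid     = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        $result.Subject   = $cert.Subject
        $result.NotBefore = $cert.NotBefore
        $result.NotAfter  = $cert.NotAfter
    }
    [pscustomobject]$result
}

function Get-ClockStatus {
    # w32tm reports the configured time source and the last successful sync;
    # a stale or missing sync on an AD-joined client points at the UDP 123 question.
    $status = w32tm /query /status
    $source = ($status | Select-String '^Source:').Line
    $last   = ($status | Select-String '^Last Successful Sync Time:').Line
    [pscustomobject]@{ Source = $source; LastSync = $last; LocalTime = Get-Date }
}

# Usage (thumbprint below is a placeholder; take the real one from the ISE certificate store):
$IseThumbprint = 'REPLACE_WITH_ISE_EAP_CERT_THUMBPRINT'
Test-IseCertTrust -Thumbprint $IseThumbprint | Format-List
Get-ClockStatus | Format-List
# To force a resync when the clock looks off, run: w32tm /resync
```

If `Trusted` comes back `$false` on a machine that is currently failing, importing the certificate (or re-running with `-CertFile`) and retrying the connection confirms or rules out the missing-trust explanation; if `Trusted` is `$true` but `Valid` is `$false`, the clock, not the store, is the problem.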