yongwli
Cisco Employee

12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Hi Experts,

  1. Using the Windows 802.1X supplicant in the Cisco switch and Cisco wireless scenario. It works fine.
  2. Using AnyConnect NAM, it can work in the wireless scenario but fails in the wired scenario.
  3. Using AnyConnect NAM with a Cisco switch, the user CANNOT log in. The ISE log said “12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate”. No invalid certificate warning message popped up.

ISE version is 2.3.0.298, AnyConnect version is 4.6.01098 pre-deploy package, and we tried 4.5.05030. We tried on two Win7 and one Win10; same issue.

Any suggestion will be much appreciated!

Thanks

DL

Accepted Solution

Nidhi
Cisco Employee

My initial analysis would be to check the configuration file using the profile editor and make sure you have the appropriate settings. Can you please attach the configuration file so I can check? Also, please raise a TAC case to troubleshoot.

Thanks,

Nidhi

10 Replies

hslai
Cisco Employee

Adding to Nidhi... please check whether the option [ V ] Validate Server Identity is enabled.

[Screenshot: Screen Shot 2018-06-13 at 7.26.32 PM.png]

wenzeng
Cisco Employee

Hi hslai,

   I created a NAM.xml profile for AnyConnect. It should be put in %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\NetworkAccessManager\newConfigFiles, right? And what name should it be changed to so that AnyConnect can recognize and use it?

BR,

Alex

Nidhi
Cisco Employee

You will have to rename it to configuration.xml and put it in c:/program data/cisco/cisco AnyConnect secure mobility client/network access manager, and reinitialize the connection.

Thanks,

Nidhi

Nidhi
Cisco Employee

Forgot to mention that ProgramData should be a hidden folder. So please change the settings to view the advanced folder.

hslai
Cisco Employee

Entering %programdata% in the address bar of Windows Explorer would also take us there.

[Screenshot: Screen Shot 2018-06-14 at 8.40.46 AM.png]

Hi hslai,

I am having the same issue and the same error message. ISE 2.3.0298 with our internal MS PKI cert. Do you mind advising how you fixed it?

Best regards,

Richard

Hello Nidhi,

I am having the same issue and error message.

My client configuration file on Win7 is one more sub-folder down:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration.xml

Is the above path correct?

BTW, the sub-folder \newConfigFiles is empty.

Please advise which folder the client configuration file should be in.

Thanks.

Richard

yongwli
Cisco Employee

Create a NAM profile and disable server validation in the profile.

I had the same problem and exactly the same message, and when I disabled the Validate Server Identity check box it worked immediately and works fine.
Thanks a lot