Cisco Employee

12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Hi Experts,

  1. Using the Windows 802.1x supplicant in the Cisco switch and Cisco wireless scenarios, it works fine.
  2. Using AnyConnect NAM, it works in the wireless scenario but fails in the wired scenario.
  3. Using AnyConnect NAM with a Cisco switch, the user CAN NOT log in. The ISE log said "12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate". No invalid-certificate warning message popped up.

The ISE version is 2.3.0.298, the AnyConnect version is the 4.6.01098 pre-deploy package, and we also tried 4.5.05030. We tried on two Win7 machines and one Win10 machine, with the same issue.

Any suggestions would be much appreciated!

Thanks

DL

1 ACCEPTED SOLUTION

Cisco Employee

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

My initial analysis would be to check the configuration file using the profile editor and make sure you have the appropriate settings. Can you please attach the configuration file, which I can check? Also, please raise a TAC case to troubleshoot.

Thanks,

Nidhi

Cisco Employee

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Adding to Nidhi... please check whether the option [ V ] Validate Server Identity is enabled.

Cisco Employee

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Hi hslai,

I created a NAM.xml profile for AnyConnect. It should be put in %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\NetworkAccessManager\newConfigFiles, right? And what name should it be changed to so that AnyConnect can recognize and use it?

BR,

Alex

Cisco Employee

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

You will have to rename it to configuration.xml, put it in c:/program data/cisco/cisco AnyConnect secure mobility client/network access manager, and reinitialize the connection.

Thanks,

Nidhi

Cisco Employee

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Forgot to mention that Program data should be a hidden folder, so please change the settings to view the advance folder.

Cisco Employee

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Entering %programdata% in the address bar of Windows Explorer would also take us there.

Beginner

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Hi hslai,

I am having the same issue and the same error message. ISE 2.3.0298 with our internal MS PKI cert. Would you mind advising how you fixed it?

Best regards,

Richard

Beginner

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Hello Nidhi,

I am having the same issue and error message.

My client configuration file on Win7 is in one more sub-folder:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration.xml

Is the above path correct?

BTW, the sub-folder \newConfigFiles is empty.

Please advise which folder the client configuration file should be in.

Thanks.

Richard

Cisco Employee

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

Creating a NAM profile and disabling server validation in the profile.

Re: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

I had the same problem and exactly the same message, and when I disable the server validation identity check box it works immediately and works fine.
Thanks a lot