12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate

Hi Team,

I am facing the subjected error. This is a new requirement to establish certificate-based authentication for Wi-Fi access.

Kindly suggest on this.

Access Service DOTIX_WIFI

Authentication Method EAP-TLS

 

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15008 Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - DOTIX_WIFI
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started.
12914 Empty EAP-TLS session ticket received from supplicant
12911 The EAP-TLS session ticket received from supplicant while the stateless session resume is disabled. Performing full authentication.
12805 Extracted TLS ClientHello message.
12806 Prepared TLS ServerHello message.
12807 Prepared TLS Certificate message.
12808 Prepared TLS ServerKeyExchange message.
12809 Prepared TLS CertificateRequest message.
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12815 Extracted TLS Alert message.
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate
12507 EAP-TLS authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

2 Accepted Solutions

Damien Miller
VIP Alumni

The error you are seeing is quite directed, in that it actually tells you that the client is rejecting ISE during the EAP set-up.

Is the certificate you assigned to EAP authentication on ISE trusted by the client? This in itself has many possible steps to check. The trust chain must be installed on the client, either by default in the OS install or pushed out by admins.

The certificate has to be valid, both who it's signed for (ISE nodes) and within the valid dates.

One other thing I have come across is with Windows native supplicants. In the connection profile, RADIUS servers can be specified; if a RADIUS server not trusted in the list tries to authenticate the client, the client will reject it.

If you're using a public CA-issued cert for EAP, don't blindly assume the client will trust it. Not all public CA trust chains are installed in operating systems by default.

Hi,

You need to add the CA certificate that signed the ISE identity certificate to the Windows certificate store, under "Trusted Root Certificate Authorities", and also the intermediate CAs if the CA that signed the certificate is a sub-CA.

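As an added, runnable illustration of the checks in both replies (is the ISE chain trusted by the client, is the sub-CA available, is the certificate within its dates, does its name match the supplicant's trusted-server list), not something posted in this thread or shipped with ISE: the script below builds a throw-away root CA, issuing sub-CA and EAP server certificate with openssl and runs each check against them. The node name ise-psn1.lab.example, the CA names and all file paths are made-up placeholders; only openssl and a POSIX shell are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduces offline the checks the replies
# describe (trusted chain, sub-CA present, validity dates, name in the
# supplicant's trusted-server list) with openssl against a throw-away PKI built
# here. All names and paths are hypothetical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ISE_FQDN="ise-psn1.lab.example"   # hypothetical ISE policy node name

# Key + CSR for one entity: $1 = file tag, $2 = subject CN.
mk_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Root CA -> issuing sub-CA -> EAP server certificate, a typical enterprise shape.
build_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$ISE_FQDN" \
    > "$WORK/eap.ext"
  mk_csr root "Lab Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  mk_csr sub "Lab Issuing CA"
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" 2>/dev/null
  mk_csr eap "$ISE_FQDN"
  openssl x509 -req -in "$WORK/eap.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 365 -extfile "$WORK/eap.ext" -out "$WORK/eap.pem" 2>/dev/null
}

# Does the server certificate chain to a root in the client's store?
# $1 = trusted roots (the client's store), $2 = intermediates the server sends
# in its TLS Certificate message ("" if none), $3 = server certificate.
chain_trusted() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

# Is the certificate still inside its validity period right now?
within_validity() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Does any SAN DNS name match the supplicant's trusted-server list?
# $1 = certificate, remaining args = names the connection profile allows.
matches_trusted_servers() {
  cert="$1"; shift
  for allowed in "$@"; do
    for have in $(cert_dns_names "$cert"); do
      [ "$have" = "$allowed" ] && return 0
    done
  done
  return 1
}

# Print PASS/FAIL for a check without aborting the script: $1 = label, rest = command.
report() {
  label="$1"; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

build_test_pki
# The sub-CA case from the second reply: root in the client store, but neither
# the client nor the server supplies the intermediate -> chain cannot be built.
report "chain: root in store, sub-CA missing" \
  chain_trusted "$WORK/root.pem" "" "$WORK/eap.pem"
report "chain: root in store, sub-CA supplied" \
  chain_trusted "$WORK/root.pem" "$WORK/sub.pem" "$WORK/eap.pem"
report "validity dates" within_validity "$WORK/eap.pem"
report "name present in profile's server list" \
  matches_trusted_servers "$WORK/eap.pem" "$ISE_FQDN" "ise-psn2.lab.example"
report "name absent from profile's server list" \
  matches_trusted_servers "$WORK/eap.pem" "radius.other.example"
```

To apply it to a real deployment, point root.pem at the root certificate actually present in the client's store, sub.pem at the intermediate the client has installed or ISE presents, eap.pem at the EAP certificate exported from ISE, and the name list at what the Windows connection profile specifies. The check that fails with the root alone is the situation the second reply describes, and a public-CA certificate whose root is absent from the client store fails the same chain check.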