12520 EAP-TLS failed SSL/TLS handshake in ISE 2.1

N3t W0rK3r
Level 3

We are running ISE 2.1 patch 2 in a 4-node deployment: 2 PANs, 2 PSNs.

We are trying to get EAP-TLS set up to authenticate our Windows wireless clients to our new wireless network.

The ISE servers have our internal root CA and intermediate CA certs installed and trusted, and user/machine certs are present on the client.

When a client tries to connect to our test SSID, it fails, and I see this error in the RADIUS live log:

12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

We have tried unchecking "validate server cert" on the client's Wi-Fi profile, but we get the same result.

Any ideas? I have seen other posts here about similar problems, but with different versions of ISE.

Thanks in advance.

John

2 Replies

ajc
Level 7

Looks like the ISE certificate for EAP-TLS was not signed by your internal PKI, and that's why it is rejected by the end-user device. You should have something like this on the ISE primary PAN and PSNs.

[attachment: CERT.png]

ajc
Level 7

BTW, EAP-TLS is a 2-WAY CERTIFICATE VALIDATION, so you cannot disable "VALIDATE SERVER CERTIFICATE" on the end-user device profile.
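Both replies come down to the same check: the certificate ISE presents for EAP must chain to a root the client trusts, and (since EAP-TLS is mutual) the client's certificate must chain to a root ISE trusts. The script below is an added example, not from this thread and not Cisco tooling. It builds a throwaway internal PKI with openssl that mirrors the poster's setup (internal root CA, intermediate CA, ISE EAP certificate, client certificate; all names are constructed), then runs `openssl verify` the way you would against certificates exported from ISE and the client to see which side would produce the 12520 rejection. It assumes `openssl` is on the path; to use it on real files, export the ISE EAP certificate, the intermediate, and the root as PEM and call `chain_check` with those instead.

```shell
#!/bin/sh
# Added example, not from the thread. Constructs a demo internal PKI:
#   Example Internal Root CA -> Example Internal Issuing CA -> ISE EAP cert
# and checks each leaf the way a peer that trusts only the internal root would.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: CA, EAP server (ISE), and EAP client (user/machine).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ext_ca
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ise-psn1.example.internal\n' > ext_srv
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > ext_cli

# mk_csr BASENAME CN: fresh RSA key plus CSR (hypothetical names only).
mk_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# Internal root CA (self-signed) and an intermediate issued by it.
mk_csr root "Example Internal Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 365 \
  -extfile ext_ca -out root.pem >/dev/null 2>&1
mk_csr int "Example Internal Issuing CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -extfile ext_ca -out int.pem >/dev/null 2>&1

# Good ISE EAP certificate: issued by the internal intermediate.
mk_csr ise_good "ise-psn1.example.internal"
openssl x509 -req -in ise_good.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -extfile ext_srv -out ise_good.pem >/dev/null 2>&1

# Bad ISE EAP certificate: self-signed, so it has no path to the client's
# trusted root. This is the condition the first reply describes.
mk_csr ise_bad "ise-psn1.example.internal"
openssl x509 -req -in ise_bad.csr -signkey ise_bad.key -days 365 \
  -extfile ext_srv -out ise_bad.pem >/dev/null 2>&1

# Client (machine) certificate from the same PKI, for the reverse direction.
mk_csr client "WS01.example.internal"
openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -extfile ext_cli -out client.pem >/dev/null 2>&1

# chain_check ROOT INTERMEDIATE LEAF: "ok" when LEAF chains to ROOT through
# INTERMEDIATE, "rejected" otherwise (what a validating peer would do).
chain_check() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# eku_check LEAF USAGE: "ok" when the certificate carries the named extended
# key usage; a server-side EAP certificate needs "TLS Web Server Authentication".
eku_check() {
  if openssl x509 -in "$1" -noout -text | grep -q "$2"; then
    echo ok
  else
    echo missing
  fi
}

# Client's view of ISE (server validation), then ISE's view of the client.
echo "ISE cert from internal PKI : $(chain_check root.pem int.pem ise_good.pem)"
echo "Self-signed ISE cert       : $(chain_check root.pem int.pem ise_bad.pem)"
echo "Client cert seen by ISE    : $(chain_check root.pem int.pem client.pem)"
echo "ISE cert serverAuth EKU    : $(eku_check ise_good.pem 'TLS Web Server Authentication')"
```

The self-signed ISE certificate is the only one `chain_check` rejects, which is the 12520 outcome; the client certificate passes because ISE and the client trust the same internal root, which is why the second reply says server validation cannot simply be switched off on one side.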