Re: 684510397 - UCM\\ Enable 802.1x\CAPF\phone not working\reference:684325552 - Page 2

mumustha · ‎05-29-2018

While authenticating phones signed by a CA-Signed CAPF, ISE fails to authenticate the phones with the error being, "client certificate is missing the complete chain".

On extracting the client certificate form the ISE pcaps, we observed the whole chain to be present in the certificate. However, the client complained that the Intermediate CA is not valid for the selected purpose, "This certificate does not appear to be valid for the selected purpose" (Attached as Client certificate)

On observing the logs it displays that, "Crypto,2018-05-22 02:36:24,630,DEBUG,0x7f67fae65700,NIL-CONTEXT,Crypto::Result=0,

CryptoLib.CSSL.x509ExceptionCallback - problematic certificate issuer=", which is followed by the Intermediate CA Subject.

All the certificates are enabled to perform server and client authentication. However, I observed that the Root CA had the key usage as "non-repudiation" as one of the attributes.

Could someone share a document or shed some light into the parameters that are required for the root certificates for a successful authentication of the client.

mumustha · ‎06-05-2018

The below document was shared with the customer : https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/212214-Tech-Note-on-CAPF-Certificate-Signed-by.html

hslai · ‎06-16-2018

I found an on-going ISE ESC case on this. Please continue with that case as this appears needing deep debugging to sort it out. Also see Requirements for CA to Interoperate with Cisco ISE in ISE compatibility guide.

mumustha · ‎06-17-2018

thank you for your inputs

vakolkargugg · ‎11-14-2019

I am facing similar issue - Did anyone get this working?