05-06-2013 05:33 PM - edited 03-10-2019 08:24 PM
We have recently deployed a VeriSign certificate on ISE for both HTTPS and EAP, it uses a corporate CA to generate and push out user certs. It seems to work on all devices but Android.
The Android device successfully completes onboarding process, but when it tries to connect using EAP-TLS, it fails and the following error shows on the ISE:
"Authentication failed: 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate"
It has been verified that VeriSign's root certificate has been pushed out and installed on the Android devices. I can't understand why the client would not trust or validate the VeriSign certificate.
Has anyone seen this before? Does the client need a corporate root certificate chain to trust the user certificate it has been provisioned with? Could that be the problem?
The ISE is running v1.1.3 patch 1
05-06-2013 05:57 PM
Hi
The error message means:
This is an indication that the client does not have or does not trust the Cisco ISE certificates.
For both the client and server certs, if there are multiple levels in the cert chain (intermediate certs), you need to make sure that the intermediate certs have been installed in ISE and on the client machine as well.
- Could you provide me the model and make of the supplicant you have been facing the issue with? Is it Android 4.1.x? Also, is it happening with just one client or with all of the clients? I would strongly suggest you install all the chain certs in both ISE and the client, test it and let me know if it helped.
Regards
Minakshi (Do rate the helpful posts)
05-06-2013 06:21 PM
Thanks. Do we know which side has the issue?
As we migrated from a full internal CA configuration, the ISE has all the trusted root certs of the internal CAs. I am drawing the conclusion that it is the client side rejecting the ISE cert. But it has been verified that the VeriSign cert did get pushed out, and I thought that even if nothing got pushed out, the VeriSign cert would still work due to its wide support?
In addition, the fact that it works on iOS makes me think it is an Android specific issue. Will get back to do more checks along the chain. Is there a way to push out the internal trust chain together with the VeriSign trust chain?
Thanks for your help.
05-06-2013 06:28 PM
The error states the client couldn't trust the policy service node certificate. Since it's working for other supplicants and just not with Android, we need to look first at the supplicant side.
As per the error, we need to ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. You wrote:
It has been verified that VeriSign's root certificate has been pushed out and installed on the Android devices.
Let's set the runtime-aaa and runtime-config logs at debug level under administration || logging || debug log configuration --- Save it.
Reproduce the issue from the android supplicant.
Operation || troubleshoot || download logs || tick only
Include debug logs
Include monitoring and reporting logs
Include most recent file = 1
Add the encryption key
Generate the bundle.
Jatin Katyal
- Do rate helpful posts -
05-07-2013 01:10 PM
Hi
Did you install the whole chain on the client as well? Because the issue looks like it is on the client side. Also, could you give me the Android version that is causing the issue?
Do test the authentication after installing the chain certificates on the client and see if that resolves the issue.
Regards
Minakshi (Do rate the helpful posts)
05-08-2013 04:50 AM
Please check the Android OS version you are using, and refer to the following. Afterwards, take action accordingly.
05-20-2013 04:38 AM