Android rejecting ISE's publicly-signed certificate?

zmainedsnz · ‎05-06-2013

We have recently deployed a VeriSign certificate on ISE for both HTTPS and EAP, it uses a corporate CA to generate and push out user certs. It seems to work on all devices but Android.

The Android device successfully completes onboarding process, but when it tries to connect using EAP-TLS, it fails and the following error shows on the ISE:

"Authentication failed: 12520 EAP-TLS filed SSL/TLS handshake because the client rejectd the ISE local-certificate"

It has been verified that VeriSign's root certificate has been pushed out and installed on the Android devices. I can't understand why would the client not trust validate the VeriSign certificate.

Has anyone seen this before? Does the client need a corporate root certificate chain to trust the user certificate it has been privisoned with? Could that be the problem?

The ISE is running v1.1.3 patch 1

minkumar · ‎05-06-2013

Hi

The error message means:

This is an indication that the client does not have or does not trust the Cisco ISE certificates.

        
 For both the client/server certs, If  there are multiple levels  in the cert chain (Intermediate certs) and if so, you need to make sure that intermediate 
certs been installed in ISE and in the client machine as well.


 - Could you provide me the model and make of the supplicant, you  have been facing issue with? Is it Android  4.1.x. Also is it happening with justone client or with all of the clients?



I would strongly suggest you to install all the chain certs in both ISE and CLIENT ,test it and let me know if it helped.




Regards
Minakshi (Do rate the helpful posts  )

zmainedsnz · ‎05-06-2013

Thanks. Do we know which side has the issue?

As we migrated from a full internal CA configuration and the ISE has all the trusted root certs of internal CAs. I am drawing the conclusion that it is the client side rejecting the ISE cert. But it has been verified the VeriSign Cert did get pushed out and I thought even nothing got pushed out, VeriSign cert would still work due to its wide support?

In addition, the fact that it works on iOS makes me think it is an Android specific issue. Will get back to do more checks along the chain. Is there a way to push out the internal trust chain together with the VeriSign trust chain?

Thanks for your help.

Jatin Katyal · ‎05-06-2013

Error states the client couldn't trust the policy service node certificate. Since it's working for other supplicant's and just not with android, we need to look down first at supplicant side.

As per the error, we need to ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. You wrote:

It has been verified that VeriSign's root certificate has been pushed out and installed on the Android devices.

Let's set the runtime-aaa and runtime-config logs at debug level under administration || logging || debug log configuration --- Save it.

Reproduce the issue from the android supplicant.

Operation || troubleshoot || download logs || tick only

Include debug logs

Include monitoring and reporting logs

Include most recent file = 1

Add the encryption key

Generate the bundle.

Jatin Katyal

- Do rate helpful posts -

~Jatin

minkumar · ‎05-07-2013

Hi

Did you install the whole chain on the client as well? Coz the issue looks like to be on the client side, also, if you could give me the android version as well which is causing issue?

Do test the authentication after installing the chain certificates on the client and see if that resolves the issue.

Regards

Minakshi (Do rate the helpful posts )

mojuneja · ‎05-08-2013

Please check the android OS version you are using, and refer following. Afterwards take the action accordingly.

manjeets · ‎05-20-2013

Agree with Mohit,

Kindly review the attached.