2836 Views, 35 Helpful, 23 Replies

Behavior of different user ISE certificates

athan1234
Level 3

Hello

Someone please explain the issue with Eap-Tls.

23 Replies


@Arne Bier wrote:

The ISE Error detail gives a hint about the client perhaps not trusting the ISE EAP certificate. The clients MUST have all the CA certificates that were used in signing the ISE EAP System certificate installed.

Have you checked that all of the PSNs have the correct and expected EAP System certificate (signed by the PKI CA that the clients can trust)? Each PSN can have its own EAP System cert ... if you have many PSNs then it's easy to not notice that at first glance.

I am checking again. It is incredible: I am seeing the same node with a different name. How is it possible? What is the purpose of having it this way? Oh my goodness.

I created a CSR with the name of the ISE node; I believe it was the problem.

It is incredible, so I'm checking everything again. I notice the same node with a different name; what is the purpose of it? I cannot understand it. Oh, goodness.

I am seeing a certificate with this name in this state, without any option checked?

In this certificate I see the options unchecked. Do you think that if I check the Admin and EAP Authentication options it will work?

 

I believed the issue was the ISE node, thus I established a CSR with that name, ABTLPC02. I am doing a DNS lookup and the result for this ISE node is a different IP.
Milos_Jovanovic
VIP Alumni

I'm lost now. How many ISE servers are you using, and in what kind of deployment? Based on your DNS lookup, you have 2 of them - ABTLPC01 and ABTLPC02. Based on the screenshot provided above, you are using a single-node deployment of ABTLPC02. Also, on a screenshot above, you are presenting a cert screenshot of ABTLPC01, which is not part of the deployment?

Please clarify this, to start with. You should also check what is configured on your WLC, just to be clear which ISE node(s) is in use.

Kind regards,

Milos

Hi @Milos Jovanovic
Like you, I am lost.
I think the issue is related to DNS reverse.


I can see only one ISE node exists: IP 10.76.33.102 for ABTLPC02.

However, if I perform an nslookup on this ISE hostname, XXXXX, its IP address is 10.x.x.x, but it is not HTTP-reachable, suggesting that this IP is not an ISE node.

As a result, if you see this certificate: the ISE is resolved by all of the subject alternative names (SAN). When I put each SAN in the browser, abtlpc01.abanteasesores.es or bienvenido.avanteasesores.com, I get into the ISE node with hostname ABTLPC02.

Because of these factors, the ISE node at 10.x.x.x.102 has hostname xxxxxx.

 

WLC

wlc.png

 

I can see two IP addresses, however the IP 10.76.33.103 cannot be accessed via HTTP.

 

If this is the case, let's go in reverse:

  • Based on WLC configuration, ISE in use has IP 10.76.33.102 (a more relevant screenshot would be from WLAN configuration, AAA section, but based on offered IPs and previous screenshots, this would be the best match)
  • Behind IP address 10.76.33.102 is ISE with hostname ABTLPC02
  • You need to fix DNS records, both forward and reverse, so they represent the real hostname and IP address
  • Given that your hostname is ABTLPC02, and based on your screenshots, your certificate is not OK, as it is issued to ABTLPC01, so the cert warning is actually expected
  • You could do one of the following:
    • Get a certificate for ABTLPC02, and apply it for the relevant roles (Admin, EAP-TLS)
    • Reimage ISE, name it ABTLPC01, fix DNS records accordingly, and re-apply the existing certificate
    • Play around with the authorization policy and, instead of returning the default ISE hostname, return the static FQDN of ABTLPC01

Given that your cert is issued by an internal PKI, the easiest one is to issue a certificate for ABTLPC02 with the relevant SANs.

Kind regards,

Milos
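The checklist above (forward record, reverse record, certificate issued to the node's real name) can be run as a script. The following is an added example, not code from this thread, from Cisco or from ISE. The hostnames and addresses are the ones mentioned in the thread; the DNS tables and the openssl-style certificate text are constructed to reproduce the mismatch being discussed (node ABTLPC02, certificate for ABTLPC01). The `live_dns()` helper shows how the same check is fed from the real resolver; certificate names would come from `openssl x509 -noout -subject -ext subjectAltName` on the exported EAP/Admin certificate.

```python
"""Check that an ISE node's DNS records and its certificate agree on the
node's identity: forward (A) record, reverse (PTR) record, and a certificate
whose CN/SAN covers the hostname the node actually has.

Added example, not code from the thread, Cisco or ISE. Host names and
addresses are taken from the thread; the openssl-style certificate text and
the DNS tables are constructed to reproduce the mismatch being discussed.
"""
import re
import socket
from typing import Dict, Iterable, List, Optional

# Constructed DNS tables modelling the thread: the live node is ABTLPC02 at
# 10.76.33.102, while ABTLPC01 resolves to an address with no ISE behind it.
FORWARD_DNS: Dict[str, str] = {
    "abtlpc01.abanteasesores.es": "10.76.33.103",
    "abtlpc02.abanteasesores.es": "10.76.33.102",
}
REVERSE_DNS: Dict[str, str] = {
    "10.76.33.102": "abtlpc02.abanteasesores.es",
}

# Constructed text in the shape printed by
# `openssl x509 -in cert.pem -noout -subject -ext subjectAltName`.
CERT_TEXT = """\
subject=CN = abtlpc01.abanteasesores.es
X509v3 Subject Alternative Name:
    DNS:abtlpc01.abanteasesores.es, DNS:bienvenido.avanteasesores.com
"""


def cert_names(openssl_text: str) -> List[str]:
    """Collect the subject CN and every DNS SAN from openssl x509 text output,
    lower-cased and de-duplicated (DNS names compare case-insensitively)."""
    names: List[str] = []
    cn = re.search(r"\bCN\s*=\s*([^,/\n]+)", openssl_text)
    if cn:
        names.append(cn.group(1).strip())
    names.extend(re.findall(r"\bDNS:([^,\s]+)", openssl_text))
    out: List[str] = []
    for name in (n.lower().rstrip(".") for n in names):
        if name not in out:
            out.append(name)
    return out


def name_matches(pattern: str, host: str) -> bool:
    """Certificate-name matching in the RFC 6125 style: exact match, or a
    wildcard that stands for exactly one label in the left-most position."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def check_node(fqdn: str, forward: Dict[str, str], reverse: Dict[str, str],
               names: Iterable[str]) -> List[str]:
    """Return findings for one node; an empty list means A, PTR and the
    certificate all agree on the identity the node presents."""
    findings: List[str] = []
    fqdn = fqdn.lower().rstrip(".")
    ip: Optional[str] = forward.get(fqdn)
    if ip is None:
        findings.append(f"no forward (A) record for {fqdn}")
    else:
        ptr = reverse.get(ip)
        if ptr is None:
            findings.append(f"no reverse (PTR) record for {ip}")
        elif ptr.lower().rstrip(".") != fqdn:
            findings.append(f"PTR for {ip} is {ptr}, not {fqdn}")
    names = list(names)
    if not any(name_matches(n, fqdn) for n in names):
        findings.append(f"certificate names {names} do not cover {fqdn}")
    return findings


def live_dns(fqdn: str) -> Dict[str, Dict[str, str]]:
    """Build one-entry forward/reverse tables from the resolver actually in
    use, so check_node() can be run against a real node (not used offline)."""
    ip = socket.gethostbyname(fqdn)
    try:
        reverse = {ip: socket.gethostbyaddr(ip)[0]}
    except socket.herror:
        reverse = {}
    return {"forward": {fqdn.lower(): ip}, "reverse": reverse}


if __name__ == "__main__":
    node = "abtlpc02.abanteasesores.es"
    for finding in check_node(node, FORWARD_DNS, REVERSE_DNS, cert_names(CERT_TEXT)):
        print("FINDING:", finding)
```

Run as-is, the script reports that the certificate names do not cover abtlpc02.abanteasesores.es, which is exactly the situation in the thread; once a certificate issued to ABTLPC02 (or covering it through a SAN) is installed and the A/PTR records agree, the findings list is empty.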

Hello, @Milos Jovanovic.
Thank you for your response. Keep in mind that when I first encountered this client, I had no prior knowledge of it. When I discovered that the hostname was ABTLPC02, I searched for certificates related to it but couldn't find any, so I created a new certificate with that hostname. It was only after I discovered that the user couldn't connect that I opened this post.

 

 

What is the best practice in this situation: to modify the hostname to ABTLPC01, add the current certificate, and check that the EAP and Admin options are functional?

Or, if I used my certificate, I would need to get in touch with the AD guys and ask them to perform a reverse DNS lookup.

What is the ideal method?

 

Milos_Jovanovic
VIP Alumni

For changing the hostname, you need to do a reimage of the ISE node.

For checking the Admin role (and which certificate is in use), you need to do HTTPS to the ISE web interface. For EAP-TLS, you need to run dot1x and verify it.

Kind regards,

Milos

My customer fixed it. The DNS resolution is now correct, yet the issue still exists. Errror.png

 

Have you also assigned the proper cert for the EAP-TLS ISE role?

Kind regards,

Milos

athan1234
Level 3

Hello @Milos_Jovanovic , I appreciate your response.
I resolved the DNS issue and discovered the issue.
Yesterday I changed a PC, and it now functions.
I'll start up the path on Monday.
I'm hoping the issue got solved.


The issue:

https://learn.microsoft.com/en-us/answers/questions/467673/windows-10-tpm-20-client-authentication-in-tls-12.html ISE.png