11-06-2017 11:56 PM
Hi Team,
Facing an issue while importing a certificate in the ISE 2.3 PoV. The onsite partner has clarified that the CSR file was created and signed by the CA (DigiCert is used for signing the request) as per the documented process, but at the time of importing it throws the error "Certificate/Private Key validation failed". The error is as attached here.
Kindly suggest any specific conditions to be checked on the same.
11-07-2017 01:13 AM
I think this is because the root CA is missing from the trusted store. This will help you: How To: Implement ISE Server-Side Certificates
11-10-2017 01:27 AM
Hi,
Thanks for the response.
We have managed to solve the issue with a wildcard certificate signed from a CSR generated by ISE. We also understand that the customer currently has a wildcard certificate in their internal CA, hence we need the wildcard certificate for the ISE portals and functionalities, which is not working since the Windows clients reject a certificate with * in the CN name. In this case, if we uncheck Validate Server Certificate, the redirection is still not working.
Kindly clarify if we can use a self-signed certificate to achieve the ISE AAA, BYOD and posture capabilities.
11-10-2017 01:33 AM
Hi again, yes, you can use a self-signed certificate for different portals. Just go to Certificate Authority > System Certificates, choose the self-signed certificate and edit it to use for portals.
11-10-2017 04:29 AM
Self-signed certs in testing will fail for some clients! For example, Apple iOS BYOD onboarding in the latest builds has been secured by Apple and will present an awful onboarding experience for the user, as they will have to manually trust the certificate after going through the BYOD flow and then have to go through it again.
Guest redirects may fail in the latest browsers, as vendors are cracking down on bad certificates and best practice.
Do not deploy self-signed certs in production.
Please see the admin guide recommendation of using a well-known certificate with a wildcard in the SAN for a good solution:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0110.html?bookSearch=true#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2
11-13-2017 10:32 PM
Hi Jason,
Thanks for the clarification and suggestion.
We will work on the same and let you know in case of any further queries.
Best Regards,
Yogesh Madhekar
11-15-2017 12:40 AM
There is a document for guest wired access and what kind of ACL you use:
Central Web Authentication with a Switch and Identity Services Engine Configuration Example - Cisco
Also, you can check Cisco Identity Services Engine Network Component Compatibility, Release 2.3 - Cisco
11-15-2017 08:29 PM
We are using a self-signed certificate, but the issue is that the redirection is not working; we are getting the error screenshot as mentioned above, with the error as stated here:
After diagnosing the issue, it has been found that the RADIUS authentication is failing on the Cisco Attribute Value pair (Cisco AVPair) "coa-skip-logical-profile=".
Has anyone got any idea about this error?
11-16-2017 04:02 AM
Call TAC to debug switching issues.
11-16-2017 11:08 AM
Known bugs:
CSCvg70582 (ISE bug)
CSCsx97093 (Switch bug)
02-18-2020 10:31 AM
I had the same problem today, 2/17/2020.
The problem is the format of the certificates.
The certificate must be in .PEM or .DER format.
The private key must be in .KEY format.
Obeying these requirements, and using the correct password, the procedure works.
Here I imported DigiCert's root, but I don't know if this step is really necessary; in any case, it doesn't hurt.
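A pre-import check for the two things this thread turns on (the encoding of the certificate file and whether the private key actually belongs to the certificate), added here as an example and not taken from the thread or from Cisco. It assumes only the openssl CLI; the key and certificate it creates are constructed sample material, not real ISE or DigiCert files.

```shell
#!/bin/sh
# Added example: verify a certificate/key pair the way ISE's import check does,
# before uploading. Assumes `openssl` is on PATH. All files are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample material: a key, a matching self-signed cert (PEM and DER),
# an encrypted copy of the key, and an unrelated key for the mismatch case.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ise.key" 2>/dev/null
openssl req -new -x509 -key "$WORK/ise.key" -subj "/CN=ise.example.test" -days 1 -out "$WORK/ise.pem" 2>/dev/null
openssl x509 -in "$WORK/ise.pem" -outform DER -out "$WORK/ise.der"
openssl pkey -in "$WORK/ise.key" -aes256 -passout pass:secret -out "$WORK/enc.key"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null

# Report whether a certificate file is PEM or DER (ISE accepts both); UNKNOWN otherwise.
cert_format() {
  if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then echo PEM
  elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then echo DER
  else echo UNKNOWN; fi
}

# cert_key_match CERT KEY [PASSPHRASE]
# Compares the public key embedded in the certificate with the public key derived
# from the private key. Exit 0 = they belong together, 1 = mismatch (the condition
# behind "Certificate/Private Key validation failed"), 2 = a file could not be read
# (wrong format, or wrong/missing passphrase for an encrypted key).
cert_key_match() {
  cert=$1; key=$2; pass=${3:-}
  fmt=$(cert_format "$cert")
  if [ "$fmt" = UNKNOWN ]; then return 2; fi
  cpub=$(openssl x509 -in "$cert" -inform "$fmt" -noout -pubkey 2>/dev/null) || return 2
  if [ -n "$pass" ]; then
    kpub=$(openssl pkey -in "$key" -pubout -passin "pass:$pass" 2>/dev/null) || return 2
  else
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  fi
  [ "$cpub" = "$kpub" ]
}
```

Run `cert_key_match /path/to/cert.pem /path/to/private.key [passphrase]` against the files you intend to upload; a non-zero exit means ISE will reject the pair too.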