Cisco ISE 2.1 BYOD - OCSP Responder Unknown Error

sawosankung
Level 1

Hi,
I restored the CFG backup and Int CA Store Export from an ISE 1.4 node to a new ISE 2.1. After the restore of CFG and import of ISE CA Store, my BYOD clients with the old ISE 1.4 endpoint certificate can connect to the new ISE 2.1 without any problems.

However, when I regenerate the ISE Root CA and Refresh/Renew the OCSP Responder CA certificate in the ISE 2.1, I am able to onboard new BYOD clients and connect to the EAP SSID with new ISE 2.1 CA cert without any issues. BUT the BYOD clients with CA certs from the original ISE 1.4 cannot connect. The OCSP check fails and shows the following errors:
12557 User Auth failed because OCSP status is unknown

  12504  Extracted EAP-Response containing EAP-TLS challenge-response
  12568  Lookup user certificate status in OCSP cache - certificate for ssawo
  12569  User certificate status was not found in OCSP cache - certificate for ssawo
  12988  Take OCSP servers list from OCSP service configuration - certificate for ssawo
  12550  Sent an OCSP request to the primary OCSP server for the CA - Internal OCSP Server
  12567  OCSP server response signature verification failed - certificate for ssawo
  12552  Conversation with OCSP server ended with failure - certificate for ssawo
  12572  OCSP response not cached - certificate for ssawo
  12556  OCSP status of user certificate is unknown - certificate for ssawo
  12557  User Auth failed because OCSP status is unknown - certificate for ssawo
  12811  Extracted TLS Certificate message containing client certificate
  12814  Prepared TLS Alert message
  12817  TLS handshake failed
  12518  EAP-TLS failed SSL/TLS handshake because of a bad certificate in the client certificate chain
  12507  EAP-TLS authentication failed

Can you please help me resolve this problem?

Many thanks
Sankung
UNICEF

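Added example, not from the original post or from Cisco: an offline openssl reproduction of the failing step 12567. It builds two constructed roots standing in for the ISE 1.4 and ISE 2.1 CAs, an endpoint certificate issued by the old root, and an OCSP responder certificate under each root, then shows that a response signed by the responder under the new root fails signature verification for a relying party that trusts only the old root, unless that responder certificate is explicitly trusted. The helper names (mkca, issue, check), CA names, subjects and serials are all made up.

```shell
#!/bin/sh
# Offline reproduction of ISE step 12567 "OCSP server response signature verification failed":
# the endpoint cert chains to the OLD root, but the renewed responder cert chains to the NEW
# root, so a verifier that only trusts the old root cannot validate the response signature.
# Constructed demo: CA names, subjects and serials are made up; requires the openssl CLI.
set -e
W=$(mktemp -d)
cd "$W"
printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext     # delegated responder (RFC 6960 4.2.2.2)
printf 'extendedKeyUsage=clientAuth\n'  > client.ext   # typical EAP-TLS endpoint cert

# self-signed root: $1=file stem, $2=CN
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
# leaf signed by a root: $1=stem, $2=CN, $3=root stem, $4=decimal serial, $5=extension file
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
    -set_serial "$4" -extfile "$5" -out "$1.crt" 2>/dev/null
}
mkca oldca "ISE 1.4 Root CA"
mkca newca "ISE 2.1 Root CA"
issue client  "byod-endpoint"  oldca 4097 client.ext   # serial 0x1001, issued by the OLD root
issue oldresp "OCSP Responder" oldca 4098 ocsp.ext     # responder before the root regeneration
issue newresp "OCSP Responder" newca 4099 ocsp.ext     # responder after "Renew OCSP Responder"

# one-line OpenSSL CA index marking the endpoint cert valid; serial must equal 0x1001 in hex
printf 'V\t330101000000Z\t\t1001\tunknown\t/CN=byod-endpoint\n' > index.txt
openssl ocsp -issuer oldca.crt -cert client.crt -no_nonce -reqout req.der >/dev/null 2>&1

# Answer the request with responder $1, then verify the response as a relying party that
# trusts only the old root. $2 holds extra verification options. Prints the verify verdict.
check() {
  openssl ocsp -index index.txt -CA oldca.crt -rsigner "$1.crt" -rkey "$1.key" \
    -reqin req.der -respout "$1.der" -noverify >/dev/null 2>&1
  openssl ocsp -respin "$1.der" -issuer oldca.crt -cert client.crt -CAfile oldca.crt $2 2>&1 \
    | grep -E '^Response [Vv]erify' || echo "no verdict"
}
check oldresp                        # Response verify OK
check newresp                        # Response Verify Failure  (the 12567 condition)
check newresp "-VAfile newresp.crt"  # Response verify OK: new responder explicitly trusted
```

The third call shows the rule that matters for the migration: the verifier accepts a responder that does not chain to the endpoint's issuing CA only when that responder certificate is trusted explicitly.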

sawosankung
Level 1

Basically I am following the Cisco TAC guide below to implement this BYOD migration from ISE 1.4 to 2.1.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_01011.html

According to this guide there are two options:

Option 1: the new ISE 2.1 platform uses the CA Certs and Signing Keys of the old ISE CA - by importing the ISE Int CA Cert store and keys from the old to the new platform

Option 2 (recommended): the new ISE 2.1 platform uses new Root CA Certs and Keys - by regenerating the ISE Root CA and renewing the OCSP Responder after restoring data from the old ISE platform

My objectives are:

  1. Deploy BYOD on the new ISE 2.1 PAN cluster
  2. Migrate the ISE CA Store and Endpoint certificates from the current ISE 1.4 to the new 2.1 platform
  3. The new ISE 2.1 CA issues endpoint certificates to new BYOD clients based on the new ISE 2.1 Root CA Cert and keys
  4. The new ISE 2.1 CA authenticates clients with endpoint certs from the old ISE 1.4 CA
  5. Decommission the old ISE 1.4 platform completely

Based on these objectives you can see that Migration option #2 is more appropriate for me and thus I proceeded to do this.


The problem is that ISE 2.1 does not seem to support what the guide says about Option #2 – or maybe I missed something in my configuration. Thus I need help!


Note that Option #1 works fine: ISE 2.1 issues NEW endpoint certs using the old ISE 1.4 CA Cert, Signing Keys and OCSP Responder. I have no problem with this except that I WOULD NOT want to continue using the old ISE 1.4 CA Cert and keys to sign new endpoint certs. The CA-signed cert issued to endpoints bears the signature of the old ISE platform - NOT NICE!