06-02-2017 02:23 PM - edited 03-11-2019 12:45 AM
Hi,
I restored the CFG backup and Int CA Store Export from an ISE 1.4 node to a new ISE 2.1. After the restore of CFG and import of ISE CA Store, my BYOD clients with the old ISE 1.4 endpoint certificate can connect to the new ISE 2.1 without any problems.
However, when I regenerate the ISE Root CA and Refresh/Renew the OCSP Responder CA certificate in the ISE 2.1, I am able to onboard new BYOD clients and connect to the EAP SSID with new ISE 2.1 CA cert without any issues. BUT the BYOD clients with CA certs from the original ISE 1.4 cannot connect. The OCSP check fails and shows the following errors:
12557 User Auth failed because OCSP status is unknown
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12568 Lookup user certificate status in OCSP cache - certificate for ssawo
12569 User certificate status was not found in OCSP cache - certificate for ssawo
12988 Take OCSP servers list from OCSP service configuration - certificate for ssawo
12550 Sent an OCSP request to the primary OCSP server for the CA - Internal OCSP Server
12567 OCSP server response signature verification failed - certificate for ssawo
12552 Conversation with OCSP server ended with failure - certificate for ssawo
12572 OCSP response not cached - certificate for ssawo
12556 OCSP status of user certificate is unknown - certificate for ssawo
12557 User Auth failed because OCSP status is unknown - certificate for ssawo
12811 Extracted TLS Certificate message containing client certificate
12814 Prepared TLS Alert message
12817 TLS handshake failed
12518 EAP-TLS failed SSL/TLS handshake because of a bad certificate in the client certificate chain
12507 EAP-TLS authentication failed
Please can you help to resolve this problem.
Many thanks
Sankung
UNICEF
06-03-2017 11:38 PM
Basically I am following the below Cisco TAC Guide to implement this BYOD migration from ISE 1.4 to 2.1.
According to this guide there are two options:
Option 1: new ISE 2.1 platform use the CA Certs and Signing Keys of the old ISE CA - by Importing ISE Int CA Cert store and keys from the old to new platform
Option 2 (recommended): new ISE 2.1 platform use new Root CA Certs and Keys – by regenerating ISE Root CA and Renew OCSP Responder after restoring data from old ISE platform
My objectives are:
Based on these objectives you can see that Migration option #2 is more appropriate for me and thus I proceeded to do this.
The problem is that ISE 2.1 does not seem to support what the guide says about Option #2 – or maybe I missed something in my configuration. Thus I need help!
Note that Option #1 works fine: ISE 2.1 issues NEW endpoint certs using the old ISE 1.4 CA Cert and Signing Keys and OCSP Responder. I have no problem with this except that I WOULD NOT want to continue using the old ISE 1.4 CA Cert and keys to sign new endpoint certs. The CA signed Cert issued to endpoints bears the signature of the old ISE platform - NOT NICE!
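The failure sequence in the first post (12567 "OCSP server response signature verification failed" leading to 12556 "OCSP status of user certificate is unknown") comes down to which responder certificates a relying party may accept when checking a certificate from a given issuing CA. RFC 6960 section 4.2.2.2 allows three: the issuing CA's own key, a delegated responder certificate issued by that same CA with the OCSP signing extended key usage, or a responder explicitly trusted by local configuration. The script below is an added example, not code from this thread or from Cisco ISE. It models that acceptance rule with a toy PKI in which HMAC stands in for public-key signatures (the HMAC secret doubles as the "public" key id), the CA names and the user "newuser" are constructed, and the explicitly-trusted path is shown only as the RFC's third option; the page does not say whether ISE exposes it. It reproduces the migration outcome: a responder whose certificate chains to the regenerated root is rejected for endpoint certificates issued by the old CA, while clients onboarded under the new CA pass.

```python
"""Toy model of OCSP responder acceptance (RFC 6960 section 4.2.2.2).

Constructed example: HMAC replaces public-key signatures, so a cert's key_id
is the same secret its owner signs with. Only the trust logic is faithful.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

OCSP_SIGNING = "OCSPSigning"   # extended key usage a delegated responder needs


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    eku: frozenset            # extended key usages, e.g. {"clientAuth"}
    key_id: bytes             # subject's key (toy: the HMAC secret)
    signature: bytes          # issuer's signature over the to-be-signed fields


class Key:
    """Toy key pair: the HMAC secret is both private key and key id."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self.secret, data, hashlib.sha256).digest()


def verify(key_id: bytes, data: bytes, signature: bytes) -> bool:
    expected = hmac.new(key_id, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def _tbs(subject, issuer, eku, key_id) -> bytes:
    return b"|".join([subject.encode(), issuer.encode(),
                      ",".join(sorted(eku)).encode(), key_id])


class CA:
    def __init__(self, name: str):
        self.name, self.key = name, Key()
        self.cert = self.issue(name, {"CA"}, self.key)      # self-signed root

    def issue(self, subject: str, eku, subject_key: Key) -> Cert:
        eku = frozenset(eku)
        tbs = _tbs(subject, self.name, eku, subject_key.secret)
        return Cert(subject, self.name, eku, subject_key.secret, self.key.sign(tbs))


def cert_issued_by(cert: Cert, ca_cert: Cert) -> bool:
    """True when ca_cert's key validates cert's signature."""
    tbs = _tbs(cert.subject, cert.issuer, cert.eku, cert.key_id)
    return cert.issuer == ca_cert.subject and verify(ca_cert.key_id, tbs, cert.signature)


@dataclass(frozen=True)
class OcspResponse:
    cert_subject: str
    cert_issuer: str
    status: str               # "good" / "revoked" / "unknown" as asserted by the responder
    signer: Cert              # responder certificate carried in the response
    signature: bytes


def _response_body(subject: str, issuer: str, status: str) -> bytes:
    return b"|".join([subject.encode(), issuer.encode(), status.encode()])


class Responder:
    def __init__(self, cert: Cert, key: Key, statuses: dict):
        self.cert, self.key, self.statuses = cert, key, statuses

    def respond(self, cert: Cert) -> OcspResponse:
        status = self.statuses.get((cert.subject, cert.issuer), "unknown")
        body = _response_body(cert.subject, cert.issuer, status)
        return OcspResponse(cert.subject, cert.issuer, status, self.cert, self.key.sign(body))


def ocsp_status(cert: Cert, issuer_cert: Cert, response: OcspResponse,
                trusted_responders=()) -> str:
    """Status the relying party may act on, or 'unknown' when the response
    cannot be trusted (the 12567 -> 12556 path in the thread's log)."""
    body = _response_body(response.cert_subject, response.cert_issuer, response.status)
    signer = response.signer
    if not verify(signer.key_id, body, response.signature):
        return "unknown"                                  # bad signature
    accepted = (
        signer == issuer_cert                             # (a) the CA itself
        or (OCSP_SIGNING in signer.eku and cert_issued_by(signer, issuer_cert))  # (b) delegated
        or signer in trusted_responders                   # (c) locally trusted
    )
    return response.status if accepted else "unknown"


def migration_scenario() -> dict:
    old_ca, new_ca = CA("ISE-1.4 Root CA"), CA("ISE-2.1 Root CA")   # constructed names
    old_client = old_ca.issue("ssawo", {"clientAuth"}, Key())
    new_client = new_ca.issue("newuser", {"clientAuth"}, Key())
    # Responder certificate before the root was regenerated: issued by the old root.
    k_old = Key()
    old_resp = Responder(old_ca.issue("OCSP Responder", {OCSP_SIGNING}, k_old), k_old,
                         {("ssawo", old_ca.name): "good"})
    # Same service after "regenerate root CA + renew OCSP responder": now chains to the new root.
    k_new = Key()
    new_resp = Responder(new_ca.issue("OCSP Responder", {OCSP_SIGNING}, k_new), k_new,
                         {("ssawo", old_ca.name): "good", ("newuser", new_ca.name): "good"})
    return {
        "old client, old responder": ocsp_status(old_client, old_ca.cert, old_resp.respond(old_client)),
        "old client, new responder": ocsp_status(old_client, old_ca.cert, new_resp.respond(old_client)),
        "new client, new responder": ocsp_status(new_client, new_ca.cert, new_resp.respond(new_client)),
        "old client, new responder, explicitly trusted": ocsp_status(
            old_client, old_ca.cert, new_resp.respond(old_client), trusted_responders=(new_resp.cert,)),
    }


if __name__ == "__main__":
    for case, status in migration_scenario().items():
        print(f"{case}: {status}")
```

The second case is the one in the log: the renewed responder still knows the old-CA certificate is good and signs a valid response, but its signing certificate was issued by the new root, so a verifier checking against the old issuing CA has no RFC 6960 path to accept it and the status falls back to unknown. Whether the old responder certificate is kept, the old CA is made to re-sign a responder certificate, or the responder is trusted by explicit configuration, the acceptance check has to be satisfied per issuing CA for as long as certificates from that CA remain in use.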