02-14-2020 06:10 AM
Hello all,
We have changed the EAP certificate to a wildcard certificate.
Since then, the Windows supplicant gives the error below:
"EAP Root cause String: The authentication failed because the certificate on the server
computer does not have a server name specified"
The CN of the EAP certificate has the following value:
CN=*.companyname.com
and the SAN has the following value:
DNS Name=*.companyname.gr
On ISE, when a client tries to connect, we get the following log:
Event | 5400 Authentication failed |
Failure Reason | 12511 Unexpectedly received TLS alert message; treating as a rejection by the client |
Resolution | Ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client! |
Root cause | While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment. |
Does anyone know if it is possible to bypass this error and connect to the network?
Thank you,
Palaiologos
02-16-2020 04:44 PM
It's a well documented fact that a wildcard in the Subject Common Name will break EAP authentication with Windows supplicants.
The preferred method is to use a Subject Common Name that does not contain a wildcard. The SAN should contain the list of FQDNs of all the EAP servers.
I believe there is one way to circumvent this Windows limitation: a wildcard in the Subject CN works if and only if the SAN contains the FQDNs of the affected ISE nodes (and no wildcards in the SAN).
The notes above pertain only to EAP. For the web portal and Admin there are issues with wildcards in the Subject CN, although a wildcard in the Subject CN is deprecated. Modern browsers will look in the SAN if one is present and ignore what's in the Subject CN.
02-14-2020 06:17 AM
When you use wildcard certificates, the Subject CN should be one of the ISE nodes' FQDNs, and the wildcard goes in a SAN field. That is what you will need to do to resolve this issue. If you try to bypass the error and connect anyway, you are reducing the level of security and opening your clients up to potential man-in-the-middle attacks.
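Added example (not from the thread, not Cisco or ISE code): a small Python check that classifies an EAP server certificate's Subject CN / SAN layout according to the rules given in the two answers above (wildcard CN with no plain FQDN in the SAN fails on Windows supplicants; wildcard CN with the node FQDNs in the SAN is the stated workaround; CN = node FQDN with the wildcard in the SAN is the preferred layout), plus a helper that renders the OpenSSL `req` config for that preferred layout. The node names `ise01.companyname.com` / `ise02.companyname.com` and the `CertNames` inputs are constructed for the example; only `*.companyname.com` and `*.companyname.gr` come from the original post.

```python
"""Classify an EAP server certificate's name layout for Windows supplicants.

Rules encoded here are taken from the thread's answers, not from any vendor API:
  * wildcard in Subject CN and no plain node FQDN in SAN   -> "fail"
    (Windows: "certificate on the server computer does not have a server name specified")
  * wildcard in Subject CN, SAN lists node FQDNs, no SAN wildcard -> "workaround"
  * Subject CN is a node FQDN, wildcard (if any) lives in SAN     -> "preferred"
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """Names taken from an X.509 certificate (constructed input for this example)."""
    cn: str                                   # Subject Common Name
    san_dns: List[str] = field(default_factory=list)  # dNSName entries of subjectAltName


def is_wildcard(name: str) -> bool:
    return name.startswith("*.")


def assess_eap_cert(cert: CertNames, node_fqdn: str) -> Tuple[str, str]:
    """Return (verdict, explanation) for using `cert` for EAP on the ISE node `node_fqdn`."""
    san_lower = [n.lower() for n in cert.san_dns]
    san_has_wildcard = any(is_wildcard(n) for n in san_lower)
    san_has_node = node_fqdn.lower() in san_lower
    cn_is_node = cert.cn.lower() == node_fqdn.lower()

    if is_wildcard(cert.cn):
        # Windows tolerates a wildcard CN only when the SAN names the node explicitly
        # and carries no wildcard of its own (per the accepted answer above).
        if san_has_node and not san_has_wildcard:
            return "workaround", "wildcard CN, but SAN lists the node FQDN with no SAN wildcard"
        return "fail", ("wildcard CN without a plain node FQDN in SAN: Windows supplicant "
                        "reports 'does not have a server name specified'")

    if cn_is_node or san_has_node:
        return "preferred", "Subject CN is a node FQDN; any wildcard sits in the SAN"
    return "fail", f"neither Subject CN nor SAN names {node_fqdn}"


def build_csr_config(node_fqdns: List[str], wildcard_domain: Optional[str] = None,
                     org: str = "Example Org") -> str:
    """Render an OpenSSL `req` config for the preferred layout:
    first node FQDN in CN, every node FQDN (plus an optional wildcard) in subjectAltName.
    Use with:  openssl req -new -config eap.cnf -newkey rsa:2048 -nodes -keyout eap.key -out eap.csr
    """
    sans = list(node_fqdns)
    if wildcard_domain:
        sans.append(f"*.{wildcard_domain}")
    alt = ", ".join(f"DNS:{n}" for n in sans)
    return "\n".join([
        "[req]",
        "distinguished_name = dn",
        "req_extensions = v3_req",
        "prompt = no",
        "",
        "[dn]",
        f"CN = {node_fqdns[0]}",
        f"O = {org}",
        "",
        "[v3_req]",
        "extendedKeyUsage = serverAuth",
        f"subjectAltName = {alt}",
        "",
    ])


if __name__ == "__main__":
    node = "ise01.companyname.com"  # constructed node name
    # The layout from the original post: wildcard CN, wildcard-only SAN.
    posted = CertNames(cn="*.companyname.com", san_dns=["*.companyname.gr"])
    print("posted cert :", assess_eap_cert(posted, node))
    # The layout both answers recommend.
    fixed = CertNames(cn=node, san_dns=[node, "ise02.companyname.com", "*.companyname.com"])
    print("fixed cert  :", assess_eap_cert(fixed, node))
    print(build_csr_config([node, "ise02.companyname.com"], "companyname.com"))
```

The check is deliberately case-insensitive on DNS names and treats a SAN entry for the node as sufficient even when the CN is something else, since modern verifiers consult the SAN first; the "workaround" verdict is only reported when the SAN carries no wildcard at all, matching the condition stated in the accepted answer.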