cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

33743
Views
25
Helpful
9
Replies
Highlighted
Beginner

Cisco ISE authentication failed because client reject certificate

Hi Experts,

I am a newbie in ISE and having problem in my first step in authentication. Please help.

I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :

Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.

Regards,

Ratna

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Advocate

Cisco ISE authentication failed because client reject certificat

Hi,

The error you are seeing in ISE is pointing to your client, if you have the eap settings set to "validate server certificate" then you must manually set it to trust the rootCA that signed the ISE certificate, or you can disable this option for testing. You can try to remove this wireless network profile, and recreate it and see if the pop up appears which asks you to validate the server's identity.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*

View solution in original post

9 REPLIES 9
Highlighted
Advocate

Cisco ISE authentication failed because client reject certificat

Hi,

The error you are seeing in ISE is pointing to your client, if you have the eap settings set to "validate server certificate" then you must manually set it to trust the rootCA that signed the ISE certificate, or you can disable this option for testing. You can try to remove this wireless network profile, and recreate it and see if the pop up appears which asks you to validate the server's identity.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*

View solution in original post

Highlighted
Beginner

Cisco ISE authentication failed because client reject certificat

It works! Thanks a lot Tarik

Highlighted
Beginner

Re: Cisco ISE authentication failed because client reject certif

Hello!

We have the same problen in out BYOD deployment.

Is there any way to tell client to accept the root certificate without manual configuration of the wifi-profile?

The concept of BYOD suppose that you bring of your device without any preconfigured wifi-profiles and installed certificates.

Highlighted
Beginner

Cisco ISE authentication failed because client reject certificat

This issue occurs with authentication protocols that require  certificate validation.

Possible Authentications report failure reasons:

1.Authentication failed: 11514 Unexpectedly received empty TLS message;

treating as a rejection by the client”

2.Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because

the client rejected the Cisco ISE local-certificate”

The supplicant or client machine is not accepting the certificate from  Cisco ISE. The client machine is configured to validate the server  certificate, but is not. Need to configured to trust between the Cisco  ISE certificate.

The client machine must accept the Cisco ISE certificate to enable  authentication.

As per your confirmation, I am going to close the case for this specific  inquiry. We strive to provide you with excellent service. Please feel  free to reach out to me or any member of the SAC team if we can be of  any further assistance or if you have any other related questions in the  future. We value your input and look forward to serving you moving  forward.

Highlighted
Beginner

Re: Cisco ISE authentication failed because client reject certificat

hey may i ask how you do that.  I am digging into ISE and trying to do some deployments for my company. 

Highlighted
Enthusiast

Possible Causes for this

Possible Causes for this issue

The supplicant or client machine is not accepting the certificate from Cisco ISE.

The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.

Highlighted
Cisco Employee

Certificate-Based User

Certificate-Based User Authentication via Supplicant Failing
Symptoms or
Issue
User authentication is failing on the client machine, and the user is receiving a
“RADIUS Access-Reject” form of message.
Conditions (This issue occurs with authentication protocols that require certificate validation.)
Possible Authentications report failure reasons:
• “Authentication failed: 11514 Unexpectedly received empty TLS message;
treating as a rejection by the client”
• “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
the client rejected the Cisco ISE local-certificate”
Click the magnifying glass icon from Authentications to display the following output
in the Authentication Report:
• 12305 Prepared EAP-Request with another PEAP challenge
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is reusing an existing session
• 12304 Extracted EAP-Response containing PEAP challenge-response
• 11514 Unexpectedly received empty TLS message; treating as a rejection by the
client
• 12512 Treat the unexpected TLS acknowledge message as a rejection from the
client
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is re-using an existing session
• 12104 Extracted EAP-Response containing EAP-FAST challenge-response
• 12815 Extracted TLS Alert message
• 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
Cisco ISE local-certificate
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
Note This is an indication that the client does not have or does not trust the Cisco
ISE certificates.
Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
The client machine is configured to validate the server certificate, but is not
configured to trust the Cisco ISE certificate.
Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

Highlighted

Found similar problem and

Found similar problem and after checking all suggestions here without success, I recreated the ISE certificate (LAB environment) and everything started to work as expected...

Highlighted
Beginner

Re: Cisco ISE authentication failed because client reject certificate

actually the issue was i was using EAP-Fast and you got to use the NAM agent with anyconnect for it to work.  Also you have to put the ISE certificate in the registry of pc for it to be trusted and work.