01-02-2013 08:13 PM - edited 03-10-2019 07:56 PM
Hi Experts,
I am a newbie in ISE and am having a problem with my first step in authentication. Please help.
I am trying to deploy a standalone Cisco ISE 1.1.2 with a WLC using 802.1X authentication. User authentication is configured to be checked against ISE's internal user database for the early deployment. But when the user tries to authenticate, they fail with this error message in ISE:
Authentication failed: 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
I've generated a certificate for ISE using a Windows Server CA and replaced ISE's self-signed certificate with the new certificate, but authentication still fails with the same error message. Must I generate a certificate for the WLC also? Please help me in solving this problem.
Regards,
Ratna
01-02-2013 10:47 PM
Hi,
The error you are seeing in ISE is pointing to your client. If you have the EAP settings set to "validate server certificate", then you must manually set it to trust the root CA that signed the ISE certificate, or you can disable this option for testing. You can try to remove this wireless network profile and recreate it, and see if the pop-up appears which asks you to validate the server's identity.
Thanks,
Tarik Admani
*Please rate helpful posts*
01-03-2013 12:32 AM
It works! Thanks a lot, Tarik.
03-26-2013 01:51 AM
Hello!
We have the same problem in our BYOD deployment.
Is there any way to tell the client to accept the root certificate without manual configuration of the Wi-Fi profile?
The concept of BYOD supposes that you bring your own device without any preconfigured Wi-Fi profiles and installed certificates.
04-10-2013 10:51 AM
This issue occurs with authentication protocols that require certificate validation.
Possible Authentications report failure reasons:
1. "Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
2. "Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate"
The supplicant or client machine is not accepting the certificate from Cisco ISE. The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.
The client machine must accept the Cisco ISE certificate to enable authentication.
As per your confirmation, I am going to close the case for this specific inquiry. We strive to provide you with excellent service. Please feel free to reach out to me or any member of the SAC team if we can be of any further assistance or if you have any other related questions in the future. We value your input and look forward to serving you moving forward.
11-01-2018 01:06 PM
Hey, may I ask how you did that? I am digging into ISE and trying to do some deployments for my company.
06-02-2014 02:24 AM
Certificate-Based User Authentication via Supplicant Failing

Symptoms or Issue: User authentication is failing on the client machine, and the user is receiving a "RADIUS Access-Reject" form of message.

Conditions: This issue occurs with authentication protocols that require certificate validation. Possible Authentications report failure reasons:
• "Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
• "Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate"

Click the magnifying glass icon from Authentications to display the following output in the Authentication Report:
• 12305 Prepared EAP-Request with another PEAP challenge
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is reusing an existing session
• 12304 Extracted EAP-Response containing PEAP challenge-response
• 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
• 12512 Treat the unexpected TLS acknowledge message as a rejection from the client
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is re-using an existing session
• 12104 Extracted EAP-Response containing EAP-FAST challenge-response
• 12815 Extracted TLS Alert message
• 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject

Note: This is an indication that the client does not have or does not trust the Cisco ISE certificates.

Possible Causes: The supplicant or client machine is not accepting the certificate from Cisco ISE. The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.

Resolution: The client machine must accept the Cisco ISE certificate to enable authentication.
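The failure in Tarik's answer and in the troubleshooting excerpt above is a client-side trust decision, not an ISE or WLC certificate problem, and it can be reproduced offline. The script below is an added example (not from this thread, and not Cisco's code): it builds a throwaway "enterprise" root CA standing in for the Windows Server CA, issues an ISE server certificate from it, and then plays the supplicant's "validate server certificate" check twice with openssl, once with a trust store that lacks the enterprise root and once with it present. The hostname ise.example.local and the CA names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: simulate a supplicant with
# "Validate server certificate" enabled, first without and then with the root CA
# that signed the ISE certificate in its trust store. All names are hypothetical.
set -e
WORK=$(mktemp -d)
ISE_FQDN="ise.example.local"         # hypothetical ISE node FQDN
ENT_CA_CN="Example Windows Root CA"  # hypothetical enterprise (Windows Server) CA

# Minimal openssl config so the run does not depend on the host's openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Self-signed root CA ($1 = file prefix, $2 = CN).
new_root_ca() {
  openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# ISE server certificate: a CSR for the ISE FQDN signed by the enterprise root,
# with the FQDN in subjectAltName so a server-name check can pass as well.
issue_ise_cert() {
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$ISE_FQDN" -keyout "$WORK/ise.key" -out "$WORK/ise.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$ISE_FQDN" > "$WORK/ise.ext"
  openssl x509 -req -days 365 -in "$WORK/ise.csr" -extfile "$WORK/ise.ext" \
    -CA "$WORK/enterprise.pem" -CAkey "$WORK/enterprise.key" -CAcreateserial \
    -out "$WORK/ise.pem" 2>/dev/null
}

# The supplicant's decision: accept the ISE certificate only if it chains to a
# root in the supplicant's own trust store ($1) and the name matches the ISE FQDN.
# -no-CApath skips the host's default certificate directory (the enterprise root
# is not in it anyway). Exit 0 = accepted; non-zero = rejected, which is what ISE
# then reports as 12321/12153.
supplicant_accepts_ise() {
  openssl verify -CAfile "$1" -no-CApath -verify_hostname "$ISE_FQDN" \
    "$WORK/ise.pem" >/dev/null 2>&1
}

new_root_ca enterprise "$ENT_CA_CN"
new_root_ca unrelated "Some Public Root CA"   # a root the client trusts, but not ours
issue_ise_cert

# A client that only carries unrelated roots: the handshake is rejected.
if supplicant_accepts_ise "$WORK/unrelated.pem"; then
  echo "client without the enterprise root: accepted (unexpected)"
else
  echo "client without the enterprise root: rejected the ISE certificate"
fi

# The same client after the enterprise root was pushed to it: accepted.
if supplicant_accepts_ise "$WORK/enterprise.pem"; then
  echo "client with the enterprise root: accepted the ISE certificate"
else
  echo "client with the enterprise root: rejected (unexpected)"
fi
```

Nothing about the ISE certificate changes between the two runs; only the client's trust store does, which is why regenerating the ISE or WLC certificate does not help unless the client was never given the root. In a Windows domain the equivalent of the second run is distributing the enterprise root to the clients' Trusted Root Certification Authorities store (typically by GPO) and selecting that root in the PEAP profile, rather than disabling server validation, which leaves the supplicant willing to send credentials to any RADIUS server.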
07-29-2016 01:18 PM
Found a similar problem, and after checking all suggestions here without success, I recreated the ISE certificate (lab environment) and everything started to work as expected...
11-03-2018 12:53 PM
Actually, the issue was that I was using EAP-FAST, and you have to use the NAM agent with AnyConnect for it to work. Also, you have to put the ISE certificate in the registry of the PC for it to be trusted and work.