Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
54862
Views
25
Helpful
9
Replies

Cisco ISE authentication failed because client reject certificate

Go to solution
ratnapurnama
Level 1
Level 1

‎01-02-2013 08:13 PM - edited ‎03-10-2019 07:56 PM

Hi Experts,

I am a newbie in ISE and having problem in my first step in authentication. Please help.

I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :

Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

I've generate a certificate for ISE using Windows Server CA and replace ISE's self-signed certificate with the new certificate but authentication still failed with the same error message. Must I generate a certificate for WLC also? Please help me in solving this problem.

Regards,

Ratna

11 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎01-02-2013 10:47 PM

Hi,

The error you are seeing in ISE is pointing to your client, if you have the eap settings set to "validate server certificate" then you must manually set it to trust the rootCA that signed the ISE certificate, or you can disable this option for testing. You can try to remove this wireless network profile, and recreate it and see if the pop up appears which asks you to validate the server's identity.

Thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

9 Replies 9

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎01-02-2013 10:47 PM

Hi,

The error you are seeing in ISE is pointing to your client, if you have the eap settings set to "validate server certificate" then you must manually set it to trust the rootCA that signed the ISE certificate, or you can disable this option for testing. You can try to remove this wireless network profile, and recreate it and see if the pop up appears which asks you to validate the server's identity.

Thanks,

Tarik Admani
*Please rate helpful posts*

Go to solution
ratnapurnama
Level 1
Level 1
In response to Tarik Admani

‎01-03-2013 12:32 AM

It works! Thanks a lot Tarik

0 Helpful

Go to solution
Jaaazman777
Level 1
Level 1
In response to Tarik Admani

‎03-26-2013 01:51 AM

Hello!

We have the same problen in out BYOD deployment.

Is there any way to tell client to accept the root certificate without manual configuration of the wifi-profile?

The concept of BYOD suppose that you bring of your device without any preconfigured wifi-profiles and installed certificates.

0 Helpful

Go to solution
bhthapa
Level 1
Level 1
In response to Jaaazman777

‎04-10-2013 10:51 AM

This issue occurs with authentication protocols that require  certificate validation.

Possible Authentications report failure reasons:

1.Authentication failed: 11514 Unexpectedly received empty TLS message;

treating as a rejection by the client”

2.Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because

the client rejected the Cisco ISE local-certificate”

The supplicant or client machine is not accepting the certificate from  Cisco ISE. The client machine is configured to validate the server  certificate, but is not. Need to configured to trust between the Cisco  ISE certificate.

The client machine must accept the Cisco ISE certificate to enable  authentication.

As per your confirmation, I am going to close the case for this specific  inquiry. We strive to provide you with excellent service. Please feel  free to reach out to me or any member of the SAC team if we can be of  any further assistance or if you have any other related questions in the  future. We value your input and look forward to serving you moving  forward.

0 Helpful

Go to solution
coreycomputer
Level 1
Level 1
In response to Tarik Admani

‎11-01-2018 01:06 PM

hey may i ask how you do that.  I am digging into ISE and trying to do some deployments for my company. 

0 Helpful

Go to solution
Naveen Kumar
Level 4
Level 4

‎04-10-2014 09:58 PM

Possible Causes for this issue

The supplicant or client machine is not accepting the certificate from Cisco ISE.

The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.

0 Helpful

Go to solution
Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎06-02-2014 02:24 AM

Certificate-Based User Authentication via Supplicant Failing
Symptoms or
Issue
User authentication is failing on the client machine, and the user is receiving a
“RADIUS Access-Reject” form of message.
Conditions (This issue occurs with authentication protocols that require certificate validation.)
Possible Authentications report failure reasons:
• “Authentication failed: 11514 Unexpectedly received empty TLS message;
treating as a rejection by the client”
• “Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because
the client rejected the Cisco ISE local-certificate”
Click the magnifying glass icon from Authentications to display the following output
in the Authentication Report:
• 12305 Prepared EAP-Request with another PEAP challenge
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is reusing an existing session
• 12304 Extracted EAP-Response containing PEAP challenge-response
• 11514 Unexpectedly received empty TLS message; treating as a rejection by the
client
• 12512 Treat the unexpected TLS acknowledge message as a rejection from the
client
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
• 11006 Returned RADIUS Access-Challenge
• 11001 Received RADIUS Access-Request
• 11018 RADIUS is re-using an existing session
• 12104 Extracted EAP-Response containing EAP-FAST challenge-response
• 12815 Extracted TLS Alert message
• 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the
Cisco ISE local-certificate
• 11504 Prepared EAP-Failure
• 11003 Returned RADIUS Access-Reject
Note This is an indication that the client does not have or does not trust the Cisco
ISE certificates.
Possible Causes The supplicant or client machine is not accepting the certificate from Cisco ISE.
The client machine is configured to validate the server certificate, but is not
configured to trust the Cisco ISE certificate.
Resolution The client machine must accept the Cisco ISE certificate to enable authentication.

0 Helpful

Go to solution
vitorio.urashima
Level 1
Level 1
In response to Venkatesh Attuluri

‎07-29-2016 01:18 PM

Found similar problem and after checking all suggestions here without success, I recreated the ISE certificate (LAB environment) and everything started to work as expected...

0 Helpful

Go to solution
coreycomputer
Level 1
Level 1

‎11-03-2018 12:53 PM

actually the issue was i was using EAP-Fast and you got to use the NAM agent with anyconnect for it to work.  Also you have to put the ISE certificate in the registry of pc for it to be trusted and work.  

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents