
Cisco ISE authentication failed because client reject certificate

S. ANIL
Level 1

I am a newbie to ISE and am having a problem with my first step in authentication. Please help.

I am trying to deploy a standalone Cisco ISE using 802.1x authentication. User authentication is configured to be checked against ISE's internal user database for early deployment. But when users try to authenticate, they fail with this error message in ISE:

Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

It's working for a few laptops and it's not working for a few others at the same site.

For testing purposes we have moved only 10 users. We will move more than 200+ users in a few days, so we have to fix this issue ASAP.

I know the clients are not accepting the certificate. But when I checked, the certificate is the same on the working and non-working laptops.

Please help me with this ASAP. Thanks in advance.

Regards,


nspasov
Cisco Employee

What type of certificate do you currently have installed on ISE and attached to the EAP protocol? For example, do you have a public, private or the self-signed certificate?

At the end of the day, the Certificate Authority (CA) that signed the ISE certificate needs to be listed in the trusted CA store on each authenticating endpoint that is performing PEAP. If it is not, then the EAP tunnel creation would fail due to the client not trusting the ISE certificate.

I hope this helps!

 

Thank you for rating helpful posts! 


mohanak
Cisco Employee

If you have the eap settings set to "validate server certificate" then you must manually set it to trust the rootCA that signed the ISE certificate, or you can disable this option for testing.

It's selected on the working and non-working laptops. Will this make a difference?

How can I manually set it to trust the rootCA that signed the ISE certificate?

The option has to be selected for security reasons.

Yes, it works when I disable it. I can't disable it due to security reasons.

We have pushed the settings using GP.

 

Venkatesh Attuluri
Cisco Employee

Do you find this issue only on particular clients (type/OS)? What is the supplicant being used?
Is the CA certificate in the current user store, local machine store, or both? Make sure the cert is flagged for HTTPS use, verify the expiry date, and make sure it is present on the PSN performing the auth.

Yes, we have it only for a few users. Windows 7. We have a controller for the supplicant.

CA certificate is in local machine. 

We will push all the settings using group policy
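
The store and expiry checks raised in the replies above can be run on a working and a non-working laptop and the output compared. This is an added example, not code from any poster in the thread; the function name `Test-CaTrust` is hypothetical and `$RootCaThumbprint` is a placeholder for the SHA-1 thumbprint of the root CA that signed the ISE certificate. It also looks in the intermediate CA stores, which goes slightly beyond what the replies ask.

```powershell
# Added example: report where a given CA certificate is installed on this client.
# ASSUMPTION: placeholder value; replace with the real root CA thumbprint
# (spaces copied from the certificate dialog are tolerated).
$RootCaThumbprint = '<ROOT-CA-THUMBPRINT-PLACEHOLDER>'

function Test-CaTrust {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Store thumbprints are upper-case hex without separators.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($wanted.Length -ne 40) { throw 'Expected a 40-hex-digit SHA-1 thumbprint.' }

    $now    = Get-Date
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
              'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'

    foreach ($store in $stores) {
        $found = @(Get-ChildItem -Path $store |
                   Where-Object { $_.Thumbprint -eq $wanted })

        if ($found.Count -eq 0) {
            # Emit a row anyway so missing stores show up in the comparison.
            New-Object PSObject -Property @{
                Store = $store; Present = $false; Subject = $null
                NotBefore = $null; NotAfter = $null; InValidity = $null
            }
            continue
        }

        foreach ($c in $found) {
            New-Object PSObject -Property @{
                Store      = $store
                Present    = $true
                Subject    = $c.Subject
                NotBefore  = $c.NotBefore
                NotAfter   = $c.NotAfter
                # False means the CA certificate is expired or not yet valid.
                InValidity = ($now -ge $c.NotBefore -and $now -le $c.NotAfter)
            }
        }
    }
}

Test-CaTrust -Thumbprint $RootCaThumbprint |
    Select-Object Store, Present, InValidity, NotAfter, Subject |
    Format-Table -AutoSize
```

A laptop where every row shows `Present` as False, or `InValidity` as False, differs from the working ones in exactly the way the replies describe.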