02-17-2015 03:58 PM - edited 03-10-2019 10:27 PM
I am a newbie in ISE and am having a problem in my first step in authentication. Please help.
I am trying to deploy a standalone Cisco ISE using 802.1x authentication. The user authentication is configured to be checked against ISE's internal user database for early deployment. But when users try to authenticate, they fail with this error message in ISE:
Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
It's working for a few laptops and it's not working for a few others at the same site.
For testing purposes we have moved only 10 users. We will move more than 200+ users in a few days, so we have to fix this issue ASAP.
I know the clients are not accepting the certificate. But when I checked, the certificate is the same on the working and non-working laptops.
Please help me with this ASAP. Thanks in advance.
Regards,
02-18-2015 12:40 AM
What type of certificate do you currently have installed on ISE and attached to the EAP protocol? For example, do you have a public, private or the self-signed certificate?
At the end of the day, the Certificate Authority (CA) that signed the ISE certificate would need to be listed in the trusted CA store on each authenticating endpoint that is performing PEAP. If it is not, then the EAP tunnel creation would fail due to the client not trusting the ISE certificate.
I hope this helps!
Thank you for rating helpful posts!
02-18-2015 01:22 AM
02-18-2015 01:39 AM
It's selected on the working and non-working laptops. Will this make a difference?
How can I manually set it to trust the root CA that signed the ISE certificate?
02-18-2015 03:20 AM
The option has to be selected for security reasons.
Yes, it works when I disable it. I can't disable it due to security reasons.
We have pushed the settings using GP.
02-18-2015 01:41 AM
Do you find this issue only on particular clients (type/OS)? What is the supplicant being used?
Is the CA certificate in the current user store, local machine store, or both? Make sure the cert is flagged for HTTPS use, verify the expiry date, and make sure it is present on the PSN performing the auth.
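The trust-store and expiry checks raised in the replies above can be compared between a working and a non-working laptop with the script below. It is an added example, not code posted by anyone in this thread, and it assumes the ISE EAP certificate has been exported to the hypothetical file `C:\Temp\ise-eap.cer`.

```powershell
# Added example: run on one working and one non-working laptop and compare.
# Assumption: the ISE EAP certificate was exported to this hypothetical path.
param([string]$IseCertPath = 'C:\Temp\ise-eap.cer')

$ns   = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$ns.X509Certificate2" $IseCertPath

# Build the chain as this machine sees it. Revocation checking is switched
# off so the result reflects only trust anchors and validity dates.
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)

"Server cert : {0}" -f $cert.Subject
"Issuer      : {0}" -f $cert.Issuer
"Valid       : {0} to {1}" -f $cert.NotBefore, $cert.NotAfter
"Chain trusted on this machine: $trusted"
foreach ($s in $chain.ChainStatus) {
    # Typical values here: UntrustedRoot, PartialChain, NotTimeValid
    "  Status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
}

# For each CA certificate in the chain, list the stores that contain it.
# Note: the CurrentUser view of these stores also shows machine-wide entries.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'

foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $selfSigned = ($c.Subject -eq $c.Issuer)
    # Skip the server certificate itself unless it is self-signed.
    if ($c.Thumbprint -eq $cert.Thumbprint -and -not $selfSigned) { continue }

    $found = @($stores | Where-Object { Test-Path "$_\$($c.Thumbprint)" })
    "CA: {0}" -f $c.Subject
    "  Thumbprint : {0}" -f $c.Thumbprint
    "  Expires    : {0}" -f $c.NotAfter
    if ($found.Count -gt 0) {
        "  Found in   : {0}" -f ($found -join ', ')
    } else {
        "  Found in   : none of the checked stores"
    }
}
```

A chain that builds on the working laptop but reports `UntrustedRoot` or `PartialChain` on the failing one points to a missing root or intermediate CA on that client.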
02-18-2015 03:21 AM
Yes, we have it only for a few users. Windows 7. We have controller for supplicant.
CA certificate is in local machine.
We will push all the settings using group policy.