Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2104
Views
0
Helpful
6
Replies

Cisco ISE authentication failed because client reject certificate

S. ANIL
Level 1
Level 1

‎02-17-2015 03:58 PM - edited ‎03-10-2019 10:27 PM

I am a newbie in ISE and having problem in my first step in authentication. Please help.

I am trying to deploy a standalone Cisco ISE using 802.1x authentication. The user authentication configured to be checked to ISE's internal user database for early deployment. But when the user try to authenticate, they failed with error message in ISE :

Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

 

Its working for few laptops and its not working of other few in the same site.

For testing purpose we have moved only 10 users. We will move more then 200 + users in few days. So have to fix this issue ASAP.

I know the clients is not accepting the certificate. But when i checked in working and non-working laptop certification is same.

Please help me in this ASAP.Thanks in advance. 

Regards,

Labels:
0 Helpful
6 Replies 6

nspasov
Cisco Employee
Cisco Employee

‎02-18-2015 12:40 AM

What type of certificate do you currently have installed on ISE and attached to the EAP protocol? For example, do you have a public, private or the self-signed certificate?

At the end of the day, the Certificate Authority (CA) that signed the ISE certificate would needs to be listed in trusted CA store on each authenticating endpoint that is performing PEAP. If it is not then the EAP tunnel creation would fail due to the client not trusting the ISE certificate.

I hope this helps!

 

Thank you for rating helpful posts! 

Thank you for rating helpful posts!
0 Helpful

mohanak
Cisco Employee
Cisco Employee

‎02-18-2015 01:22 AM

If you have the eap settings set to "validate server certificate" then you must manually set it to trust the rootCA that signed the ISE certificate, or you can disable this option for testing.

Preview file
112 KB
0 Helpful

S. ANIL
Level 1
Level 1
In response to mohanak

‎02-18-2015 01:39 AM

Its selected in the working and non working laptops. Will this make difference?

How can i manually set it to trust the rootCA that signed the ISE certificate

 

0 Helpful

S. ANIL
Level 1
Level 1
In response to mohanak

‎02-18-2015 03:20 AM

The option has to be selected for security reason.

Yes its work when i disable it. I cant disable due to security reason

We have pussed the settings using GP 

 

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎02-18-2015 01:41 AM

Do you find this issue only on a particular  clients (type/OS?) . What is the suppliant being used.
Is the CA certificate in the current user store, local machine store, or both? Make sure cert is flagged for HTTPS use, verify expiry date, and is present on the PSN performing the auth

0 Helpful

S. ANIL
Level 1
Level 1
In response to Venkatesh Attuluri

‎02-18-2015 03:21 AM

Yes, we have only for few users. Windows7. We have controller for suppliant. 

CA certificate is in local machine. 

We will push all the settings using group policy 

0 Helpful
Customers Also Viewed These Support Documents