03-21-2024 06:32 AM
I recently swapped the certificate in use for EAP, RADIUS and Admin on our ISE deployment, signed using our internal CA. This was carried out approx. 36 hours ago; the application was restarted on both nodes and everything had been working fine up until now. Then suddenly all the network clients on our LAN started failing to authenticate using Dot1X / EAP-TLS this morning. I don't understand: is there some kind of delay in the new certificate becoming active? Why fail 36 hours later!? As far as I can see there is nothing wrong with the new certificates, and the internal CA root and sub certificates are all well in date.
5400 Authentication failed
12508 EAP-TLS handshake failed
Has anybody hit something similar?
03-21-2024 06:46 AM - edited 03-21-2024 06:46 AM
I would cross-check again that the certs are correct, that they are in the certificate store, and that the end users also have certs.
Also post the complete log from ISE.
03-21-2024 07:29 AM
When you import a new cert on ISE and the services are restarted, that cert is active and ready for use. If you are not hitting a bug, the only thing that comes to my mind would be related to any GPO policies that may have been pushed to the clients and changed the supplicant settings? Or maybe you changed the security settings in ISE by removing some protocols that could be used by the clients, such as TLS 1.1 and SHA1? If not, I would raise this with Cisco TAC.
03-21-2024 07:37 AM
To troubleshoot "EAP-TLS handshake failed" you can perform a packet capture on an authenticating client (as well as from the applicable PSN). Wireshark is quite good at showing you the steps in an EAP-TLS handshake, and the error message in the decode usually pinpoints the failed parameter.
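As an added illustration of what that decode pinpoints (this is not code from the thread or from Cisco), the following Python walks the EAP-TLS framing from RFC 5216 and pulls out the TLS Alert record a supplicant sends when it rejects the server certificate; the packet bytes are constructed, with the alert chosen to mirror a client that does not trust the CA behind a newly installed EAP certificate.

```python
import struct

EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length-included, More, Start
TLS_ALERT = 0x15                             # TLS record ContentType "alert"

# Subset of TLS AlertDescription values (RFC 5246 / RFC 8446) that usually
# show up when an EAP-TLS handshake dies on a certificate problem.
ALERT_DESCRIPTIONS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 70: "protocol_version",
    116: "certificate_required",
}

def parse_eap_tls(packet: bytes) -> dict:
    """Decode one EAP-TLS packet and report the TLS alert it carries, if any."""
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", packet[:6])
    if eap_type != EAP_TYPE_TLS:
        raise ValueError(f"not EAP-TLS (EAP type {eap_type})")
    if length != len(packet):
        raise ValueError("EAP length field does not match packet size")
    offset, tls_len = 6, None
    if flags & FLAG_L:                       # 4-byte total TLS message length present
        tls_len = struct.unpack("!I", packet[6:10])[0]
        offset = 10
    result = {"code": code, "id": ident, "start": bool(flags & FLAG_S),
              "more": bool(flags & FLAG_M), "tls_length": tls_len, "alert": None}
    tls_data = packet[offset:]
    # Walk the TLS records in this fragment, looking for an Alert record.
    while len(tls_data) >= 5:
        ctype, _version, rlen = struct.unpack("!BHH", tls_data[:5])
        body = tls_data[5:5 + rlen]
        if ctype == TLS_ALERT and len(body) == 2:
            level, desc = body
            result["alert"] = {"level": "fatal" if level == 2 else "warning",
                               "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}
        tls_data = tls_data[5 + rlen:]
    return result

# Constructed sample: EAP-Response (code 2, id 5, length 17), type 13, L flag set,
# TLS length 7, then a TLS 1.2 alert record: level 2 (fatal), description 48 (unknown_ca).
SAMPLE_ALERT = bytes([2, 5, 0, 17, 13, 0x80, 0, 0, 0, 7,
                      0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x30])

if __name__ == "__main__":
    print(parse_eap_tls(SAMPLE_ALERT))
```

A `certificate_expired` or `unknown_ca` alert from the client side points at the supplicant's trust store or the server chain ISE presents, whereas `protocol_version` or `handshake_failure` points at the allowed-protocol settings the earlier reply mentions.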