Cisco ISE Suddenly started rejecting dot1x EAP-TLS authentication

davemiddlewick
Level 1

I recently swapped the certificate in use for EAP, RADIUS and Admin on our ISE deployment, signed using our internal CA. This was carried out approx. 36 hours ago, the application was restarted on both nodes and everything had been working fine up until now. Then suddenly all the network clients on our LAN started failing to authenticate using Dot1X / EAP-TLS this morning. I don't understand, is there some kind of delay in the new certificate becoming active? Why fail 36 hours later!? As far as I can see there is nothing wrong with the new certificates, and the internal CA root and sub certificates are all well in date.

5400 Authentication failed

12508 EAP-TLS handshake failed

Has anybody hit something similar?


3 Replies

balaji.bandi
Hall of Fame

I would cross-check again that the certs are correct, that they are in the certificate store, and that the end users also have certs.

also post complete log from ISE.


BB


When you import a new cert on ISE and the services are restarted, that cert is active and ready for use. If you are not hitting a bug, the only thing that comes to my mind would be related to any GPO policies that may have been pushed to the clients and changed the supplicant settings, or maybe you changed the security settings in ISE by removing some protocols that could be used by the clients, such as TLS 1.1 and SHA-1? If not, I would raise this with Cisco TAC.

Marvin Rhoads
Hall of Fame

To troubleshoot an EAP-TLS handshake failure you can perform a packet capture on an authenticating client (as well as from the applicable PSN). Wireshark is quite good at showing you the steps in an EAP-TLS handshake, and the error message in the decode usually pinpoints the failed parameter.
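As an added example (not code from the thread or from Cisco ISE), the decoder below pulls the TLS Alert out of a raw EAP-TLS frame, which is the "failed parameter" Wireshark shows in a capture of a failing handshake; it handles any EAP-TLS frame whose TLS records are complete, not just the constructed unknown_ca sample it ships with. It assumes standard-library Python only and the RFC 3748 / RFC 5216 / RFC 5246 layouts; the sample frame and its helper are constructed here for illustration.

```python
# Added example, not ISE's code: decode the TLS Alert inside an EAP-TLS frame (RFC 3748/5216).
import struct

EAP_TYPE_TLS = 13
TLS_ALERT = 21
ALERT_DESCRIPTIONS = {  # RFC 5246 section 7.2 codes relevant to certificate problems
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 80: "internal_error",
}


def parse_eap_tls(frame: bytes) -> dict:
    """Split an EAP-TLS packet into its header fields and the complete TLS records it carries."""
    if len(frame) < 6:
        raise ValueError("frame too short for an EAP-TLS header")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", frame[:6])
    if eap_type != EAP_TYPE_TLS or length != len(frame):
        raise ValueError("not a well-formed EAP-TLS packet")
    offset, tls_len = 6, None
    if flags & 0x80:  # L bit: a 4-byte total TLS message length follows the flags
        tls_len = struct.unpack("!I", frame[6:10])[0]
        offset = 10
    records, data = [], frame[offset:]
    while len(data) >= 5:  # TLS record header: content type, version, length
        ctype, version, rlen = struct.unpack("!BHH", data[:5])
        if len(data) < 5 + rlen:
            break  # rest of this record sits in a later fragment (M bit set)
        records.append((ctype, version, data[5:5 + rlen]))
        data = data[5 + rlen:]
    return {"code": code, "id": ident, "flags": flags,
            "tls_length": tls_len, "records": records}


def find_tls_alert(frame: bytes):
    """Return (level, description) of the first TLS alert in the frame, or None if there is none."""
    for ctype, _version, body in parse_eap_tls(frame)["records"]:
        if ctype == TLS_ALERT and len(body) == 2:
            level = "fatal" if body[0] == 2 else "warning"
            return level, ALERT_DESCRIPTIONS.get(body[1], f"alert_{body[1]}")
    return None


def build_eap_tls(code: int, ident: int, tls_records: bytes) -> bytes:
    """Constructed helper: wrap TLS records in an EAP-TLS packet with the L bit set."""
    body = bytes([0x80]) + struct.pack("!I", len(tls_records)) + tls_records
    return struct.pack("!BBHB", code, ident, 5 + len(body), EAP_TYPE_TLS) + body


# Constructed sample: a supplicant Response (code 2) carrying a fatal unknown_ca alert (code 48).
SAMPLE_UNKNOWN_CA = build_eap_tls(2, 7, bytes([TLS_ALERT, 3, 3, 0, 2, 2, 48]))
```

A fatal unknown_ca or certificate_expired alert sent by the client points at trust or validity of the server certificate chain on the supplicant side, whereas protocol_version or handshake_failure points at the negotiated TLS settings.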