
EAP-TLS and ISE 1.1 with AD certificates

miwynston
Level 1

Hello,

I am trying to configure EAP-TLS authentication with AD certificates.

All ISE servers are joined to AD

I have the root certificate from the CA to Active Directory installed on the ISE servers

I created the certificate authentication profile using the root certificate

I have PEAP\EAP-TLS enabled as my allowed protocol

I am getting the following error for authentication:

"11507  Extracted EAP-Response/Identity

12500  Prepared EAP-Request proposing EAP-TLS with challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12301  Extracted EAP-Response/NAK requesting to use PEAP instead

12300  Prepared EAP-Request proposing PEAP with challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated

12318  Successfully negotiated PEAP version 0

12800  Extracted first TLS record; TLS handshake started

12805  Extracted TLS ClientHello message

12814  Prepared TLS Alert message

12817  TLS handshake failed

12309  PEAP handshake failed"

I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?

Any other issues I am missing?

Thanks,

Michael Wynston

Senior Solutions Architect

CCIE# 5449

Email: Michael.Wynston@eplus.com

Phone: (212)401-5059

Cell: (908)413-5813

AOL IM: cw2kman

E-Plus

http://www.eplus.com

2 Replies

Tarik Admani
VIP Alumni

Hi,

It would be best to have the ISE certs signed by the CA. However, for testing purposes you can uncheck the validate server certificate settings to keep your testing progressing.

Thanks,

Tarik Admani
*Please rate helpful posts*