01-14-2013 12:39 PM - last edited on 03-25-2019 05:29 PM by ciscomoderator
Hello,
I am trying to configure EAP-TLS authentication with AD certificates.
All ISE servers are joined to AD
I have the root certificate from the CA to Activie Directory installed on the ISE servers
I created the certificate authentication profile using the root certificate
I have PEAP\EAP-TLS enabled as my allowed protocol
I am getting the following error for authentication:
"11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12814 Prepared TLS Alert message
12817 TLS handshake failed
12309 PEAP handshake failed"
I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
Any other issues I am missing?
Thanks,
Michael Wynston
Senior Solutions Architect
CCIE# 5449
Email: Michael.Wynston@eplus.com
Phone: (212)401-5059
Cell: (908)413-5813
AOL IM: cw2kman
E-Plus
01-14-2013 06:43 PM
Hi,
I would be best to have the ISE certs signed by the CA. However for testing purposes you can uncheck the validate server certificate settings to keep your testing progressing.
Thanks,
Tarik Admani
*Please rate helpful posts*
05-08-2013 06:00 PM
Please review the below link which might be helpful :
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide