We are trying to implement certificate-based authentication: ISE as the RADIUS server and a local CA for certificate push to clients. Now Windows laptops are able to authenticate successfully, whereas Apple Macs are not. In ISE we see the error "12521 EAP TLS failed SSL/TLS handshake after a client alert". Wondering: with the same certificate, Windows is able to connect, which says the certificate chain is good (right?), but why is the Mac not? Based on the error log I assume this is because the client (Mac) is sending a "close alert". Any help or suggestions on how to get this resolved?
I've found that in order to get Macs/iPhones to authenticate with EAP-TLS, you have to push the root, intermediate, and the ISE EAP cert directly to the device with the network profile.
Thanks for the information. We are about to try that instead of pushing from AirWatch. ISE has a public CA certificate installed for EAP authentication and other reasons. I will export the complete chain and import it onto the Mac to check. I will update once this is tried.
Even if it works this way, I'm worried about how it is possible to do the same for the rest of the org's Mac users.
Many thanks for sharing this information. Just for me to understand clearly, you are saying we need to manually push the ISE EAP certificate chain either via MDM or directly onto the Mac? Even if the Mac already has those certificates through earlier authenticated sessions (earlier all were authenticating using PEAP to the same ISE, so it already got the ISE EAP chain certificates, which we could see in Keychain), do we still need to remove them and install them freshly to check? And while installing manually onto the Mac, do we need to choose login or System root? Thanks in advance.
The way I understood the Apple configuration profile is that it includes certificates (an identity certificate and the root CA certificate of the EAP server(s)) and a Wi-Fi payload. It's a unit on its own and separate from the keystore.
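As an added example (not code from any poster here), this Python script assembles the three payloads the reply above describes (root CA, identity, Wi-Fi with EAP-TLS) into a .mobileconfig plist and checks that every certificate the Wi-Fi payload trusts or presents is actually delivered in the same profile. Payload keys are Apple's documented configuration-profile keys; the SSID, server name, organisation and certificate bytes are constructed placeholders.

```python
import plistlib
import uuid

# Constructed placeholder bytes: a real profile carries the DER-encoded root CA of the
# EAP server chain and the user's PKCS#12 identity exported from the CA.
ROOT_CA_DER = b"constructed-root-ca-der-placeholder"
IDENTITY_P12 = b"constructed-pkcs12-placeholder"

def _payload(ptype, ident, **extra):
    """Common keys every payload dictionary in a configuration profile needs."""
    base = {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper()}
    base.update(extra)
    return base

def build_eap_tls_profile(ssid, root_ca_der, identity_p12, p12_password,
                          trusted_server_names, org="example.org"):
    """Root CA + identity + Wi-Fi payloads wired together so the Mac trusts the EAP server."""
    root = _payload("com.apple.security.root", f"{org}.root-ca",
                    PayloadDisplayName="EAP server root CA", PayloadContent=root_ca_der)
    identity = _payload("com.apple.security.pkcs12", f"{org}.identity",
                        PayloadDisplayName="User EAP-TLS identity",
                        PayloadContent=identity_p12, Password=p12_password)
    wifi = _payload("com.apple.wifi.managed", f"{org}.wifi",
                    SSID_STR=ssid, AutoJoin=True, EncryptionType="WPA2",
                    PayloadCertificateUUID=identity["PayloadUUID"],  # client cert to present
                    EAPClientConfiguration={
                        "AcceptEAPTypes": [13],  # 13 = EAP-TLS only, no PEAP fallback
                        "PayloadCertificateAnchorUUID": [root["PayloadUUID"]],  # trust anchor
                        "TLSTrustedServerNames": list(trusted_server_names)})
    return _payload("Configuration", f"{org}.eap-tls",
                    PayloadDisplayName="Corporate Wi-Fi (EAP-TLS)",
                    PayloadContent=[root, identity, wifi])

def unresolved_references(profile):
    """UUIDs the Wi-Fi payload trusts or presents that are not delivered in this profile."""
    payloads = profile["PayloadContent"]
    delivered = {p["PayloadUUID"] for p in payloads
                 if p["PayloadType"].startswith("com.apple.security.")}
    refs = []
    for w in (p for p in payloads if p["PayloadType"] == "com.apple.wifi.managed"):
        refs += w["EAPClientConfiguration"].get("PayloadCertificateAnchorUUID", [])
        refs.append(w["PayloadCertificateUUID"])
    return [r for r in refs if r not in delivered]  # [] means every anchor is in the profile

def to_mobileconfig(profile):
    """Serialize to the XML plist that MDM pushes as a .mobileconfig."""
    return plistlib.dumps(profile)
```

A profile whose anchor UUID does not resolve is the configuration-side counterpart of the handshake alert in the question: the client has no delivered root to validate the ISE EAP chain against.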