Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5459
Views
15
Helpful
5
Replies

EAP TLS - Apple mac is not authenticating

Go to solution
Wifi_Eshwar92
Level 1
Level 1

‎08-17-2020 02:10 AM

Hi All,

We are trying to implement certificate based authentication. ISE as radius server & Local CA for certificate push to clients. Now Windows laptops are able to authenticate successfully whereas Apple mac are not. In ISE we see error as "12521 EAP TLS failed SSL/TLS handshake after a client alert". Wondering with the same certificate windows is able to connect which says certificate chain is good (right?) but why MAC is not ? Based on error log i assume this is because of client (mac) is sending "close alert". Any help or suggestions how to get this resolved?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Wifi_Eshwar92

‎08-17-2020 01:05 PM

All of my customers push their ISE certificates, root/intermediate/eap, via airwatch as part of the network profile. So it's certainly possible with airwatch/workspace one profiles. Public or private CA, I've found it makes no difference.

View solution in original post

5 Replies 5

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎08-17-2020 07:09 AM

I've found that in order to get macs/iphones to authenticate with eap-tls, you have to push the root, intermediate, and the ISE EAP cert directly to the device with the network profile.  

Go to solution
Wifi_Eshwar92
Level 1
Level 1
In response to Damien Miller

‎08-17-2020 12:32 PM - edited ‎08-17-2020 12:34 PM

Thanks for the information. We are about to try that instead of pushing from airwatch..ISE has public CA certificate installed for EAP authentication and other reasons.. i will export the complete chain and import it onto mac to check.. i will update once this is tried.. 

Even if it works this way, i m worried how it is possible to do the same for rest of the org mac users.. 

 

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Wifi_Eshwar92

‎08-17-2020 01:05 PM

All of my customers push their ISE certificates, root/intermediate/eap, via airwatch as part of the network profile. So it's certainly possible with airwatch/workspace one profiles. Public or private CA, I've found it makes no difference.

Go to solution
Wifi_Eshwar92
Level 1
Level 1
In response to Damien Miller

‎08-18-2020 02:13 AM

Many thanks for sharing this information. Just for me to understand clearly, you are saying we need to manually push ISE EAP certificate chain either via MDM or directly onto mac? Even though if the mac already have those certificates through earlier authenticated sessions (earlier all were authenticating using PEAP to the same ISE, so it got ISE EAP chain certificates already which we could see on keychain) still, we need to remove them and install freshly to check? And while installing manually onto mac do we need to choose login or system root.. Thanks in advance

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Wifi_Eshwar92

‎08-19-2020 06:36 PM

The way I understood about Apple configuration profile is to include certificates (an identity certificate and the root CA certificate of EAP server(s)) and a Wi-Fi payload. It's a unit on its own and separate from the key store.

Customers Also Viewed These Support Documents