06-18-2022 12:30 AM
Hi Everyone,
I hope everyone is keeping well.
We are in the process of deploying EAP-TLS in a pilot phase with a mix of Mac OS and Win10 machines in our estate. Currently Win10 machines are working and being authenticated to the Corporate WLAN, but when Mac OS machines (not domain joined) try to connect, we are getting a 50/50 split of passed/failed authentications, with no changes being made to either ISE or the Mac (managed by JAMF).
Passed Auth - Event 5200 Authentication succeeded
Failed Auth - Event 5400 Authentication failed ( Failure Reason 12521 EAP-TLS failed SSL/TLS handshake after a client alert )
It looks like the Mac is not accepting the EAP-TLS handshake with ISE and failing with the following result in ISE logs:
12815 Extracted TLS Alert message
12521 EAP-TLS failed SSL/TLS handshake after a client alert
12507 EAP-TLS authentication failed
Can you see in ISE what certificate is being sent as part of the EAP-TLS request, or has anyone managed to get Mac OS machines working using EAP-TLS? I have seen a couple of forum posts mentioning creating a 2nd SSID for Macs, but I'm not sure if this is the way to go forward, as you then end up managing 2x SSIDs for Win & Mac OS machines.
Thanks for your assistance.
Regards,
James
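An added example (not from the thread or from Cisco ISE itself) that shows one way to triage the kind of intermittent result described above: parse authentication records, split pass/fail per endpoint, and flag the endpoints that both pass and fail with a client-alert handshake failure. The log line layout here is constructed for the example; real ISE syslog or Live Log exports are laid out differently, and only the event and step codes (5200, 5400, 12815, 12521, 12507) come from the post above. An endpoint that alternates between 5200 and 5400/12521 points at client-side behaviour (identity or trust selection on the supplicant) rather than a static ISE policy problem, which is what this summary makes visible.

```python
"""Triage ISE EAP-TLS outcomes per endpoint from a constructed log sample.

Added example; not part of the original forum thread and not ISE's own
export format. The field layout below is an assumption made for the
example; only the event/step codes are taken from the thread.
"""
import re
from collections import Counter

# Constructed sample records (not real ISE output). One endpoint
# (...:01) alternates between success and a client-alert failure.
SAMPLE_LOG = """\
2022-06-17T23:58:01 mac=AA:BB:CC:00:00:01 os=macOS event=5200 reason=- steps=-
2022-06-17T23:58:07 mac=AA:BB:CC:00:00:01 os=macOS event=5400 reason=12521 steps=12815,12521,12507
2022-06-17T23:58:09 mac=AA:BB:CC:00:00:02 os=Win10 event=5200 reason=- steps=-
2022-06-17T23:58:15 mac=AA:BB:CC:00:00:01 os=macOS event=5400 reason=12521 steps=12815,12521,12507
2022-06-17T23:58:21 mac=AA:BB:CC:00:00:03 os=macOS event=5200 reason=- steps=-
2022-06-17T23:58:30 mac=AA:BB:CC:00:00:01 os=macOS event=5200 reason=- steps=-
this line is deliberately malformed and must be skipped
"""

# Codes quoted in the thread; everything else in the parser is generic.
EVENT_NAMES = {"5200": "Authentication succeeded", "5400": "Authentication failed"}
STEP_NAMES = {
    "12815": "Extracted TLS Alert message",
    "12521": "EAP-TLS failed SSL/TLS handshake after a client alert",
    "12507": "EAP-TLS authentication failed",
}

# Assumed record layout for the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) mac=(?P<mac>\S+) os=(?P<os>\S+) "
    r"event=(?P<event>\d+) reason=(?P<reason>\S+) steps=(?P<steps>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["steps"] = [] if rec["steps"] == "-" else rec["steps"].split(",")
    return rec


def summarize(log_text):
    """Aggregate pass/fail counts, failure reasons and client alerts per MAC."""
    per_mac = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        entry = per_mac.setdefault(
            rec["mac"],
            {"os": rec["os"], "passed": 0, "failed": 0,
             "reasons": Counter(), "client_alerts": 0},
        )
        if rec["event"] == "5200":
            entry["passed"] += 1
        elif rec["event"] == "5400":
            entry["failed"] += 1
            entry["reasons"][rec["reason"]] += 1
            # 12815 means ISE saw a TLS alert sent by the supplicant itself.
            if "12815" in rec["steps"]:
                entry["client_alerts"] += 1
    return per_mac


def intermittent_endpoints(per_mac):
    """MACs that both passed and failed: the 50/50 pattern from the post."""
    return sorted(mac for mac, e in per_mac.items() if e["passed"] and e["failed"])


def client_alert_endpoints(per_mac):
    """MACs whose failures include a client-originated TLS alert (12815)."""
    return sorted(mac for mac, e in per_mac.items() if e["client_alerts"])


def report(per_mac):
    """Human-readable summary lines, one per endpoint plus a triage hint."""
    lines = []
    for mac in sorted(per_mac):
        e = per_mac[mac]
        reasons = ", ".join(
            f"{code} ({STEP_NAMES.get(code, 'unknown reason')}) x{n}"
            for code, n in sorted(e["reasons"].items())
        ) or "none"
        lines.append(f"{mac} [{e['os']}] passed={e['passed']} failed={e['failed']} "
                     f"client_alerts={e['client_alerts']} reasons: {reasons}")
    for mac in intermittent_endpoints(per_mac):
        if mac in client_alert_endpoints(per_mac):
            lines.append(f"TRIAGE: {mac} alternates success/failure and the failures "
                         f"carry a client TLS alert; inspect the supplicant's "
                         f"identity/trust selection before changing ISE policy.")
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run it as-is to see the per-endpoint breakdown on the constructed sample; point `summarize()` at your own export once you have adjusted `LINE_RE` to the real field layout.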
06-18-2022 01:25 AM
- Check this thread : https://community.cisco.com/t5/network-access-control/eap-tls-issue/td-p/3545371
M.
06-18-2022 07:23 PM
Hi James
In ISE, after a successful AuthZ, you can see the serial number of the certificate's template (when the endpoint uses TLS together with ISE). In my experience, Macs work better with PEAP. You can add PEAP + MAC Address Internal (on ISE) to consolidate the access.
Regards, Ivan.