EAP-TLS unsupported certificate

Hello,

We have had a working deployment with EAP-TLS and Windows 7 (TLS 1.0) for some time, and we are upgrading to Windows 10.

We are using the same root and issuing CA for both machines (Windows 7 and Windows 10), but the Windows 10 machines are not working.

We are getting this error:

12519 EAP-TLS failed SSL/TLS handshake because of an unsupported certificate in the client certificate chain

I should also mention that the Windows 10 machines are using TLS 1.2.

I couldn't find any certificate requirements for the TLS 1.2 handshake on the Cisco website.

Can someone please help?

What does "unsupported certificate" even mean in this case?

1 ACCEPTED SOLUTION

For future reference, there was no problem with the ciphers or the TLS version.

It was indeed the certificate chain.

The intermediate certificate had an EKU "all purposes" in one of its EKU fields, and the ISE simply does not accept that, and this is expected behavior from the ISE.

2 REPLIES

I saw this once a long time ago. Nothing to do with the TLS version but with the cipher suite used. Normally RSA 2048 is found, but the customer was using some proprietary Microsoft cipher that ISE didn’t like. Have a look at the ISE release notes or install guide.

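A way to check a Windows client for the condition the accepted solution describes, as an added example that is not from the thread or from Cisco: it builds the chain of each machine certificate and flags CA certificates whose EKU extension contains anyExtendedKeyUsage. Assumptions: the "all purposes" EKU in the thread corresponds to OID 2.5.29.37.0, the client certificate lives in the LocalMachine\My store, and `Get-ChainEkuReport` is a hypothetical helper name.

```powershell
# Added example: report the EKU entries of every certificate in a chain and
# flag CA certificates that carry anyExtendedKeyUsage.
# Assumption: the "all purposes" EKU from the thread is OID 2.5.29.37.0.
$AnyEku = '2.5.29.37.0'   # anyExtendedKeyUsage (RFC 5280)

function Get-ChainEkuReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Local inspection only: do not contact CRL or OCSP endpoints.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Certificate)

    $position = 0
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($ekuExt) {
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        # Position 0 is the client (leaf) certificate; a self-signed entry is a root.
        $role = if ($position -eq 0) { 'leaf' }
                elseif ($cert.Subject -eq $cert.Issuer) { 'root' }
                else { 'intermediate' }
        $finding = if ($position -gt 0 -and $oids -contains $AnyEku) {
            'CA certificate carries anyExtendedKeyUsage'
        } else { '' }

        [pscustomobject]@{
            Position = $position
            Role     = $role
            Subject  = $cert.Subject
            Ekus     = if ($oids.Count) { $oids -join ', ' } else { '(no EKU extension)' }
            Finding  = $finding
        }
        $position++
    }
}

# Inspect every certificate in the machine store (assumed location of the EAP-TLS client cert).
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-ChainEkuReport -Certificate $_ } |
    Format-Table -AutoSize
```

A non-empty Finding on an intermediate row points at the kind of chain the accepted solution says ISE rejects with error 12519.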