
EAP-TLS unsupported certificate

Hello,

 

We have had a working deployment with EAP-TLS and Windows 7 (TLS 1.0) for some time, and we are upgrading to Windows 10.

 

We are using the same root and issuing CA for both machines (Windows 7 and Windows 10),

but the Windows 10 machines are not working.

We are getting this error:

 

12519 EAP-TLS failed SSL/TLS handshake because of an unsupported certificate in the client certificate chain

EAP-TLS failed SSL/TLS handshake because of an unsupported certificate in the client certificate chain

 

I should also mention that the Windows 10 machines are using TLS 1.2.

 

I couldn't find any certificate requirements for the TLS 1.2 handshake on the Cisco website.

Can someone please help?

What does "unsupported certificate" even mean in this case?

 

 

1 Accepted Solution

For future reference, there was no problem with the ciphers or the TLS version.

It was indeed the certificate chain.

The intermediate certificate had an EKU "all purposes" in one of its EKU fields, and ISE simply does not accept that,

and this is expected behavior from ISE.
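
The check described in the accepted solution, as an added example that is not part of the original post and is not Cisco's code: it uses the third-party Python `cryptography` package to flag CA certificates in a chain whose EKU extension lists anyExtendedKeyUsage (OID 2.5.29.37.0), which is assumed here to be what the post calls "all purposes". The chain and every name in it are constructed sample data.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, NameOID

ANY_EKU = EKU.ANY_EXTENDED_KEY_USAGE  # OID 2.5.29.37.0 (assumed to be the post's "all purposes")

def ca_certs_with_any_eku(chain):
    """Return subjects of CA certificates whose EKU extension lists anyExtendedKeyUsage."""
    flagged = []
    for cert in chain:
        try:
            bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
            eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            continue  # no BasicConstraints, or no EKU extension at all: nothing to flag
        if bc.ca and ANY_EKU in eku:
            flagged.append(cert.subject.rfc4514_string())
    return flagged

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _make_cert(cn, issuer_cn, key, signing_key, is_ca, ekus):
    """Build one constructed test certificate (sample data, not from the thread)."""
    start = datetime.datetime(2024, 1, 1)
    builder = (x509.CertificateBuilder()
               .subject_name(_name(cn)).issuer_name(_name(issuer_cn))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(signing_key, hashes.SHA256())

def build_constructed_chain():
    """Leaf -> issuing CA -> root, with anyExtendedKeyUsage on the issuing CA only."""
    root_k, int_k, leaf_k = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _make_cert("Constructed Root CA", "Constructed Root CA", root_k, root_k, True, [])
    inter = _make_cert("Constructed Issuing CA", "Constructed Root CA", int_k, root_k, True,
                       [EKU.CLIENT_AUTH, ANY_EKU])
    leaf = _make_cert("constructed-client", "Constructed Issuing CA", leaf_k, int_k, False,
                      [EKU.CLIENT_AUTH])
    return [leaf, inter, root]

if __name__ == "__main__":
    for subject in ca_certs_with_any_eku(build_constructed_chain()):
        print("CA certificate lists anyExtendedKeyUsage:", subject)
```

To run it against a real chain, load each exported certificate with `x509.load_pem_x509_certificate` and pass the list to `ca_certs_with_any_eku`.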

 


2 Replies

Arne Bier
VIP

I saw this once a long time ago. Nothing to do with TLS version but with the cipher suite used. Normally RSA 2048 is found but the customer was using some proprietary Microsoft cipher that ISE didn't like. Have a look at the ISE release notes or install guide.
