
Endpoint from another country - 12511 Unexpectedly received TLS alert

Jalmeida
Level 1

Hello Guys,

Could you help me understand if this flow is correct?

Some employees came from another country and are reporting a problem with the corporate connection.

The ISE log reports that the endpoint does not trust the certificates that the ISE sends in the EAP process.

Our ISE does not validate machines, only users, and our rule does not validate certificates; it is PEAP/MSCHAPv2.

Since we were unable to find the employee from the other country, we are thinking of downloading the trusted certificates from the ISE there and importing them into the Trusted store in our ISE, so that at the time of connection the endpoint matches this certificate and connects.

Our idea is to use these certificates, since the endpoint already has them in its trusted root CA store, but our ISE does not.

The question is: do I have to download the .cer file, or if I download from the ISE in the other location and install it in .pem format as a trusted certificate in our ISE, will it work?

I'm really worried about following this flow and, when the collaborators arrive, having them complain that the problem still persists.

.cer or .pem, can they validate?

If it's .cer, it will take a while, but .pem is much faster.

3 Replies

Greg Gibbs
Cisco Employee

Importing the remote country's ISE certificates into the local ISE certificate store will not solve the problem.

With PEAP, the client validates the EAP certificate presented by ISE. You would either need to deploy the CA trust chain that signed the ISE EAP certificate into the trust store of the visiting client endpoints, or disable the server certificate validation in the endpoint supplicant (which is not recommended).

Hello @Greg Gibbs

Thanks for the update.

The issue is that they are random customers who come from another country.

I am trying to follow the guidelines in this documentation:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215621-tls-ssl-certificates-in-ise.html

An ISE PSN can only have a single EAP certificate installed, which is presented to the client for 802.1x. If the client is configured to require trusting the server certificate (which is recommended) for PEAP, then the trust chain that signed the ISE EAP certificate must be installed in the client trust store and the client supplicant would have to be configured to trust it.

If you have no management or control over the visiting customer endpoints, this would be nearly impossible to accommodate. You would be better off providing basic internet access (like Wireless Guest or BYOD) and letting them connect to necessary corporate assets via VPN or other means.
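The two replies above make one point: in PEAP the server certificate is checked by the supplicant against the client's own trust store, so the trust chain that signed the ISE EAP certificate has to live on the endpoint, and what sits in ISE's Trusted Certificates store is irrelevant to that check. The script below is an added example (not code from this thread or from Cisco) that reproduces this with openssl. It generates a hypothetical "Corp Root CA" (our chain), a hypothetical "Remote Root CA" (the other country's chain), and an EAP server certificate for a hypothetical PSN named ise-psn.corp.example; it then verifies that certificate the way a supplicant would, once with each trust bundle, and finally prints the wpa_supplicant network block a managed endpoint would need. All names and paths are invented for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco: reproduces with openssl
# why the PEAP server-certificate check passes or fails on the CLIENT side.
# All CAs, names (Corp Root CA, Remote Root CA, ise-psn.corp.example) and
# file paths are hypothetical and generated here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA with CN "$1", written to $WORK/$2.key and $WORK/$2.pem.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Issue the EAP server certificate that "our" ISE PSN would present during PEAP,
# signed by the corporate CA. The remote country's ISE has its own CA, which is
# the one the visiting endpoints already trust.
make_certs() {
    make_ca "Corp Root CA"   corp-ca     # our chain
    make_ca "Remote Root CA" remote-ca   # the other country's chain
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=ise-psn.corp.example" \
        -keyout "$WORK/ise-eap.key" -out "$WORK/ise-eap.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 1 -in "$WORK/ise-eap.csr" \
        -CA "$WORK/corp-ca.pem" -CAkey "$WORK/corp-ca.key" -CAcreateserial \
        -out "$WORK/ise-eap.pem" >/dev/null 2>&1
}

# The supplicant's job in PEAP: validate the certificate ISE presents against
# the client's OWN trust store ($1). Returns 0 on success, non-zero otherwise.
# ISE's own Trusted Certificates store plays no part in this check.
client_verifies() {
    openssl verify -CAfile "$1" "$WORK/ise-eap.pem" >/dev/null 2>&1
}

# Prints the wpa_supplicant network block a managed endpoint would need: the
# CA chain pinned via ca_cert, plus domain_match so that only the PSN's name is
# accepted even among certificates issued by the same CA. The password/credential
# lines are omitted on purpose.
supplicant_config() {
    cat <<EOF
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="visiting.user@corp.example"
    ca_cert="$1"
    domain_match="ise-psn.corp.example"
}
EOF
}

make_certs

# Visiting endpoint: trusts Remote Root CA only -> the failure the ISE log shows.
if client_verifies "$WORK/remote-ca.pem"; then
    echo "unexpected: a client trusting only Remote Root CA accepted our EAP cert"
else
    echo "visitor (Remote Root CA only): ISE server certificate NOT trusted"
fi

# Same endpoint after the corporate chain is installed in its trust store.
if client_verifies "$WORK/corp-ca.pem"; then
    echo "visitor with Corp Root CA installed: ISE server certificate trusted"
fi

# The supplicant side of the fix, with the chain's install path as an argument.
supplicant_config "/etc/ssl/certs/corp-ca.pem"
```

Note that nothing in the script touches the "server" trust store at all: importing remote-ca.pem into the Corp side would not change either result, which is the reason the thread's original plan cannot work. The only two levers are the client's ca_cert (plus domain_match) shown here, or disabling validation on the supplicant, which is the option the reply advises against.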