ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake after a client alert

kylerossd
Level 4

Hello,

Has anyone come across this error code before? I have looked in the 1.1.1 troubleshooting section and there is nothing there. When I click on the link for the description of the error in ISE I get the following error:

[screenshot: Error Code.png]

I set up 7925 phones for EAP-TLS using MIC. I have uploaded Cisco's Root CA and Manufacturing CA certificates and enabled "Trust for client authentication". A Certificate Profile is configured matching Common Name and is added to the Identity Sequence. I got some additional attribute information, where there is an error message:

OpenSSLErrorMessage=SSL alert code=0x233=563 ; source=remote ; type=fatal ; message="decrypt error"

[screenshot: Other Attributes.png]

Anyone know what this error means?

20 Replies

Hi Jatin Katyal,

yes, the ISE supports SHA-256, but the phones don't. That's why the log says "12815 Extracted TLS Alert message" and "The request sent by the client was syntactically incorrect" and "12521 EAP-TLS failed SSL/TLS handshake after a client alert".

FIPS mode is disabled anyway.

In my case the installed Cisco CA Root is SHA1 2048. The phones have the same root and manufacturing certificates installed as well as the MIC.

yes, CiscoRootCA is fine.

But your ISE certificates must be SHA-1 as well.

Is the only way to support SHA-256 to be in FIPS mode? We currently do not use FIPS, but we do want to use SHA-256 for clients. As for our phones (7925s), I may have the same issues.

FIPS mode won't do anything useful, if you try to authenticate your 7925 using EAP-TLS.

Let me try to explain:

When using EAP-TLS, the client (7925 in this case) has to trust your authentication server CA (your ISE) and vice versa. To accomplish this, you install the CiscoRootCA and CiscoManufacturingCA on your ISE and install the ISE's root CA certificates on the phones. As soon as your ISE's root CA certificate (which you have to install on the phones) is based on SHA256 it won't work, because the phones don't support any certificate based on SHA256.

To conclude: the only way to authenticate your 7925 using EAP-TLS is to make sure your ISE certificates and the appropriate certificate chain are based on SHA1.
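An added example, not taken from this thread or from Cisco: it decodes the OpenSSL alert code quoted in the original question (0x233, which is level 2 "fatal" and description 51 "decrypt_error" packed as (level << 8) | description) and walks an ISE certificate chain reporting which certificates are signed with SHA-256, which the 7925 phones cannot validate. The certificates here are constructed minimal DER fixtures (dummy tbsCertificate and signature bits), and the OIDs are the standard sha1WithRSAEncryption / sha256WithRSAEncryption values.

```python
# Added triage helpers (not ISE/Cisco code); certificates below are constructed DER fixtures.
TLS_ALERT_DESC = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
                  48: "unknown_ca", 51: "decrypt_error", 70: "protocol_version"}  # RFC 5246 7.2
TLS_ALERT_LEVEL = {1: "warning", 2: "fatal"}

def decode_openssl_alert(code):
    """OpenSSL's alert callback packs (level << 8) | description: 0x233 -> fatal, decrypt_error."""
    level, desc = code >> 8, code & 0xFF
    return TLS_ALERT_LEVEL.get(level, f"level_{level}"), TLS_ALERT_DESC.get(desc, f"alert_{desc}")

# signatureAlgorithm OID -> (name, usable by a supplicant that only understands SHA-1)
SIG_ALGS = {"1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
            "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
            "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
            "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
            "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False)}

def _tlv(buf, pos):
    """Read one DER TLV at pos (short and long-form lengths); returns (tag, value, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):                       # base-128 arcs; first byte packs arcs 1 and 2
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der_cert):
    """Dotted OID of the outer signatureAlgorithm: Certificate ::= SEQUENCE {tbs, sigAlg, sig}."""
    _, cert, _ = _tlv(der_cert, 0)
    _, _, after_tbs = _tlv(cert, 0)          # skip tbsCertificate
    _, sig_alg, _ = _tlv(cert, after_tbs)    # AlgorithmIdentifier SEQUENCE
    return _decode_oid(_tlv(sig_alg, 0)[1])  # its OBJECT IDENTIFIER

def audit_chain(chain):
    """Per certificate: (index, algorithm name, acceptable to a SHA-1-only phone)."""
    return [(i, *SIG_ALGS.get(signature_algorithm(der), ("unknown", False)))
            for i, der in enumerate(chain)]

def fixture_cert(sig_oid):
    """Constructed fixture: structurally valid Certificate with dummy tbs and signature bits."""
    der = lambda tag, v: bytes([tag, len(v)]) + v       # short-form DER encoder
    alg = der(0x30, der(0x06, sig_oid) + b"\x05\x00")   # AlgorithmIdentifier {oid, NULL}
    return der(0x30, der(0x30, b"\x02\x01\x01") + alg + der(0x03, b"\x00\xAA"))
SHA1_RSA, SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
if __name__ == "__main__":                  # prints ('fatal', 'decrypt_error') and the chain audit
    print(decode_openssl_alert(0x233), audit_chain([fixture_cert(SHA1_RSA), fixture_cert(SHA256_RSA)]))
```

To audit a real chain, feed `audit_chain` the DER bytes of each certificate exported from ISE; any entry with `False` in the last position is one the phones will reject.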

Andrew Woolman
Level 1

3 years later and I've run into this issue too. Cisco want us to just use a 2048-bit CA cert with SHA-1 when really they should upgrade the firmware of the phone to support 4096 SHA-2.