02-27-2014 08:24 AM - edited 03-10-2019 09:28 PM
Hi everyone!
I'm trying to implement ISE to authenticate a wireless network using a Cisco WLC 5508. I have an ISE virtual appliance version 1.2 and a WLC 5508 version 7.6 with several 3602e Access Points (20 approximately).
Right now they are authenticating with a RADIUS server (which I don't manage, it's out of my scope). The WLC uses this RADIUS server to authenticate using 802.1X and EAP-TLS (which means the clients need to have a valid certificate and be in the RADIUS database, which is integrated with Active Directory). I can't touch the CA either. So now I need to authenticate using Cisco ISE instead of the RADIUS server (at least directly). The problem is that for "security" reasons or whatever they don't let me integrate the ISE with the CA, so I added the RADIUS server as an external identity source and made my authentication policy rule point at it, like this:
If: Wireless_802.1X Allow Protocols: Default Network Access Use: RADIUS
Then I added ISE as a RADIUS Server on my WLC and made a Test SSID 802.1X pointing to ISE to authenticate and all that, I did some tests and I got this error:
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
Which means the clients are trying to do the EAP-TLS process to validate the certificate with the Cisco ISE (but ISE does not have the certificate because they won't let me integrate with the CA directly), so it fails. Is there any way I can do something to redirect that EAP-TLS handshake to the external RADIUS server? Making ISE kind of like a connecting point only for the authentication. I realize it's not the best scenario, but given the circumstances it's the best I can do for now. Later on I will add the AD to ISE and start creating some authorization policies based on that, but right now I just want them to authenticate.
Any help is appreciated, thanks in advance!
03-02-2014 11:19 PM
In the SSID properties, please uncheck "Validate server certificate"
03-03-2014 06:57 AM
Hi Saurav, thanks a lot for your response, excuse my ignorance but where exactly would that option be? I am checking in the WLAN section in WLC but can't find it, same within the ISE.
03-12-2014 10:34 PM
03-19-2014 05:04 PM
Ok so it's in the supplicant. Doesn't that mean that it will do the EAP-TLS process without validating the certificate, neither in ISE nor in the external RADIUS server?
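The suggestion above (uncheck "Validate server certificate" in the supplicant) makes the handshake succeed precisely because the client stops checking who it is doing EAP-TLS with, which is the property that lets a client tell the real RADIUS server from a rogue access point. As an added example that is not part of this thread, the following Python script audits Windows EAP-TLS wireless profiles (the XML you get from `netsh wlan export profile`) for that weakened state. The element and namespace names follow the Windows EapHostConfig schema as this example understands it, and the semantics of `PerformServerValidation`, `DisableUserPromptForServerValidation`, `ServerNames` and `TrustedRootCA` are assumptions stated in the comments; both profiles are constructed here, and the CA thumbprint is a placeholder.

```python
import xml.etree.ElementTree as ET

# Namespaces of Windows EapHostConfig profiles (assumed from the public schema names).
NS = {
    "eh": "http://www.microsoft.com/provisioning/EapHostConfig",
    "ec": "http://www.microsoft.com/provisioning/EapCommon",
    "be": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "tls": "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1",
    "tls2": "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2",
}


def _profile(perform_validation, server_names, root_ca, disable_prompt):
    """Build a constructed EAP-TLS (EAP type 13) EapHostConfig fragment for this example."""
    ca = f"<TrustedRootCA>{root_ca}</TrustedRootCA>" if root_ca else ""
    return f"""<EapHostConfig xmlns="{NS['eh']}">
  <EapMethod>
    <Type xmlns="{NS['ec']}">13</Type>
    <AuthorId xmlns="{NS['ec']}">0</AuthorId>
  </EapMethod>
  <Config>
    <Eap xmlns="{NS['be']}">
      <Type>13</Type>
      <EapType xmlns="{NS['tls']}">
        <CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource>
        <ServerValidation>
          <DisableUserPromptForServerValidation>{str(disable_prompt).lower()}</DisableUserPromptForServerValidation>
          <ServerNames>{server_names}</ServerNames>
          {ca}
        </ServerValidation>
        <DifferentUsername>false</DifferentUsername>
        <PerformServerValidation xmlns="{NS['tls2']}">{str(perform_validation).lower()}</PerformServerValidation>
        <AcceptServerName xmlns="{NS['tls2']}">{'true' if server_names else 'false'}</AcceptServerName>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>"""


def audit_eap_tls_profile(xml_text):
    """Return a list of findings; an empty list means the supplicant pins the RADIUS server."""
    root = ET.fromstring(xml_text)
    if root.findtext("eh:EapMethod/ec:Type", namespaces=NS) != "13":
        return ["not an EAP-TLS profile"]
    tls = root.find("eh:Config/be:Eap/tls:EapType", NS)
    if tls is None:
        return ["EAP-TLS settings block missing"]

    # Assumed meaning: PerformServerValidation=false is the "Validate server certificate"
    # box unchecked; the client then accepts any server certificate in the TLS handshake.
    perform = tls.findtext("tls2:PerformServerValidation", default="true", namespaces=NS)
    if perform.strip().lower() != "true":
        return ["server certificate validation disabled: any RADIUS server with any certificate is accepted"]

    findings = []
    sv = tls.find("tls:ServerValidation", NS)
    if sv is None:
        return ["validation enabled but no ServerValidation block: nothing is pinned"]
    # Assumed meaning: empty ServerNames accepts any subject from a trusted CA.
    if not sv.findtext("tls:ServerNames", default="", namespaces=NS).strip():
        findings.append("no server name restriction: any certificate chaining to a trusted root is accepted")
    # Assumed meaning: no TrustedRootCA trusts every root in the machine store.
    if not sv.findall("tls:TrustedRootCA", NS):
        findings.append("no trusted root CA pinned: every root in the machine store is accepted")
    # Assumed meaning: prompt not disabled lets the user accept an unvalidated server by hand.
    prompt = sv.findtext("tls:DisableUserPromptForServerValidation", default="false", namespaces=NS)
    if prompt.strip().lower() != "true":
        findings.append("user prompt enabled: an unvalidated server can be accepted interactively")
    return findings


# Constructed sample profiles (not captured from a real host).
WEAK_PROFILE = _profile(perform_validation=False, server_names="", root_ca="", disable_prompt=False)
PARTIAL_PROFILE = _profile(perform_validation=True, server_names="", root_ca="", disable_prompt=False)
HARDENED_PROFILE = _profile(perform_validation=True, server_names="radius.example.test",
                            root_ca="PLACEHOLDER-THUMBPRINT-OF-ISSUING-CA", disable_prompt=True)

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("partial", PARTIAL_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_eap_tls_profile(prof) or ["OK"])
```

The three constructed profiles cover the states that matter here: validation switched off entirely (what the advice above amounts to), validation on but nothing pinned (the handshake checks a chain but not which server), and a profile that names the RADIUS server and its issuing CA. Re-enabling validation only helps once the server the client actually talks to, ISE in this thread, presents a certificate the clients already trust, so the check belongs next to fixing the ISE-side certificate rather than as a standalone setting.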