ISE 1.4 not sending complete cert chain to client EAP-FAST Mach Auth

Eric Hansen
Level 1

Hello, I've opened a ticket with TAC and they reported this as a potential bug. I am curious if anyone has seen this or if there is a workaround or things I can try.

I'm running ISE 1.4 in a distributed deployment (1 PriAdmin, 1 PriMon, 4 PSNs), my client is Win7 with the AnyConnect 4.1 client, and I am trying to do Machine Authentication prior to user login with EAP-Chaining per the following TrustSec document that was apparently updated in Feb 2015 (although it looks identical to the one in 2011): http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-82_Deploy_EAP_Chaining.pdf

When the client tries to auth it prompts for the password over and over, and the machine in ISE throws an error that says "12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate". And then the long-winded:

"Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information."

TAC recommended running the AC client with extended logging and then exporting the DART package. In the DART package there is a capture file of the problem. In the decode of that you can see that the ISE server is sending the ISE certificate, then the DigiCert intermediate CA, but is not sending the DigiCert root certificate... hence invalidating the chain and causing machine auth to fail. The intermediate and root CAs are both installed on ISE as trusted.

I'm stuck, no idea how to proceed. Or wait an entirely unknown amount of time while development comes up with something (hopefully); show stopper for us.

Any advice is greatly appreciated.

1 Reply

Eric Hansen
Level 1

So passing this along in case anyone runs into this same problem.

As I understand it, it's a normal part of the TLS operation for the server to automatically send its certificate chain down to the client as part of the "server hello, certificate" packet. And at no point preceding that packet is there a packet that goes from the client to the server requesting particular parts, the entirety, or none of the certificate chain; the client should have no control over the contents of the server hello packet (please correct me if I am wrong) with respect to the chain. Or at least in this EAP-FAST/inner EAP-TLS use case.

So for reasons unknown to me, the ISE server was sending a partial cert chain. Myself, some VAR engineers, and TAC all saw this the same way... as a problem on ISE or even potentially as a bug.

In a moment of frustration, I wiped the test unit's operating system (Win7) and let the device reconnect to ISE, which pushed AC 4.1 back down to the test unit, and the problem went away. Bear in mind that all the evidence presented in the debug logs and the extended logging logs on AC 4.1 pointed to an ISE server problem.

No idea how this problem was caused, which to me is just as frustrating. It also tells me that there are going to be N% of my clients that will have to have something done to their local OSs when this problem happens again, and it seems likely that it will happen again to some degree.

Moral of the story: always test with multiple units of the same type, and never give up on a problem.
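The chain problem described in this thread (server sends leaf plus intermediate, root missing, client rejects it) can be checked mechanically once you have the bytes of the TLS Certificate handshake message out of a capture. The following is an added example, not code from the thread, ISE or AnyConnect: it builds that message from constructed stub certificates (names only, no keys or signatures, so only name linkage is checked, not signatures), parses it back the way a client would, and reports where the chain stops linking to something in the client's trust store.

```python
# Added example (not from the thread): constructed stub certs, name linkage only, no signature checks.
def der(tag, payload):                      # short-form DER TLV (payload < 128 bytes, enough for the stubs)
    return bytes([tag, len(payload)]) + payload
def tlv(buf, i=0):                          # decode TLV at offset i -> (tag, value, next_offset)
    tag, n, j = buf[i], buf[i + 1], i + 2
    if n & 0x80:                            # long-form length, as real certificates use
        n, j = int.from_bytes(buf[j:j + (n & 0x7F)], "big"), j + (n & 0x7F)
    return tag, buf[j:j + n], j + n
def children(value):                        # TLVs packed inside a SEQUENCE/SET value
    out, i = [], 0
    while i < len(value):
        tag, val, i = tlv(value, i)
        out.append((tag, val))
    return out
def fake_cert(subject_cn, issuer_cn):       # stub with only the TBSCertificate fields a chain walk needs
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer_cn) + der(0x30, b"") + name(subject_cn) + der(0x30, b""))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
def subject_issuer(cert_der):               # (subject, issuer) Name DER of a certificate
    fields = children(children(tlv(cert_der)[1])[0][1])   # Certificate -> TBSCertificate fields
    if fields[0][0] == 0xA0:                # skip the optional explicit [0] version
        fields = fields[1:]
    return fields[4][1], fields[2][1]       # serial, sigalg, issuer, validity, subject, ...
def certificate_message(certs):             # TLS Certificate handshake: type 11, 3-byte lengths throughout
    body = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(body).to_bytes(3, "big") + body
    return b"\x0b" + len(body).to_bytes(3, "big") + body
def parse_certificate_message(msg):         # split the message back into DER certificates, in sent order
    assert msg[0] == 11, "not a Certificate handshake message"
    end, i, certs = 7 + int.from_bytes(msg[4:7], "big"), 7, []
    while i < end:
        n = int.from_bytes(msg[i:i + 3], "big")
        certs.append(msg[i + 3:i + 3 + n])
        i += 3 + n
    return certs
def chain_gap(msg, client_trust_store):
    # None if each sent cert is followed by its issuer until one is trusted by the client;
    # otherwise the index of the first cert whose issuer is neither sent next nor trusted.
    sent = [subject_issuer(c) for c in parse_certificate_message(msg)]
    trusted = {subject_issuer(r)[0] for r in client_trust_store}
    for k, (subj, iss) in enumerate(sent):
        if iss in trusted:
            return None                     # chain reaches the client's trust store
        if k + 1 == len(sent) or sent[k + 1][0] != iss:
            return k                        # issuer neither sent next nor trusted
    return 0                                # nothing sent at all
# Constructed sample mirroring the capture: leaf + intermediate sent, root omitted.
ROOT, INTER, LEAF = [fake_cert(s, i) for s, i in [("Example Root CA", "Example Root CA"),
    ("Example Intermediate CA", "Example Root CA"), ("ise-psn.example.test", "Example Intermediate CA")]]
SERVER_CERT_MSG = certificate_message([LEAF, INTER])
```

With the root absent from the client's store, `chain_gap(SERVER_CERT_MSG, [])` returns 1 (the intermediate has no issuer anywhere the client can see), while `chain_gap(SERVER_CERT_MSG, [ROOT])` returns None.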