
ISE 2.0 - Error | 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

hafiez_abn
Level 1

Hi all, 

Inquiring about this problem, as many users are facing it without any modification to their machine/laptop.

When connecting to the 802.1X Wi-Fi, Windows pops up the error message "Windows was unable to connect".

After deleting the user cert from Internet Options and deleting the Wi-Fi profile for re-provisioning purposes, it still fails with the Windows error.

On top of that, I tried to delete the machine profile from the ISE endpoint identities to re-provision the user's machine, but it ended with the same Windows error.

Could it be related to this bug?

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux69800/?referring_site=bugquickviewclick

The environment is using Windows 7 and ISE v2.0.1.130,

and please share if you have encountered the same problem and a workaround for it.

 


7 Replies

Gagandeep Singh
Cisco Employee

Hi,

Do you have the full certificate chain installed on ISE, and is the "Trust for authentication" option chosen?

Also, could you please confirm whether a wildcard certificate is in use for the ISE identity certificate.

Otherwise you can also try the

Workaround:
perform a manual synchronization between the nodes in the distributed deployment.

Regards

Gagan

PS: rate if it helps!

Hi Gagandeep,

1. How do I check the certificate chain and wildcard cert in ISE?

2. Do you mean the manual sync menu is under Administrator > Deployment > Deployment Node?

1) The certificate can be checked under Administrator > System > Certificate > System identity

Administrator > System > Certificate > Trusted store.

2) Manual sync is under Administrator > Deployment > Deployment node.

Select a node and do a manual sync.

Regards

Gagan

Hi Gagan,

I have checked:

1. "Trust for authorities" is enabled/ticked for every certificate in the chain.

2. Wildcard is not enabled for these nodes.

and I also performed a sync for the secondary node.

Are those steps related to the error? Hopefully you can explain, because I have no idea why this error is triggering.

Generally this error comes when there is a certificate mismatch between client and server. Also confirm whether the client has the complete CA chain for the server in its trusted store.

In EAP-TLS, it's mutual authentication in terms of certificate exchange between client and server.

Both have to trust each other.
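Added example (not part of the thread, not Cisco's or ISE's code): the 12514 message says ISE could not chain the supplicant's certificate to anything in its Trusted Certificates store, which is the "full certificate chain installed" point raised above. The script below reproduces that trust-store logic with openssl. It constructs a made-up two-tier PKI (a root CA, an issuing CA, and one client certificate; all names, paths and key sizes are invented for the demo) and then checks the client certificate against three candidate trust stores, standing in for what ISE holds. It also shows the case where the supplicant itself sends the issuing CA in the handshake, which is why the same trust store can accept some clients and reject others.

```shell
#!/bin/sh
# Added example: why a client cert fails as "unknown CA" against a trust store
# that holds only part of its chain. Everything here is constructed inline.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal extension profiles (assumed, so behaviour does not depend on openssl.cnf)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext

# Root CA, self-signed
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -sha256 \
    -extfile ca.ext -out root.crt 2>/dev/null

# Issuing (intermediate) CA, signed by the root
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Issuing CA" \
    -keyout issuing.key -out issuing.csr 2>/dev/null
openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -sha256 -extfile ca.ext -out issuing.crt 2>/dev/null

# Client (supplicant) certificate, signed by the issuing CA
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=user1@example.com" \
    -keyout user.key -out user.csr 2>/dev/null
openssl x509 -req -in user.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
    -days 1 -sha256 -extfile client.ext -out user.crt 2>/dev/null

# Three candidate trust stores, standing in for the ISE Trusted Certificates store
cat root.crt > store_root_only.pem
cat issuing.crt > store_issuing_only.pem
cat root.crt issuing.crt > store_full_chain.pem

USER_CRT="$WORK/user.crt"
ISSUING_CRT="$WORK/issuing.crt"
STORE_ROOT_ONLY="$WORK/store_root_only.pem"
STORE_ISSUING_ONLY="$WORK/store_issuing_only.pem"
STORE_FULL_CHAIN="$WORK/store_full_chain.pem"

# trust_result STORE CERT [UNTRUSTED_INTERMEDIATES]
# Prints TRUSTED when CERT chains to a root in STORE, UNKNOWN_CA otherwise.
# The optional third file models a supplicant that sends its issuing CA in
# the TLS handshake instead of relying on the server already having it.
trust_result() {
    store="$1"; cert="$2"
    shift 2
    if [ $# -gt 0 ]; then set -- -untrusted "$1"; else set --; fi
    if openssl verify -CAfile "$store" "$@" "$cert" >/dev/null 2>&1; then
        echo TRUSTED
    else
        echo UNKNOWN_CA
    fi
}

echo "root only, leaf alone:           $(trust_result "$STORE_ROOT_ONLY" "$USER_CRT")"
echo "issuing CA only, leaf alone:     $(trust_result "$STORE_ISSUING_ONLY" "$USER_CRT")"
echo "root + issuing CA, leaf alone:   $(trust_result "$STORE_FULL_CHAIN" "$USER_CRT")"
echo "root only, supplicant sends CA:  $(trust_result "$STORE_ROOT_ONLY" "$USER_CRT" "$ISSUING_CRT")"
```

The first two cases are the 12514 situation: the leaf alone cannot be chained when the store is missing either the issuing CA or the root. The fourth case is why the symptom can be client-specific: a supplicant that includes its issuing CA in the handshake validates against a root-only store, while one that sends only the leaf does not. Installing the complete chain (case three) removes that dependency on supplicant behaviour.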

Hi, we also have the same issue, but no matter what I do I can't do a manual sync; it seems to be greyed out! We did have another issue prior whereby the Context Visibility page was not visible, and I followed this link:

https://supportforums.cisco.com/t5/cisco-bug-discussions/cscvd38251-unable-to-load-context-visibility-page/td-p/3067112

 

and enabled 'Cisco services' as it suggested. This got rid of the Context Visibility page error, but we now have some clients not able to connect via corporate Wi-Fi using EAP-TLS and certificates issued by our CA server!

 

Exactly the same error message as at the start of this thread...

 

Why can't I do a MANUAL sync if this fixes it!! Please!!

(attached: Screenshot_1.png)