Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
13123
Views
0
Helpful
6
Replies

ISE 2.0 - Error | 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

Go to solution
hafiez_abn
Level 1
Level 1

‎12-13-2016 07:32 PM - edited ‎03-11-2019 12:17 AM

Hi all, 

Inquiring about this problem as many user facing this problem without any modification to their machine/laptop.

During connect to the 802.1X wifi, windows popup error message " windows was unable to connect" 

After delete user cert from internet option and delete Wi-Fi for re provisioning purpose, it is still failed and get windows error.

On top of that tried to delete machine profile from ise endpoint identity for re provisioning the user'machine but ending with same windows error.

It's could be related to this bug ? 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux69800/?referring_site=bugquickviewclick

The environment using windows 7 and ise v2.0.1.130

and please share if your guys encounter the same problem and workaround for this problem. 

 

1 person had this problem
Labels:
Preview file
200 KB
Preview file
146 KB
Preview file
132 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee
In response to hafiez_abn

‎12-15-2016 01:03 AM

1) Certificate can be checked under  Administrator >  System > Certificate > System identity 

Administrator > System > certificate > Trusted store.

2) Manual sync up under Administrator>Deployment> Deployment node.

Select a node and do manual sync up.

Regards

Gagan

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee

‎12-14-2016 12:46 AM

Hi,

If you have full certificate chain in installed on ISE and "Trust for authentication" option is chosen.

Also could you please confirm if wildcard certificate in use for ISE identity certificate.

Otherwise you can also try the 

Workaround:
perform a manual synchronization between the nodes in distributed deployment

Regards

Gagan

ps : rate if it helps!!!!

0 Helpful

Go to solution
hafiez_abn
Level 1
Level 1
In response to Gagandeep Singh

‎12-14-2016 11:55 PM

Hi Gagandep,

1. How to check the certification chain and wildcard cert in ISE?

2. Do you mean the manual syn menu is under Administrator>Deployment>Deployment Node?

0 Helpful

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee
In response to hafiez_abn

‎12-15-2016 01:03 AM

1) Certificate can be checked under  Administrator >  System > Certificate > System identity 

Administrator > System > certificate > Trusted store.

2) Manual sync up under Administrator>Deployment> Deployment node.

Select a node and do manual sync up.

Regards

Gagan

0 Helpful

Go to solution
hafiez_abn
Level 1
Level 1
In response to Gagandeep Singh

‎12-16-2016 09:25 AM

hi Gagan,

I have checked :

1 . Trust for authorities is enable/tick for every certificate chain.

2.  Wildcard is not unable for this nodes

and aslo performed syn for secondary node

Does those step related to the error, hopefully you can explain cause I no idea why this error triggering. 

0 Helpful

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee
In response to hafiez_abn

‎12-16-2016 10:52 AM

Generally this error comes there is a certificate mismatch b/w client and server. Also confirm that whether client has complete CA chain in trusted store for server.

In EAP-TLS, it's mutual authentication in terms of certificate exchange b/w client and server.

Both have to trust each other.

0 Helpful

Go to solution
EMR.Networks
Level 1
Level 1
In response to Gagandeep Singh

‎09-26-2017 05:12 AM

Hi we also have the same issue but no matter what I do I cant do a Manual synch  it seems to be Greyed out!  We did have another issue prior whereby the Context visibility page was not visible and I followed this link:-

https://supportforums.cisco.com/t5/cisco-bug-discussions/cscvd38251-unable-to-load-context-visibility-page/td-p/3067112

 

and enabled ' Cisco services' as its suggested this got rid of the Context visbility page error but we now have some clients not able to connect via Corporate wifi using EAP-TLS and our CA server issued certs!

 

Exactly same error message as start of this thread.....

 

Why can't I do a MANUAL synch if this fixes it!!  Please!!!

0 Helpful
Customers Also Viewed These Support Documents