I have two standalone ISE appliances, one on ISE 2.2, the other on ISE 2.7 (not in a cluster). I'm trying to replace my ISE 2.2 with the ISE 2.7 appliance. They are both set up identically with 802.1X using PEAP (EAP-TLS). Both have certs issued from the same CA, and both have the same root CA certificates installed that are also installed on my workstations.
The issue I'm having is that when I try to cut over one of my LAN switches to the new ISE, my machines connected to that switch fail authentication with the error "12511 Unexpectedly received TLS alert message; treating as a rejection by the client".
When I do a Wireshark capture on my workstation, it only shows an encrypted alert message after the certificate exchange, so it doesn't give much info as to why, but I can see the certificate exchange, and ISE is sending the correct certificate/chain.
I was able to get one system to authenticate by switching the Windows supplicant from PEAP (EAP-TLS) to EAP-TLS. It authenticated with EAP-TLS, and when I then switched it back to PEAP (EAP-TLS) it authenticated correctly with PEAP (EAP-TLS).
To me it seems like something is being cached on the workstation or switch that breaks the cert authentication.
Is there something I need to do on the switch, ISE, or Workstation to do a switch-over like this?
I've tried rebooting the workstation, restarting the Wired AutoConfig service, turning off server verification on the supplicant, and defaulting the switchport the workstation was connected to.
Any suggestions would be appreciated.
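The capture in the post shows the client sending an encrypted TLS alert right after the server's certificate exchange, which is the point where the supplicant has just evaluated the EAP server's chain. Below is an added example, not code from the original post, of the offline checks a practitioner would run against the chain the new ISE presents before cutting a switch over: that the leaf chains to the root the workstation trusts using only the intermediates the server actually sends, that the leaf carries the serverAuth EKU the Windows supplicant expects of an EAP server, and what the root's fingerprint is so it can be compared with the copy in the workstation's store. It builds a throwaway lab PKI with the openssl CLI so it runs stand-alone; the CA names, the hostname ise27.lab.example and all file names are constructed for the example and are not from the post. It needs OpenSSL 1.1.1 or newer and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks on the chain an
# EAP server presents, using only the openssl CLI. A throwaway lab PKI is built
# in a temp directory so the checks have input; every name and path below is a
# constructed assumption. Requires OpenSSL 1.1.1+.
set -u

# issue DIR NAME SUBJECT EXTFILE CA_CERT CA_KEY
# Generate a key + CSR for SUBJECT, then sign it with the given CA and extensions.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1/$2.csr" -CA "$5" -CAkey "$6" -CAcreateserial \
    -days 825 -sha256 -extfile "$4" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_lab_pki DIR: root CA -> issuing CA -> two server certs, one carrying the
# serverAuth EKU a Windows supplicant requires of its EAP server, one without it.
make_lab_pki() {
  dir="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ise27.lab.example\n' > "$dir/server.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\nsubjectAltName=DNS:ise27.lab.example\n' > "$dir/noeku.ext"

  # Self-signed root with explicit CA extensions (no reliance on openssl.cnf defaults).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Lab Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -sha256 -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1

  issue "$dir" int   "/CN=Lab Issuing CA"    "$dir/ca.ext"     "$dir/root.pem" "$dir/root.key"
  issue "$dir" ise27 "/CN=ise27.lab.example" "$dir/server.ext" "$dir/int.pem"  "$dir/int.key"
  issue "$dir" noeku "/CN=ise27.lab.example" "$dir/noeku.ext"  "$dir/int.pem"  "$dir/int.key"
}

# chain_validates ROOT LEAF [INTERMEDIATE...]
# Succeeds only if LEAF chains to ROOT using just the supplied intermediates,
# which is all a supplicant that trusts ROOT can build from what the server sends.
chain_validates() {
  root="$1"; leaf="$2"; shift 2
  untrusted=""
  for f in "$@"; do untrusted="$untrusted -untrusted $f"; done
  # shellcheck disable=SC2086  # word splitting of the option list is intended
  openssl verify -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1
}

# has_server_auth CERT: succeeds if the EKU extension lists serverAuth.
has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# fingerprint CERT: SHA-256 fingerprint (hex only), to compare the root shipped
# in the server's chain with the root installed on the workstation.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# report ROOT LEAF [INTERMEDIATE...]: human-readable summary of the three checks.
report() {
  if chain_validates "$@"; then
    echo "chain: OK"
  else
    echo "chain: FAIL (leaf does not chain to the root with the intermediates supplied)"
  fi
  if has_server_auth "$2"; then
    echo "eku:   serverAuth present"
  else
    echo "eku:   serverAuth MISSING (a Windows supplicant will reject this EAP server cert)"
  fi
  echo "root:  $(fingerprint "$1")"
}

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
make_lab_pki "$LAB"
echo "== full chain, serverAuth EKU"; report "$LAB/root.pem" "$LAB/ise27.pem" "$LAB/int.pem"
echo "== intermediate not sent";      report "$LAB/root.pem" "$LAB/ise27.pem"
echo "== leaf with wrong EKU";        report "$LAB/root.pem" "$LAB/noeku.pem" "$LAB/int.pem"
```

To use it against a real deployment, export the EAP server certificate and the intermediates from the new ISE's System Certificates page, export the root from a workstation's Trusted Root store, and call `report root.pem leaf.pem intermediate.pem` with those files instead of the lab ones. `openssl verify` is deliberately run without `-purpose`, so the chain check and the EKU check stay independent and the output tells you which of the two is wrong.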