ISE 2.4 EAP-TLS: Certificate for Admin or Portal use must contain server authc in EKU

KelvinT
Level 1

Hi,

When I try to bind the ISE cert after receiving the response from the CA server, I get the following error:

"Certificate for Admin or Portal use must contain server authentication in the Extended Key Usage (EKU) certificate."

Any idea?

Also, when I attempt to authc a Win10 with AnyConnect, it fails with the following error on ISE:

Client rejected ISE local cert. Or something like that.

1- Both client and ISE trust the AD CA

2- Both ISE and client got their certs from the AD CA

Any idea?

2 Accepted Solutions

Colby LeMaire
VIP Alumni

You need to have the CA administrator modify the certificate template to use one that allows for Server Authentication when issuing the ISE Admin certificate.  Typically a Web Server template will have the same usages as what ISE needs.  That may also cause the client to reject the certificate from ISE as well.

That was it! The CA server had all sorts of issues, but once that was fixed we were able to create a duplicate web server template.

Thanks!
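
A pre-bind check for the Server Authentication EKU discussed in this thread, as an added example that is not part of the original posts: it inspects a certificate with the openssl CLI and reports whether its EKU lists Server Authentication. The function names, file names and the `ise-demo.example.test` subject are constructed for the demo, and the two self-signed certificates only stand in for what a CA template would issue.

```shell
#!/bin/sh
# Added example: check a CA-issued certificate's EKU before binding it.

# Return 0 if the PEM certificate in $1 lists the EKU purpose named in $2.
# openssl prints serverAuth (OID 1.3.6.1.5.5.7.3.1) as
# "TLS Web Server Authentication".
has_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q "$2"
}

# Report whether the certificate carries the Server Authentication EKU
# that the ISE error message asks for.
check_for_ise_admin() {
    if has_eku "$1" 'TLS Web Server Authentication'; then
        echo "OK"
    elif openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo "MISSING_SERVER_AUTH"   # parses, but EKU lacks serverAuth
    else
        echo "UNREADABLE"            # not a readable PEM certificate
    fi
}

# Build a throwaway self-signed cert with the EKU in $2 (constructed input).
make_demo_cert() {
    out=$1; eku=$2
    cat > "$out.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = ise-demo.example.test
[ext]
extendedKeyUsage = $eku
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$out.cnf" -keyout "$out.key" -out "$out" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
make_demo_cert "$DEMO_DIR/client_only.pem" clientAuth
make_demo_cert "$DEMO_DIR/web_server.pem" serverAuth,clientAuth
check_for_ise_admin "$DEMO_DIR/client_only.pem"
check_for_ise_admin "$DEMO_DIR/web_server.pem"
```

To check a real certificate, pass the PEM file returned by the CA to `check_for_ise_admin` instead of the demo files.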