08-01-2012 03:04 AM - edited 03-10-2019 07:22 PM
Hi
We're planning on implementing eap-tls for our corporate iPads and in the past I've successfully tested it authenticating against ACS5.3 but now that we've moved to ISE (1.1.1.24) I'm getting an error.
I've tried two different profiles, one with a certificates and AD credentials and the other one with just certificates but the error message is the same for both.
EAP-TLS is enabled in the 'Default Network Access' authentication result.
Can anyone shine a light on where I'm going wrong?
Thanks
Martin
Solved! Go to Solution.
08-13-2012 09:06 AM
Yes that is correct, the certificate that is being presented to ISE doesnt include the identity of the client, that is the reason the attempt fails.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-01-2012 03:48 AM
You need to define a certificate authentication profile and then select this as the result (Identity Source) in the authentication policy
You can create a certicate authentication profile at: Administration->Identity management->External Identity Sources->Certificate Authentication Profile
There error you are seeing occurs when trying to "authenticate" the request based on a clinet certifcate but result is an identity store (AD, LDAP etc)
04-22-2013 03:40 PM
Hi
If I only want to install the certificate manually on the user device does I still need a SCEP server?
Thanks,
Regards,
08-19-2019 01:09 AM
08-01-2012 03:49 AM
Martin,
If you go the authentication policy page and expand your rules you can choose the result to be certificate authentication profile that you created.
If you have a mixture of peap or other password based methods, your best option is to create an identity sequence store. This allows you to use a certificate authentication profile along with a list of databases for password based authentication also. One you create this rule, go back to authentication policies and set this as the result and you should be good to go.
Thanks,
Tarik
Sent from Cisco Technical Support iPad App
08-06-2012 08:32 AM
Thanks for your help so far Tarik and jrabinow I'm no longer getting that message, instead I'm getting the following message when I try to connect:
12519 EAP-TLS failed SSL/TLS handshake because of an unsupported certificate in the client certificate chain
We're using MS certificate services, the ipad has the root CA certificate and the active ca services server certificate as well as the user certificate. The ISE has a certificate generated on the active cert services server and also has the root CA certificate in it's certificate store.
All the certificates seem to be valid back to the root CA certificate.
Any ideas?
Thanks
Martin
08-06-2012 08:47 AM
Martin,
Do you have any intermediate certificates? If so, then you will have to import those in to the ISE certificate trusted certificate store, and you will have to select the checkbox "Trust for client with eap-tls"
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html#wp1053515
Thanks,
Tarik Admani
*Please rate helpful posts*
08-07-2012 12:37 AM
We've got 1.1 so the options are a bit different but I've installed the root certificate and the ca server certificate on ISE in the certificate store and 'Trust for client authentication' is enabled.
There is a sub-option 'Enable Validation of Certificate Extensions (accept only valid certificate)' that I enabled when I installed the certificate but when I look at it now it's greyed out.
In addition the primary and secondary ISE certificates also has the trust option enabled.
Thanks
Martin
08-07-2012 12:41 AM
Can you post a screeshot of the certificate that is installed on the Ipad? Also post a screenshot of the certificate on ISE. I would like to see the serial numbers of the root to see if they are identical.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-07-2012 02:02 AM
08-07-2012 03:39 AM
Thanks Martin,
Can you get me the screenshot of the root certificate that is installed on the ipad, along with another screenshot of the user certificate (I will like to see the "issued to" and "issued by" attributes)
Thanks,
Tarik Admani
*Please rate helpful posts*
08-07-2012 05:40 AM
08-07-2012 10:03 AM
Martin,
There seems to be an intermediate certificate or you have the wrong root certificate imported into the ISE. Can you click on the certificate path (top right tab). Take a look at the "issued by" field in the usercert.png and then look at the name of the root certs that you attached. The signer of your user cert is NHSG-CS-01, the root cert on the ISE node is NHSG-CS-ROOT.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-08-2012 01:05 AM
Tarik
NHSG-CS-01 is the active CS server that issued the certificate, NHSG-CS-ROOT is off at the recommendation of a microsoft employee when she helped our server team setup CS an so can't issue certificates.
The NHSG-CS-01 certificate is on both the iPad and ISE and on the ISE it's enabled for authentication.
Thanks
08-08-2012 05:44 AM
Tarik
So I removed NHSG-CS-ROOT from both the iPad profile and the ISE certificate store leaving the ipad with only the personal certificate and the NHSG-CS-01 certificate.
The ISE certificate store now has with both primary and secondary ISE certificates and the NHSG-CS-01 certificate.
For the two ISE certificates I've unchecked the 'Trust for client authentication' check boxes so the only certificate in the certificate store that has that check box checked is NHSG-CS-01.
Authentication is still failing with the same message about the unsupported certificate.
Interestingly each time I appy the policy to the ipad and try to connect wirelessly it prompts to accept the primary ISE certificate that was issued by NHSG-CS-01, that shouldn't be happening should it?
Thanks
Martin
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide