cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
65616
Views
15
Helpful
28
Replies

ISE and EAP-TLS

M. Wisely
Level 4
Level 4

Hi

We're planning on implementing eap-tls for our corporate iPads and in the past I've successfully tested it authenticating against ACS5.3 but now that we've moved to ISE (1.1.1.24) I'm getting an error.

22045  Identity policy result is configured for password based authentication  methods but received certificate based authentication request

I've tried two different profiles, one with a certificates and AD credentials and the other one with just certificates but the error message is the same for both.

EAP-TLS is enabled in  the 'Default Network Access' authentication result.

Can anyone shine a light on where I'm going wrong?

Thanks

Martin

1 Accepted Solution

Accepted Solutions

Yes that is correct, the certificate that is being presented to ISE doesnt include the identity of the client, that is the reason the attempt fails.

Thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

28 Replies 28

jrabinow
Level 7
Level 7

You need to define a certificate authentication profile and then select this as the result (Identity Source) in the authentication policy

You can create a certicate authentication profile at: Administration->Identity management->External Identity Sources->Certificate Authentication Profile

There error you are seeing occurs when trying to "authenticate" the request based on a clinet certifcate but result is an identity store (AD, LDAP etc)

Hi

If I only want to install the certificate manually on the user device does I still need a SCEP server?

Thanks,

Regards,

dude, thanks so much.

Tarik Admani
VIP Alumni
VIP Alumni

Martin,

If you go the authentication policy page and expand your rules you can choose the result to be certificate authentication profile that you created.

If you have a mixture of peap or other password based methods, your best option is to create an identity sequence store. This allows you to use a certificate authentication profile along with a list of databases for password based authentication also. One you create this rule, go back to authentication policies and set this as the result and you should be good to go.

Thanks,

Tarik

Sent from Cisco Technical Support iPad App

Thanks for your help so far Tarik and jrabinow I'm no longer getting that message, instead I'm getting the following message when I try to connect:

12519 EAP-TLS failed SSL/TLS handshake because of an unsupported certificate in the client certificate chain

We're using MS certificate services, the ipad has the root CA certificate and the active ca services server certificate as well as the user certificate. The ISE has a certificate generated on the active cert services server  and also has the root CA certificate in it's certificate store.

All the certificates seem to be valid back to the root CA certificate.

Any ideas?

Thanks

Martin

Martin,

Do you have any intermediate certificates? If so, then you will have to import those in to the ISE certificate trusted certificate store, and you will have to select the checkbox "Trust for client with eap-tls"

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html#wp1053515

Thanks,

Tarik Admani
*Please rate helpful posts*

We've got 1.1 so the options are a bit different but I've installed the root certificate and the ca server certificate on ISE in the certificate store and 'Trust for client authentication' is enabled.

There is a sub-option 'Enable Validation of Certificate Extensions (accept only valid certificate)' that I enabled when I installed the certificate but when I look at it now it's greyed out.

In addition the primary and secondary ISE certificates also has the trust option enabled.

Thanks

Martin

Can you post a screeshot of the certificate that is installed on the Ipad? Also post a screenshot of the certificate on ISE. I would like to see the serial numbers of the root to see if they are identical.

Thanks,

Tarik Admani
*Please rate helpful posts*

Screenshots attached

Thanks

Martin

Thanks Martin,

Can you get me the screenshot of the root certificate that is installed on the ipad, along with another screenshot of the user certificate (I will like to see the "issued to" and "issued by" attributes)

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik

The root certificate on the iPad is the same as the root certificate on the ISE, see the attached images.

Thanks

Martin

Martin,

There seems to be an intermediate certificate or you have the wrong root certificate imported into the ISE. Can you click on the certificate path (top right tab). Take a look at the "issued by" field in the usercert.png and then look at the name of the root certs that you attached. The signer of your user cert is NHSG-CS-01, the root cert on the ISE node is NHSG-CS-ROOT.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik

NHSG-CS-01 is the active CS server that issued the certificate, NHSG-CS-ROOT is off at the recommendation of a microsoft employee when she helped our server team setup CS an so can't issue certificates.

The NHSG-CS-01 certificate is on both the iPad and ISE and on the ISE it's enabled for authentication.

Thanks

Tarik

So I removed NHSG-CS-ROOT from both the iPad profile and the ISE certificate store leaving the ipad with only the personal certificate and the NHSG-CS-01 certificate.

The ISE certificate store now has with both primary and secondary ISE certificates and the NHSG-CS-01 certificate.

For the two ISE certificates I've unchecked the 'Trust for client authentication' check boxes so the only certificate in the certificate store that has that check box checked is NHSG-CS-01.

Authentication is still failing with the same message about the unsupported certificate.

Interestingly each time I appy the policy to the ipad and try to connect wirelessly it prompts to accept the primary ISE certificate that was issued by NHSG-CS-01, that shouldn't be happening should it?

Thanks

Martin