We're planning on implementing eap-tls for our corporate iPads and in the past I've successfully tested it authenticating against ACS5.3 but now that we've moved to ISE (22.214.171.124) I'm getting an error.
I've tried two different profiles, one with a certificates and AD credentials and the other one with just certificates but the error message is the same for both.
EAP-TLS is enabled in the 'Default Network Access' authentication result.
Can anyone shine a light on where I'm going wrong?
Solved! Go to Solution.
You need to define a certificate authentication profile and then select this as the result (Identity Source) in the authentication policy
You can create a certicate authentication profile at: Administration->Identity management->External Identity Sources->Certificate Authentication Profile
There error you are seeing occurs when trying to "authenticate" the request based on a clinet certifcate but result is an identity store (AD, LDAP etc)
If you go the authentication policy page and expand your rules you can choose the result to be certificate authentication profile that you created.
If you have a mixture of peap or other password based methods, your best option is to create an identity sequence store. This allows you to use a certificate authentication profile along with a list of databases for password based authentication also. One you create this rule, go back to authentication policies and set this as the result and you should be good to go.
Sent from Cisco Technical Support iPad App
Thanks for your help so far Tarik and jrabinow I'm no longer getting that message, instead I'm getting the following message when I try to connect:
12519 EAP-TLS failed SSL/TLS handshake because of an unsupported certificate in the client certificate chain
We're using MS certificate services, the ipad has the root CA certificate and the active ca services server certificate as well as the user certificate. The ISE has a certificate generated on the active cert services server and also has the root CA certificate in it's certificate store.
All the certificates seem to be valid back to the root CA certificate.
Do you have any intermediate certificates? If so, then you will have to import those in to the ISE certificate trusted certificate store, and you will have to select the checkbox "Trust for client with eap-tls"
*Please rate helpful posts*
We've got 1.1 so the options are a bit different but I've installed the root certificate and the ca server certificate on ISE in the certificate store and 'Trust for client authentication' is enabled.
There is a sub-option 'Enable Validation of Certificate Extensions (accept only valid certificate)' that I enabled when I installed the certificate but when I look at it now it's greyed out.
In addition the primary and secondary ISE certificates also has the trust option enabled.
There seems to be an intermediate certificate or you have the wrong root certificate imported into the ISE. Can you click on the certificate path (top right tab). Take a look at the "issued by" field in the usercert.png and then look at the name of the root certs that you attached. The signer of your user cert is NHSG-CS-01, the root cert on the ISE node is NHSG-CS-ROOT.
*Please rate helpful posts*
NHSG-CS-01 is the active CS server that issued the certificate, NHSG-CS-ROOT is off at the recommendation of a microsoft employee when she helped our server team setup CS an so can't issue certificates.
The NHSG-CS-01 certificate is on both the iPad and ISE and on the ISE it's enabled for authentication.
So I removed NHSG-CS-ROOT from both the iPad profile and the ISE certificate store leaving the ipad with only the personal certificate and the NHSG-CS-01 certificate.
The ISE certificate store now has with both primary and secondary ISE certificates and the NHSG-CS-01 certificate.
For the two ISE certificates I've unchecked the 'Trust for client authentication' check boxes so the only certificate in the certificate store that has that check box checked is NHSG-CS-01.
Authentication is still failing with the same message about the unsupported certificate.
Interestingly each time I appy the policy to the ipad and try to connect wirelessly it prompts to accept the primary ISE certificate that was issued by NHSG-CS-01, that shouldn't be happening should it?