Beginner

ISE, Android 9 and 802.1x

We have a rather robust policy set regarding 802.1x with corporate Windows and OSX devices.  We're currently using ISE 2.7(p2) and 2.4(p11).  Our WLCs are 8540s running 8.5.161.

We're trying to provision some Androids as corporate devices (not BYOD), and I've generated a CSR and gotten a cert from our internal CA (AD), in a manner similar to that of all of our Windows and Apple Devices.

The best result thus far is repeated 5440 Endpoint abandoned EAP session messages.  I've attempted using both PEAP and EAP-TLS, both of which we support.

I was hoping there was somebody out there who has run into a similar situation.  Thanks!

2 Replies
VIP Collaborator

Do your Android phones have the CA certificates in their trusted store to trust the ISE certificates used for EAP authentication?  Sounds like the endpoints are stopping the authentication mid-process because they don't like the ISE certificate.


I've updated this answer from yesterday.

Yes.  Our CA chain consists of a root and an intermediate certificate.  Both are present.  Android has them in the User store, along with the device certificate.  I could not find a way of putting them elsewhere.


I've also added the EAP cert from ISE.  None of the Windows or Mac devices seem to need this cert.  The EAP cert is self-signed.

In my mind, the CA store in Android parlance means "the certs we ship with the device".  Everything else would go into the User store.

In any case, if I use PEAP on the client, I select Phase 2 AuthC of MSCHAPv2 and the CA cert (I can choose either the internal Root CA, the intermediate, or the ISE EAP cert).

I also enter in the identity, and an anonymous identity.  I enter in the FQDN, the same that is entered on the device cert.

Now, with PEAP, I get a failure code of:

12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

If I use EAP-TLS, I'm asked to select a User Certificate, I have two options:  1) Please Select, and 2) Do Not Provide.

I'm not able to proceed with logging in with option 1, as there is nothing to select.  If I use option 2, I'm able to continue, and the outcome is:

11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed

As I've stated, we allow both PEAP and EAP-TLS.
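The following is an added illustration, not code from either reply, of the server-certificate check the first reply points at and the 12321 rejection described in the second: it builds a throwaway root/intermediate chain plus a self-signed and a CA-issued "ISE EAP" certificate (all names such as ise.corp.example are constructed), then emulates what a supplicant must verify before PEAP or EAP-TLS can continue. It assumes the phone treats the selected CA cert as its trust anchor and that ISE sends its intermediate in the handshake.

```shell
#!/bin/sh
# Constructed demo: emulate the checks an Android supplicant performs on the ISE EAP
# (server) certificate. All certificates and names below are made up for the example.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ise.corp.example\n' > eap.ext

# newkey_csr NAME SUBJECT: fresh RSA key and CSR for NAME
newkey_csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null; }

# Internal AD CA chain as described in the thread: root -> intermediate
newkey_csr root  "/CN=Corp Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem 2>/dev/null
newkey_csr inter "/CN=Corp Issuing CA"
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out inter.pem 2>/dev/null

# Two candidate ISE EAP certificates: the self-signed one the thread describes, and one issued by the internal CA
newkey_csr eap "/CN=ise.corp.example"
openssl x509 -req -in eap.csr -signkey eap.key -days 30 -extfile eap.ext -out ise-selfsigned.pem 2>/dev/null
openssl x509 -req -in eap.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 30 -extfile eap.ext -out ise-issued.pem 2>/dev/null

# supplicant_check SERVER_CERT SELECTED_CA DOMAIN
# Prints ACCEPT, or REJECT:<reason>; a REJECT is the client-side event behind ISE's 12321 / 5440 messages.
supplicant_check() {
    cert=$1; anchor=$2; domain=$3
    # Assumption: the phone treats whatever CA cert the user selected as the trust anchor
    # (-partial_chain), and ISE sends its intermediate in the TLS handshake (-untrusted).
    if ! openssl verify -partial_chain -CAfile "$anchor" -untrusted inter.pem "$cert" >/dev/null 2>&1; then
        echo "REJECT:untrusted-issuer"; return 0
    fi
    # The Domain field on the phone must match a DNS SAN in the server certificate
    if ! openssl x509 -in "$cert" -noout -text | grep -q "DNS:$domain"; then
        echo "REJECT:domain-mismatch"; return 0
    fi
    echo "ACCEPT"
}

main() {
    echo "self-signed EAP cert, phone trusts internal root:    $(supplicant_check ise-selfsigned.pem root.pem ise.corp.example)"
    echo "self-signed EAP cert, phone trusts that cert itself: $(supplicant_check ise-selfsigned.pem ise-selfsigned.pem ise.corp.example)"
    echo "CA-issued EAP cert, phone trusts internal root:      $(supplicant_check ise-issued.pem root.pem ise.corp.example)"
    echo "CA-issued EAP cert, wrong Domain on the phone:       $(supplicant_check ise-issued.pem root.pem ise.other.example)"
}
main
```

The first case is the situation the thread describes: a self-signed EAP certificate can only pass when the phone is given that certificate itself as the CA, whereas an EAP certificate issued by the internal CA passes against the root the phone already trusts.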
