07-30-2020 07:26 AM - edited 07-30-2020 07:26 AM
We have a rather robust policy set regarding 802.1x with corporate Windows and OSX devices. We're currently using ISE 2.7(p2) and 2.4(p11). Our WLCs are 8540s running 8.5.161.
We're trying to provision some Androids as corporate devices (not BYOD), and I've generated a CSR and gotten a cert from our internal CA (AD), in a manner similar to that of all of our Windows and Apple Devices.
The best result thus far is repeated 5440 Endpoint abandoned EAP session messages. I've attempted using both PEAP and EAP-TLS, both of which we support.
I was hoping there was somebody out there who has run into a similar situation. Thanks!
07-30-2020 09:18 AM
Do your Android phones have the CA certificates in their trusted store to trust the ISE certificates used for EAP authentication? Sounds like the endpoints are stopping authentication mid-process because they don't like the ISE certificate.
07-30-2020 10:50 AM - edited 07-31-2020 06:53 AM
I've updated this answer from yesterday.
Yes. Our CA chain consists of a root and an intermediate certificate. Both are present. Android has them in the User store, along with the device certificate. I could not find a way of putting them elsewhere.
I've also added the EAP cert from ISE. None of the Windows or Mac devices seem to need this cert. The EAP cert is self-signed.
In my mind, the CA store in Android parlance means "the certs we ship with the device". Everything else would go into the User store.
In any case, if I use PEAP on the client, I select Phase 2 AuthC of MSCHAPv2 and the CA cert (I can choose either the internal Root CA, the intermediate, or the ISE EAP cert).
I also enter in the identity, and an anonymous identity. I enter in the FQDN, the same that is entered on the device cert.
Now, with PEAP, I get a failure code of:
12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
If I use EAP-TLS, I'm asked to select a User Certificate, I have two options: 1) Please Select, and 2) Do Not Provide.
I'm not able to proceed with logging in with option 1, as there is nothing to select. If I use option 2, I'm able to continue, and the outcome is:
11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed
As I've stated, we allow both PEAP and EAP-TLS.
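As an added illustration of the 12321 "client rejected the ISE local-certificate" outcome above (this is example code, not from the thread or from Cisco): the script builds a throwaway lab PKI shaped like the one described, a root, an intermediate, an EAP server cert issued by that intermediate, and a separate self-signed EAP cert, then checks each one the way the supplicant does, i.e. whether the server cert chains to the CA cert selected in the Wi-Fi profile. Requires the openssl CLI; the CA names and the ise.corp.example hostname are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway lab PKI shaped like the
# one described (root -> intermediate -> ISE EAP cert) plus a self-signed EAP
# cert, then check each one the way the supplicant does: does the server cert
# chain to the CA cert selected in the Wi-Fi profile? All names are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Root CA (self-signed) and an issuing intermediate signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Corp Root CA" \
  -keyout root.key -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Corp Issuing CA" \
  -keyout int.key -out int.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
openssl x509 -req -days 365 -in int.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out int.pem 2>/dev/null

# EAP server cert issued by the intermediate: what an internal-CA ISE cert looks like.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ise.corp.example" \
  -keyout eap_ca.key -out eap_ca.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ise.corp.example\n' >srv.ext
openssl x509 -req -days 365 -in eap_ca.csr -CA int.pem -CAkey int.key \
  -CAcreateserial -extfile srv.ext -out eap_ca.pem 2>/dev/null

# Self-signed EAP server cert, as the thread says the ISE EAP cert is.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=ise.corp.example" \
  -keyout eap_self.key -out eap_self.pem 2>/dev/null

# supplicant_trusts ANCHOR SERVER_CERT [INTERMEDIATE]
# Returns 0 when SERVER_CERT chains to ANCHOR (the CA cert chosen in the
# profile), 1 otherwise. The intermediate is sent by ISE inside the TLS
# handshake, so it is chain material (-untrusted), never a trust anchor.
supplicant_trusts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# The three outcomes worth knowing before pushing a profile to a device:
supplicant_trusts root.pem eap_ca.pem int.pem && echo "CA-issued EAP cert + Root CA anchor: trusted"
supplicant_trusts root.pem eap_self.pem      || echo "self-signed EAP cert + Root CA anchor: rejected (the 12321 case)"
supplicant_trusts eap_self.pem eap_self.pem  && echo "self-signed EAP cert + itself as anchor: trusted"
```

The practical reading: a self-signed EAP cert is only accepted when that exact cert is the one selected as the CA in the profile; a cert issued by the internal CA is accepted with the Root CA selected, provided the intermediate is available to complete the chain.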