Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3029
Views
0
Helpful
2
Replies

ISE, Android 9 and 802.1x

fitzie
Level 1
Level 1

‎07-30-2020 07:26 AM - edited ‎07-30-2020 07:26 AM

We have a rather robust policy set regarding 802.1x withcorporate Windows and OSX devices.  We're currently using ISE 2.7(p2) and 2.4(p11).  Our WLCs are 8540s running 8.5.161.

 

We're trying to provision some Androids as corporate devices (not BYOD), and I've generated a CSR and gotten a cert from our internal CA (AD), in a manner similar to that of all of our Windows and Apple Devices.

The best result thus far are repeated 5440 Endpoint abandoned EAP session messages.  I've attempted using both PEAP and EAP-TLS, both of which we support.

I was hoping there was somebodyt out therer] who has run into a similar situation.  Thanks!

0 Helpful
2 Replies 2

Colby LeMaire
VIP Alumni
VIP Alumni

‎07-30-2020 09:18 AM

Do your Android phones have the CA certificates in their trusted store to trust the ISE certificates used for EAP authentication?  Sounds like the endpoints are stopping authenticating mid-process because they don't like the ISE certificate.

0 Helpful

fitzie
Level 1
Level 1
In response to Colby LeMaire

‎07-30-2020 10:50 AM - edited ‎07-31-2020 06:53 AM

I've updated this answer from yesterday. 

 

Yes.  Our CA chain consists of a root and an intermediate certificate.  Both are present.  Android has them in the User store, along with the device certificate.  I could not fnd a way of putting them elsewhere.

 

I've also added the EAP cert from ISE.  None of the Windows or Mac devices seem to need this cert.  The EAP cert is self-signed.

In my mind, the CA store in Android parlance means "the certs we ship with the device".  Everythig else would be go into User store.

 

In any case, if I use PEAP on the client, I select Phase 2 AuthC of MSCHAPv2, the CA cert (I can choose either the internal Root CA, the intermediate, or the ISE EAP cert.  

 

I also enter in the identity, and an anonymous identity.  I enter in the FQDN, the same that is entered on the device cert.

 

Now, with PEAP, I get a failure code of:

12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

If I use EAP-TLS, I'm asked to select a User Certificate, I have two options:  1) Please Select, and 2) Do Not Provide.

I'm not able to proceed with loggin in with option 1, as there is nothing to select.  If I use option 2, I'm able to continue, and the outcome is:

11510 Supplicant declined EAP method selected by Authentication Policy but did not propose another one; EAP negotiation failed

As I've stated, we allow both PEAP and EAP-TLS.

0 Helpful
Customers Also Viewed These Support Documents