3818 Views, 0 Helpful, 8 Replies

ISE CA Certificate Renewal

adamgibs7
Level 6

Dears,

All was working well. I renewed my ISE certificate with DigiCert and my BYOD stopped working; I get the below error from the Windows machine. I have the DigiCert trusted root certificate in ISE and my CN names are proper for the certificate; the PCs also have the DigiCert root certificate. Where are things going wrong? Can anybody help me?

Here is the error:

Event: 5400 Authentication failed

Failure Reason: 12511 Unexpectedly received TLS alert message; treating as a rejection by the client

Resolution: Ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!

Root cause: While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.

8 Replies

Arne Bier
VIP

Just out of curiosity, are you using any load balancers? I had a case where we replaced the certs on the PSNs, but because our F5 load balancers were doing SSL bridging (i.e. the F5 presents the certificate to the client on behalf of the PSN), the client still got the old cert. After installing the same new cert on the F5 all was well.

Have a close look at the certificate that the server is presenting - is it the one you just newly installed?

Did you install the cert on all of your PSNs that serve that BYOD portal?

Dear Arne,

No, we are not using F5. The certificates are signed by DigiCert and they are installed in the system certificates, so the client should get the new certificate when connecting to the BYOD.

Did you install the cert on all of your PSNs that serve that BYOD portal?

Yes, I did.

Have a close look at the certificate that the server is presenting - is it the one you just newly installed?

How can we see whether it is getting the new one or the old one? I will check whether I get the download option while connecting to the machine.

Thanks

I am getting the exact same error code, with no certificate changes, using F5 following the Cisco implementation guide with SSL pass-through.

Rahul Govindan
VIP Alumni

Are you using the Windows supplicant? If you have a wireless profile created for secure auth, you might want to check which certs you trust when validating server certs. If your CA certificate has not changed, then this should be the same. But if you have moved from one CA to another, or if the CA has changed their root certs, this could be a problem.

Dear,

The attached was used from the start.

I didn't install the certificate; my colleague did. Do we have to tick the client authentication check box when we install the certificate?

In your initial post you mentioned DigiCert. But in the screen capture you just provided it looks like you are using the internal ISE CA to issue certs for clients (BYOD?). What's the deal? I don't believe that ISE can masquerade as a DigiCert CA and issue certs on its behalf. So have a look at the ISE CA root cert and make sure that cert is still valid. And it's that cert that needs to be on your end devices.

Not sure what DigiCert has to do with this.  Normally only used on portals where anonymous (i.e. non-corporate assets) will authenticate, and those devices will have the Root CA cert for DigiCert to trust ISE.


Dear,

It is DigiCert signed. The attachment shown in the previous post is for the client provisioning; it was there from the start and it was working perfectly. The cert renewal was done 1 week ago.

The ISE cert is signed by DigiCert and the DigiCert certificate is already in the trusted root certificates of the client PC. DigiCert also provided me the intermediate certificate. Do I have to add that as well in the client computers? For example, when I open the certificate it shows me the tree DigiCert > DigiCert-SHA-256 > ISE.xyz.com, so does the intermediate DigiCert-SHA-256 also have to be added in the client computers?

Thanks
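The chain question in the post above (DigiCert > DigiCert-SHA-256 > ISE.xyz.com) can be reproduced offline. The following is an added example, not from this thread or from Cisco/DigiCert: it builds a stand-in three-tier chain with openssl (all names are placeholders) and shows that the ISE leaf certificate only validates when the intermediate is either sent by the server alongside its own certificate or installed in the client's trust store.

```shell
#!/bin/sh
# Added example (not from the thread): a stand-in chain shaped like
# DigiCert > DigiCert-SHA-256 > ISE.xyz.com, built with openssl.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions: the intermediate must be a CA; the leaf is a server cert for the ISE FQDN.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ISE.xyz.com\n' > leaf.ext

# 1. Self-signed root (stands in for the DigiCert root the PCs already trust).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Demo Root (stand-in for DigiCert)" \
  -keyout root.key -out root.pem >/dev/null 2>&1

# 2. Intermediate, signed by the root (stands in for DigiCert-SHA-256).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Demo Intermediate (stand-in for DigiCert-SHA-256)" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca.ext -out inter.pem >/dev/null 2>&1

# 3. ISE server (leaf) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ISE.xyz.com" \
  -keyout ise.key -out ise.csr >/dev/null 2>&1
openssl x509 -req -in ise.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile leaf.ext -out ise.pem >/dev/null 2>&1

# verify_leaf TRUSTSTORE [CHAIN_SENT_BY_SERVER]
# TRUSTSTORE models the client's trusted roots; the optional second argument
# models the extra certificates the server presents with its own (-untrusted).
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" ise.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" ise.pem >/dev/null 2>&1
  fi
}

# Client trusts only the root and the server sends only its leaf: this fails
# ("unable to get local issuer certificate"), the post-renewal symptom.
verify_leaf root.pem && echo "unexpected: leaf validated without intermediate" || true
# Remedy A: the server presents the intermediate with its certificate.
verify_leaf root.pem inter.pem && echo "ok: chain valid when server sends intermediate"
# Remedy B: the intermediate is installed on the client alongside the root.
cat root.pem inter.pem > client_trust.pem
verify_leaf client_trust.pem && echo "ok: chain valid when client has intermediate"
```

Against a live portal the equivalent check of what the PSN actually presents is `openssl s_client -connect <psn-fqdn>:8443 -showcerts`, which lists every certificate the server sends.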

niketan sutar
Level 1

Have you tried deleting the old certificate from the system and re-connecting to BYOD? This will provision the new certificate. If it works after that, chances are there is something that has changed between the old DigiCert and the new DigiCert cert. If you were using a different cert prior to DigiCert, then in order for BYOD to work you will need to ensure that the new certificate is provisioned via the portal.