ISE Certificate Chain Not Trusted By WLAN Clients

jeverard
Level 1

We are running ISE 1.1.3 using Entrust cert signed by Entrust sub CA L1C, which is signed by Entrust.net 2048, which is in all major OS stores as trusted (Windows, Android, iOS).

We have installed a concatenated PEM file with all of the certificates from the chain, as described in the ISE User Guides. The ISE GUI shows all of the certs in the chain individually after the import (i.e. the chain works and is good). However, we are not sure if the ISE is sending the entire chain to the WLAN clients during EAP authentication or just the ISE cert, because of the error message we get on ALL client types which states that the certificate is not trusted.

So the question is whether the ISE is really sending the whole chain or just its own cert without the rest of the certs in the chain (which would explain why the WLAN clients complain about the certificate trust).

Anyone out there know if the ISE code is not up to sending the cert chain in version 1.1.3 yet or if there is some other explanation? Screenshot attached of iPhone prompting for cert verification.

Accepted Solution

hardiklodhia
Level 1

Hi,

I am having the same issue with ISE 1.1.1 and I have discussed this with Cisco (an ISE expert), and he suggested that best practice is to use the device certificate alone and then upload the intermediate root certificate and root certificate to the ISE certificate store. The ISE will send the entire certificate chain - device>intermediate>root. But there is a known issue with Apple iOS that even when the signing root is already trusted, it will ALWAYS prompt for the certificate to be accepted. When I am using Windows, it works fine, which means ISE is sending the entire chain. For Windows, you need to explicitly trust the CA under wireless profile properties>Security>Microsoft PEAP>Settings>Validate server certificate and select your CA server.

I am still finding out why iOS is not accepting the chain, and there is some related discussion on the Apple support forum. I will update you on this.

Hope this helps.


Thanks hardiklodhia, your post confirms what we are seeing - the Windows clients have no issue as long as they are set to either NOT validate the EAP server cert or they are set to trust the signing CA cert from the local store by specifically selecting the signing CA (i.e. tick next to "Validate Server Certificate" and then another tick next to the signing CA cert in the box below).

The iOS clients ALWAYS prompt for verification (thanks Apple.)

Note: we are using 1.1.3 and the cert chain import using a concatenated PEM file with ALL of the certs in the chain works fine. We are seeing the whole chain on the clients and the ISE extracts each PEM file into its local store.

The PEM file format is not adequately described in the user guides; rather, only a vague description of the cert order is provided.

The file should look like this:

-------------------------Top of page-----------------------------
Root CA PEM FILE
Intermediate CA 1 PEM FILE
Intermediate CA 2 PEM FILE
ETC
ISE CERT PEM FILE
------------------------Bottom of page-------------------------

By "PEM FILE" I mean the actual base64 encoded PEM output from openssl when you convert a .crt or .der file to PEM, including the words "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" for each PEM FILE above, e.g.:

-----BEGIN CERTIFICATE-----
MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC
VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u
ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc
KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u
ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1
MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE
ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j
MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI
hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN
95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd
2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEnzCCBAigAwIBAgIERp6RGjANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC
VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u
ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc
VeSB0RGAvtiJuQijMfmhJAkWuXAwHwYDVR0jBBgwFoAU8BdiE1U9s/8KAGv7UISX
8+1i0BowGQYJKoZIhvZ9B0EABAwwChsEVjcuMQMCAIEwDQYJKoZIhvcNAQEFBQAD
gYEAj2WiMI4mq4rsNRaY6QPwjRdfvExsAvZ0UuDCxh/O8qYRDKixDk2Ei3E277M1
RfPB+JbFi1WkzGuDFiAy2r77r5u3n+F+hJ+ePFCnP1zCvouGuAiS7vhCKw0T43aF
SApKv9ClOwqwVLht4wj5NI0LjosSzBcaM4eVyJ4K3FBTF3s=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE9TCCA92gAwIBAgIETA6MOTANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp
EN551lZqpHgUSdl87TBeaeptJEZaiDQ9JifPaUGEHATaGTgu24lBOX5lH51aOszh
DEw3oc5gk6i1jMo/uitdTBuBiXrKNjCc/4Tj/jrx93lxybXTMwPKd86wuinSNF1z
/6T98iW4NUV5eh+Xrsm+CmiEmXQ5qE56JvXN3iXiN4VlB6fKxQW3EzgNLfBtGc7e
mWEn7kVuxzn/9sWL4Mt8ih7VegcxKlJcOlAZOKlE+jyoz+95nWrZ5S6hjyko1+yq
wfsm5p9GJKaxB825DOgNghYAHZaS/KYIoA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFKjCCBBKgAwIBAgIETB9GEzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
KGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZp
yhHR/hYfdVM88hBXXypACgrxBv/JFlKzSEDwKydJeT1tcP//nG4jv1WWgLk6O2Mi
0oE0fnGmuf9fTX4+CdapG2gTDFJ29Chv3kavJDNtB85A7CK8oWI8Qav78Rvaz7nA
LiRMLBQ1RkqUrQFL2WHx4mJkCddPXzOeOVJlUTGJ
-----END CERTIFICATE-----

The last PEM output (the one directly above) is the ISE cert in PEM format. The first PEM output (the one at the top) is the Root CA cert in PEM format. The ones in the middle are intermediate signing CAs in order (from root to leaf).

Hi,

I am running ISE 1.1.1.268. I am also using Entrust L1C chaining. BlackBerry and Android devices are not able to validate the server certificate when using 802.1X PEAP MSCHAPv2. iPhone does the job right. The thing is, when I export the ISE PSN certificate (PEM) from the PSN, the cert chain looks like: Intermediate->Root->ISE_PSN ... I guess it should look like: Root->Intermediate->ISE_PSN. Is it ISE behavior or simply a setting I can change somewhere? I tried importing the chain the way jeverard suggested with no luck. Any suggestions? Are you guys seeing the same order in your exported PEM?

Thanks.
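The two things the posts above turn on are (a) whether a concatenated PEM bundle is ordered root -> intermediate(s) -> server cert, and (b) what to do when an exported chain comes out in a different order (Intermediate->Root->ISE_PSN in the previous post). The script below is an added example, not code from this thread, from Cisco, or from ISE: it splits a bundle into its certificate blocks the way the import does, reads the issuer and subject out of each one with a minimal DER walk, reports any ordering problem, and can re-emit the bundle in the correct order. It checks names only; it does not verify signatures (use `openssl verify -CAfile root.pem -untrusted intermediates.pem server.pem` for that). The certificate names, and the skeleton certificates used as sample input, are constructed for the example and are not real Entrust or ISE certificates.

```python
import base64
import re

# Added example (not ISE or Cisco code): split a concatenated PEM bundle into its
# certificates, read issuer/subject out of each, and check or repair the
# root -> intermediate(s) -> server-cert order the posts above describe.
# Only subject and issuer are parsed; signatures are not verified here.

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}

def split_pem(text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(b.split())) for b in _PEM_RE.findall(text)]

def to_pem(der_list):
    """Re-encode DER certificates as one concatenated PEM file (64-char lines)."""
    out = []
    for der in der_list:
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "".join(out)

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, header_start, value_start, value_end)."""
    tag, length, vstart = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, vstart = int.from_bytes(buf[vstart:vstart + n], "big"), vstart + n
    return tag, pos, vstart, vstart + length

def _name_to_str(buf, start):
    """Render a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'CN=..., O=...'."""
    parts = []
    _, _, pos, seq_end = _tlv(buf, start)
    while pos < seq_end:
        _, _, set_pos, set_end = _tlv(buf, pos)         # one RelativeDistinguishedName
        while set_pos < set_end:
            _, _, atv_pos, atv_end = _tlv(buf, set_pos)
            _, _, oid_s, oid_e = _tlv(buf, atv_pos)     # attribute type OID
            _, _, val_s, val_e = _tlv(buf, oid_e)       # attribute value string
            key = _OIDS.get(buf[oid_s:oid_e], buf[oid_s:oid_e].hex())
            parts.append(f"{key}={buf[val_s:val_e].decode('utf-8', 'replace')}")
            set_pos = atv_end
        pos = set_end
    return ", ".join(parts)

def cert_names(der):
    """Return (issuer, subject) strings of one DER certificate by walking tbsCertificate."""
    _, _, tbs, _ = _tlv(der, 0)                         # Certificate SEQUENCE
    _, _, pos, _ = _tlv(der, tbs)                       # tbsCertificate SEQUENCE
    tag, _, _, nxt = _tlv(der, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = nxt
    _, _, _, pos = _tlv(der, pos)                       # serialNumber
    _, _, _, pos = _tlv(der, pos)                       # signature AlgorithmIdentifier
    _, iss_start, _, pos = _tlv(der, pos)               # issuer Name
    _, _, _, pos = _tlv(der, pos)                       # validity
    _, sub_start, _, _ = _tlv(der, pos)                 # subject Name
    return _name_to_str(der, iss_start), _name_to_str(der, sub_start)

def check_order(der_list):
    """(ok, problems): ok when cert 0 is self-signed and each later cert is issued by the one before it."""
    names = [cert_names(d) for d in der_list]
    problems = []
    if names and names[0][0] != names[0][1]:
        problems.append(f"cert 0 ({names[0][1]}) is not self-signed; the root CA should come first")
    for i in range(1, len(names)):
        if names[i][0] != names[i - 1][1]:
            problems.append(f"cert {i} ({names[i][1]}) was not issued by cert {i - 1} ({names[i - 1][1]})")
    return bool(names) and not problems, problems

def reorder_chain(der_list):
    """Return the same certificates ordered root -> intermediates -> leaf, whatever the file order."""
    entries = [(d, *cert_names(d)) for d in der_list]   # (der, issuer, subject)
    roots = [e for e in entries if e[1] == e[2]]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one self-signed root, found {len(roots)}")
    ordered, subject = [roots[0][0]], roots[0][2]
    while (child := next((e for e in entries if e[1] == subject and e[2] != subject), None)):
        ordered.append(child[0])
        subject = child[2]
    if len(ordered) != len(entries):
        raise ValueError("some certificates do not chain to the root")
    return ordered

# Constructed sample input: skeleton certificates with a valid tbsCertificate layout
# but no real key or signature; only the issuer/subject names are meaningful.
def _der(tag, body):                                    # short-form lengths only (sample is small)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def skeleton_cert(subject_cn, issuer_cn):
    def name(cn):
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")            # version v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

SAMPLE_BUNDLE = to_pem([
    skeleton_cert("Example Root CA", "Example Root CA"),
    skeleton_cert("Example Intermediate CA", "Example Root CA"),
    skeleton_cert("ise-psn.example.com", "Example Intermediate CA"),
])
```

On a real bundle, `check_order(split_pem(open("chain.pem").read()))` returns `(True, [])` for a file laid out as the post describes and lists the out-of-place certificates otherwise; `to_pem(reorder_chain(...))` writes the same certificates back in root -> intermediate -> server order, which is the layout to import. The same per-certificate facts can be confirmed with `openssl x509 -in one-cert.pem -noout -subject -issuer`.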