10-14-2020 11:48 PM
Hello Cisco community,
I have a problem with EAP-TLS and I am searching the logs on every device to solve the problem.
When I look at the WLC, the WLC generates a log like this:
RADIUS server 10.175.4.71:1812 failed to respond to request (ID 79) for client f8:94:c2:1a:22:a5 / user 'bbb@aaa.com'
And ISE generates some logs, but there is a significant log that I think is the problem:
34151 WARN System-Management: Certificate Validation Failed, ConfigVersionId=109, AdminName=Unknown, OperationMessageText=Certificate Validation failed for host:ise.aaa.com, AcsInstance=ise.aaa.com,
And my questions are:
1. Is there any chance the EAP-TLS does not succeed because of the certificate in ISE (as the log says, certificate validation failed)?
2. I don't see any explanation of that log. Would somebody care to explain what I must do to fix the log in ISE?
Thank you very much.
10-15-2020 06:14 PM
If the client supplicant is not sending its certificate chain in response to the server (ISE) certificate, it is likely not trusting the ISE EAP cert and terminating the EAP connection.
I would suggest reviewing the following documents and comparing to your environment:
Understand and configure EAP-TLS using WLC and ISE
Configure EAP-TLS Authentication with ISE - Common Issues and Techniques to Troubleshoot
There is also a similar Community post here that might provide some guidance. These certificate issues can be tricky to troubleshoot without experience, so you might need to open a TAC case to investigate further.
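One way to triage which layer to look at first, following the reasoning above, is to join the WLC "failed to respond" lines against the ISE messages per client MAC. This is an added example, not code from this thread or from Cisco; the sample lines (beyond the two messages quoted in the thread), the 5400 line and the verdict labels are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the WLC and ISE messages quoted in this thread; extra MACs/users are made up.
WLC_LOG = """\
RADIUS server 10.175.4.71:1812 failed to respond to request (ID 79) for client f8:94:c2:1a:22:a5 / user 'bbb@aaa.com'
RADIUS server 10.175.4.71:1812 failed to respond to request (ID 80) for client f8:94:c2:1a:22:a5 / user 'bbb@aaa.com'
RADIUS server 10.175.4.71:1812 failed to respond to request (ID 81) for client 00:11:22:33:44:55 / user 'ccc@aaa.com'
"""
ISE_LOG = """\
5440 NOTICE Endpoint abandoned EAP session and started new, Calling-Station-ID=F8-94-C2-1A-22-A5, UserName=bbb@aaa.com
5400 NOTICE Authentication failed, Calling-Station-ID=AA-BB-CC-DD-EE-FF, FailureReason=12321 failed SSL/TLS handshake
"""
WLC_RE = re.compile(r"RADIUS server (?P<server>\S+) failed to respond to request \(ID (?P<rid>\d+)\) "
                    r"for client (?P<mac>[0-9A-Fa-f:]{17}) / user '(?P<user>[^']*)'")
ISE_RE = re.compile(r"^(?P<code>\d{4,5}) \S+ (?P<msg>.*)$")
MAC_RE = re.compile(r"Calling-Station-ID=(?P<mac>[0-9A-Fa-f-]{17})")

def norm_mac(mac):
    return mac.lower().replace("-", ":")  # WLC writes f8:94:..., ISE F8-94-...; join on one form

def parse_wlc(text):
    """Client MAC -> list of (radius_server, request_id, user) timeouts seen by the WLC."""
    timeouts = defaultdict(list)
    for m in WLC_RE.finditer(text):
        timeouts[norm_mac(m["mac"])].append((m["server"], int(m["rid"]), m["user"]))
    return timeouts

def parse_ise(text):
    """Client MAC -> list of (message_code, message_text) from ISE lines that carry a MAC."""
    events = defaultdict(list)
    for line in text.splitlines():
        m, mac = ISE_RE.match(line), MAC_RE.search(line)
        if m and mac:
            events[norm_mac(mac["mac"])].append((m["code"], m["msg"]))
    return events

def triage(wlc_text, ise_text):
    """Per client, which layer to look at first, based on what each source saw."""
    wlc, ise = parse_wlc(wlc_text), parse_ise(ise_text)
    verdicts = {}
    for mac in set(wlc) | set(ise):
        events = ise.get(mac, [])
        if mac in wlc and not events:  # ISE never logged it: RADIUS reachability/secret first
            verdicts[mac] = "radius_path"
        elif any("12321" in msg for _, msg in events):  # ISE itself saw the TLS handshake fail
            verdicts[mac] = "tls_handshake_failed_on_ise"
        elif any(code == "5440" for code, _ in events):  # supplicant dropped the EAP session
            verdicts[mac] = "client_abandoned_after_server_cert"
        else:
            verdicts[mac] = "review_ise_auth_details"
    return verdicts
```

A client that ends up in "client_abandoned_after_server_cert" with no 12321 on ISE matches the situation in this thread: ISE answered, the supplicant gave up after the server certificate, so the supplicant's trust of the ISE EAP certificate chain is the first thing to check.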
10-15-2020 04:15 AM
Hi,
What do you have in the authentication details for this endpoint? Can you see 12321 "failed SSL/TLS"?
10-15-2020 04:50 AM
Thank you Andy for the response,
There is no 12321 "failed SSL/TLS" in the ISE log.
Like the picture below, only code 5440 "endpoint abandoned EAP session and started new".
I did a tcpdump on the ISE interface and there are no steps 7 to 10 (like the picture below) in my pcap file.
10-19-2020 11:53 PM
Thank you Greg for the answer.
I will call TAC soon to investigate the WLC one, because when I create a lab with the same ISE and key chain in a wired 802.1X environment it works like a charm.
Thank you so much!
10-15-2020 08:58 AM
How is the endpoint's NIC configured for dot1x?
10-15-2020 06:04 PM
Hi Aref, thank you for the reply,
Like the picture below, I configured the endpoint NIC using the user's certificate. The user's certificate is deployed using GPO auto-enroll and signed by ENT-CA. ENT-CA and ROOT-CA are already in the trusted certificates on ISE and the endpoint.