10-02-2018 01:56 AM
Hello,
In our ISE deployment, we have Alcatel-Lucent phones.
For now the phones are authenticated with MAB, but all the phones support Dot1x.
I've checked and downloaded certificates from the Alcatel-Lucent website, but the phones still say Dot1x auth failed.
MAB worked, but we're receiving errors, as we can see in ISE:
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
12508 EAP-TLS handshake failed
Port config:
switchport mode access
switchport voice vlan 319
ip access-group permitany in
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation replace
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
Could anyone help me further?
10-21-2018 10:41 AM
I would suggest performing a packet capture and checking what the unknown CA certificate is. Once identified, you may import it to ISE Trusted Certificates and enable it for client authentications.
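The check suggested in the answer above, as an added example that is not part of the original thread: read the issuer of the phone's certificate and test candidate CA files against it before importing one into ISE. It assumes the certificate has been exported from the capture as a DER file and that `openssl` is installed; every certificate, name and path below is constructed lab data, not Alcatel-Lucent material.

```shell
#!/usr/bin/env bash
# Constructed lab data: a stand-in "phone vendor" CA, an unrelated CA and a
# phone certificate. Names and paths are assumptions made for this example.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_ca() {  # make_ca <file stem> <subject CN>: self-signed lab CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=Lab/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}
make_ca vendor-ca "Constructed Phone Vendor CA"
make_ca other-ca  "Constructed Unrelated CA"

# Phone certificate signed by the vendor CA, stored as DER to mimic a
# certificate exported from the packet capture.
openssl req -newkey rsa:2048 -nodes -subj "/O=Lab/CN=phone-0001" \
  -keyout "$work/phone.key" -out "$work/phone.csr" 2>/dev/null
openssl x509 -req -in "$work/phone.csr" -CA "$work/vendor-ca.pem" \
  -CAkey "$work/vendor-ca.key" -CAcreateserial -days 30 \
  -outform DER -out "$work/phone.der" 2>/dev/null

issuer_of() {  # issuer_of <cert.der>: name of the CA that signed the cert
  openssl x509 -inform DER -in "$1" -noout -issuer -nameopt RFC2253 \
    | sed 's/^issuer= *//'
}

chain_ok() {  # chain_ok <ca.pem> <cert.der>: exit 0 if the CA validates it
  openssl x509 -inform DER -in "$2" -out "$work/leaf.pem"
  openssl verify -CAfile "$1" "$work/leaf.pem" >/dev/null 2>&1
}

echo "Phone certificate issuer: $(issuer_of "$work/phone.der")"
for ca in other-ca vendor-ca; do
  if chain_ok "$work/$ca.pem" "$work/phone.der"; then
    echo "$ca.pem: chain validates, candidate for ISE Trusted Certificates"
  else
    echo "$ca.pem: does not validate the phone certificate (unknown CA)"
  fi
done
```

If the phone sends intermediate certificates, each of them needs the same check against the file you intend to import.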
04-12-2023 02:49 AM
I just found the certificates to add to ISE on Reddit, credits to the original poster.