ISE - enabling CRL breaks all our certificate authentication

Erik Molnar
Level 1

Dear All,

we have a strange issue with ISE 1.2(899).

Some of our clients (PCs, printers, IP phones) are using certificates to authenticate on the network.

The printers and the IP phones use certificates produced by the same CA (for the record we call it CA Alpha), but the PCs are using certificates provided by another CA (called CA Beta).

The issue is that if we configure CRL for CA Alpha (the CRL download is OK, verified with tcpdump), we see that all the clients (clients using CA Alpha or Beta) cannot authenticate, and they display these error messages:

12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally"

47726909679936:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720:

However if we configure CRL for CA Beta there is no such issue.

Anybody else experienced the same issue?

Or are there any ideas on how we can debug this issue further?

Thank you in advance.

Best Regards,

Erik Molnar

1 Accepted Solution

mohanak
Cisco Employee
ISE Cert Trusted List is not fully read when a corrupted cert is present
CSCun41732

Symptom:
ISE cannot load the complete Trusted certificate list when a corrupted certificate is present in the list. The certificates present below the corrupted certificate are not fully read on ISE.

Clients fail certificate authentication if their root cert is present below the corrupted certificate on the ISE Trusted store. ISE live logs indicate the below error:

"12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"

Conditions:
Client performing TLS authentication and a corrupted certificate is present above the client root certificate on ISE Trusted Certificate Store

Workaround:
None

Known Affected Releases:
1.2(0.899)

Known Fixed Releases:
1.2(0.909)

3 Replies

Dear Mohanak!

Thank you for the reply.

We are in the middle of a deployment so we would like to be careful in upgrading the system right now. :)

Can you describe to me what has been corrected in the hotfix?

Also, if we find the cert that is corrupt, how can we make sure it is the corrupted one, and why is it the corrupted one?

Thank you in advance.
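The bug note above says that every entry below a corrupt one in the trusted list is not read, and the question just asked is how to tell which entry is the corrupt one. As an added example (not code from this thread or from Cisco), here is a check that walks a PEM bundle in store order, reports the first entry that cannot be decoded as a DER certificate, and lists which entries sit below it and would therefore go unloaded under CSCun41732. It assumes the trusted store has been exported as a single PEM bundle in the order ISE lists it; the sample entries are constructed stand-ins, not real certificates.

```python
import base64
import binascii
import re

# Assumed input: the ISE trusted store exported as one PEM bundle, in list order.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_outer_length(der: bytes) -> int:
    """Total length the outer DER SEQUENCE header claims, or -1 if malformed.
    An X.509 Certificate always starts with a SEQUENCE (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                  # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                  # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_entry(body: str) -> str:
    """Return 'ok', or why this PEM body cannot be read as a certificate."""
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return "bad base64"
    claimed = der_outer_length(der)
    if claimed == -1:
        return "not a DER SEQUENCE"
    if claimed != len(der):
        return f"DER length mismatch (header says {claimed}, got {len(der)})"
    return "ok"

def audit_bundle(pem_text: str) -> dict:
    """Check every entry; as in CSCun41732, everything below the first corrupt
    entry is reported as not loaded, so those issuers would show as unknown CA."""
    results = [check_entry(m.group(1)) for m in PEM_RE.finditer(pem_text)]
    bad = [i for i, r in enumerate(results) if r != "ok"]
    first = bad[0] if bad else len(results)
    return {"entries": results, "first_corrupt": bad[0] if bad else None,
            "loaded": list(range(first)),
            "not_loaded": list(range(first + 1, len(results)))}

def to_pem(b64: str) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
# Constructed sample: tiny stand-in DER SEQUENCEs, not real certificates.
GOOD = "MAMCAQU="       # 30 03 02 01 05: header claims 5 bytes, 5 present
TRUNCATED = "MAMCAQ=="  # 30 03 02 01:    header claims 5 bytes, only 4 present
SAMPLE_BUNDLE = to_pem(GOOD) + to_pem(TRUNCATED) + to_pem(GOOD) + to_pem(GOOD)
```

Running `audit_bundle(SAMPLE_BUNDLE)` flags entry 1 as corrupt and lists entries 2 and 3 as the ones that would not be loaded; on a real export, compare that list against the root certificates of the clients that fail with 12514.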

Saurav Lodh
Level 7

Check whether the root cert is present on ISE instead of only the intermediate cert being installed!
