
ISE error in dot1x endpoint OpenSSLErrorMessage message="unknown CA"

getaway51
Level 2

Hi,

 

I have encountered an error for all dot1x devices like laptops, where the result is DenyAccess. Other non devices seem to be working fine.

The ISE error is shown below. Previously all was working fine until recently.

Any idea guys? Thanks!

 

OpenSSLErrorMessage SSL alert: code=0x230=560 \; source=remote \; type=fatal \; message="unknown CA"
OpenSSLErrorStack 14384:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1494:SSL alert number 48
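
As an added example that is not part of the original post or of any Cisco tooling, this Python code decodes the two log fields quoted above: the `code` value splits into TLS alert level and description, and the OpenSSL error number unpacks into library, function and reason. The function names are hypothetical, and reading `source=remote` as the supplicant is an assumption based on ISE being the local TLS endpoint.

```python
import re

# TLS alert descriptions relevant to certificate failures (RFC 5246, section 7.2).
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
LEVELS = {1: "warning", 2: "fatal"}

# The two log lines from the post above (ISE field name followed by its value).
SAMPLE_MESSAGE = r'OpenSSLErrorMessage SSL alert: code=0x230=560 \; source=remote \; type=fatal \; message="unknown CA"'
SAMPLE_STACK = ("OpenSSLErrorStack 14384:error:14094418:SSL routines:ssl3_read_bytes:"
                "tlsv1 alert unknown ca:s3_pkt.c:1494:SSL alert number 48")

def decode_alert(line):
    """Split the 'code' field into TLS alert level and description."""
    code = int(re.search(r"code=0x([0-9a-fA-F]+)", line).group(1), 16)
    source = re.search(r"source=(\w+)", line).group(1)
    level, desc = code >> 8, code & 0xFF  # OpenSSL reports alerts as (level << 8) | description
    return {"level": LEVELS.get(level, level), "alert": ALERTS.get(desc, desc),
            "number": desc, "source": source}

def decode_error_code(line):
    """Unpack an OpenSSL 1.0.x error code: 8-bit library, 12-bit function, 12-bit reason."""
    code = int(re.search(r"error:([0-9A-Fa-f]{8}):", line).group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    # For the SSL library (0x14), reason 1000 + N means alert N was received from the peer.
    received = reason - 1000 if lib == 0x14 and reason >= 1000 else None
    return {"lib": lib, "func": func, "reason": reason, "received_alert": received}

def diagnose(message_line, stack_line):
    """Report the alert and which side of the handshake raised it."""
    alert, err = decode_alert(message_line), decode_error_code(stack_line)
    # Assumption: ISE is the local TLS endpoint, so "remote" is the supplicant.
    if alert["source"] == "remote" and err["received_alert"] == alert["number"]:
        who = "sent by the endpoint (supplicant) about the certificate ISE presented"
    else:
        who = "raised locally by ISE"
    return f'{alert["level"]} {alert["alert"]} ({alert["number"]}): {who}'

if __name__ == "__main__":
    print(decode_alert(SAMPLE_MESSAGE))
    print(decode_error_code(SAMPLE_STACK))
    print(diagnose(SAMPLE_MESSAGE, SAMPLE_STACK))
```

Both fields agree on alert 48 arriving from the peer, which points the comparison at the endpoint's trusted root store versus the issuer chain of the ISE certificate used for EAP.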

balaji.bandi
Hall of Fame

Was any certification renewed recently?

I see a bug here of a similar kind (since we do not know what version of ISE you are running); it is worth checking whether this affects your environment:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf41214/?rfs=iqvred

 

BB

=====Preenayamo Vasudevam=====


Hi,

 

Some locations are working fine though. But the cert did not expire. Previously they were working fine and then suddenly all weren't working. Could this be an issue with the laptop's certificate? How can I compare the certs in ISE with the certs on the laptop?

What attributes need to match which certs in ISE for wired-dot1x devices to authenticate successfully?

Hi,

 

I am running ISE 2.4

Yes, the certs were renewed in April. During that time, most laptops were not in the office due to the office lockdown. Now some people have come back to the office and their laptops can't get connected via the wired port, but wifi is working fine.

Start with CiscoLive BRKSEC-3229 if you want to debug it yourself. Otherwise, please open a case with Cisco TAC.