ISE - PEAP Failed SSL/TLS handshake - Iphones to corp Network

tom.miller1
Level 1

Hi all

We have work mobiles (iPhones) that are to connect to the Business Wireless. I have set up auth rules for the phones where devices have to authenticate with AD creds on the device to access the network (a bit BYOD, I guess).

But I am getting:

PEAP failed SSL/TLS handshake after a client alert. Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page (Administration > System > Certificates > Local Certificates). Also ensure that the certificate authority that signed this server certificate is properly installed in the client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.

These devices have not got a cert pushed to them and have no way of doing it (other than maybe the ISE?).

Is there a way to allow these devices to connect without validating the cert and just having them auth with their AD creds?

Long term we will be putting certificates on the endpoints and doing it this way, but until then we need an interim solution.

Running ISE Version 2.2

Cheers


3 Replies

howon
Cisco Employee

That message is basically saying ISE is not trusted by the endpoint. Most, if not all, EAP types supported between an iOS device and ISE require verification of the RADIUS server before the iOS device sends its credentials. Aside from pre-provisioning iOS Wi-Fi settings via profiles crafted with IPCU, macOS Server, MDM/EMM, or ISE, there is no easy way for the end user to validate the RADIUS cert. If you are not concerned about users trusting the RADIUS server, you can simply instruct the user to trust the ISE RADIUS certificate as the endpoint associates to the network.
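
The pre-provisioning route mentioned above, as an added example that is not part of the thread and not Cisco's or Apple's own tooling: a script that builds an iOS Wi-Fi configuration profile (.mobileconfig) in which the PEAP payload pins the CA that signed the ISE EAP certificate and the server names it will accept, so the supplicant validates the RADIUS server instead of aborting the TLS handshake or asking the user to "Trust" a certificate blindly. The SSID, server names, organisation and identifiers are assumptions, and the CA bytes are a constructed placeholder rather than a real certificate.

```python
"""Build an iOS .mobileconfig that pre-trusts the ISE EAP server certificate for PEAP.

Added example, not code from the original thread. SSID, server names, organisation
and identifiers are assumptions; ASSUMED_CA_DER is a constructed placeholder.
"""
import plistlib
import uuid

# Constructed placeholder for the DER-encoded CA that signed the ISE EAP cert.
# Replace with real DER bytes, e.g. from: openssl x509 -in ca.pem -outform DER
ASSUMED_CA_DER = b"\x30\x82\x01\x00placeholder-not-a-real-certificate"


def _new_uuid():
    return str(uuid.uuid4()).upper()


def build_wifi_profile(ssid, trusted_server_names, ca_der, org="Example Corp",
                       ca_display_name="ISE EAP Root CA"):
    """Return the profile as a plist-ready dict.

    Two payloads: a root-CA payload, and a managed Wi-Fi payload whose
    EAPClientConfiguration anchors trust to that CA (PayloadCertificateAnchorUUID)
    and restricts the accepted certificate names (TLSTrustedServerNames).
    """
    ca_uuid, wifi_uuid, profile_uuid = _new_uuid(), _new_uuid(), _new_uuid()

    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.ise.ca.{ca_uuid}",   # assumed identifier
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": ca_display_name,
        "PayloadContent": ca_der,
    }

    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.ise.wifi.{wifi_uuid}",  # assumed identifier
        "PayloadUUID": wifi_uuid,
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],                       # 25 = PEAP (inner MSCHAPv2 carries AD creds)
            "TLSTrustedServerNames": list(trusted_server_names),
            "PayloadCertificateAnchorUUID": [ca_uuid],    # trust only certs chaining to this CA
            "TLSAllowTrustExceptions": False,             # no "Trust" prompt: mismatch fails closed
            "UserName": "",                               # empty: user is prompted for AD credentials
        },
    }

    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "User",
        "PayloadIdentifier": f"com.example.ise.profile.{profile_uuid}",  # assumed identifier
        "PayloadUUID": profile_uuid,
        "PayloadDisplayName": f"{org} Wi-Fi (PEAP)",
        "PayloadOrganization": org,
        "PayloadContent": [ca_payload, wifi_payload],
    }


def validate_profile(profile):
    """Checks to run before pushing: every Wi-Fi payload must anchor to a CA payload
    present in the same profile, name at least one trusted server, and not allow
    the user to override a failed check. Returns a list of problems (empty = OK)."""
    problems = []
    payloads = profile["PayloadContent"]
    ca_uuids = {p["PayloadUUID"] for p in payloads
                if p["PayloadType"] == "com.apple.security.root"}
    for p in payloads:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        name = p["PayloadDisplayName"]
        eap = p.get("EAPClientConfiguration", {})
        if not eap.get("TLSTrustedServerNames"):
            problems.append(f"{name}: no TLSTrustedServerNames; any cert from the anchor CA is accepted")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append(f"{name}: no PayloadCertificateAnchorUUID; server cert is not pinned to a CA")
        for anchor in anchors:
            if anchor not in ca_uuids:
                problems.append(f"{name}: anchor {anchor} has no matching com.apple.security.root payload")
        if eap.get("TLSAllowTrustExceptions", True):
            problems.append(f"{name}: TLSAllowTrustExceptions is on; users can override a failed check")
    return problems


def to_mobileconfig(profile):
    """Serialise to XML plist bytes, ready to sign (optional) and deliver to the device."""
    return plistlib.dumps(profile)


def roundtrip(profile):
    """Parse the serialised profile back; useful to confirm nothing was dropped."""
    return plistlib.loads(to_mobileconfig(profile))


if __name__ == "__main__":
    prof = build_wifi_profile("CorpWiFi", ["ise-psn1.corp.example.com"], ASSUMED_CA_DER)
    assert validate_profile(prof) == []
    with open("corp-wifi-peap.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(prof))
```

The names in TLSTrustedServerNames must match the subject of the certificate ISE presents for EAP, so check that certificate (and which CA signed it) on the ISE node under the certificates page quoted in the error before generating the profile; a profile that pins the wrong CA fails in exactly the same way the thread describes. The profile can be delivered by any of the channels howon lists (MDM/EMM, Apple Configurator, or an ISE provisioning portal).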

 

RaffyLindogan
Spotlight
Accepted Solution

Hi mate,

As an interim solution, I would suggest doing MAB for authentication and a redirect to a portal for users during authorization.

The redirect portal would use internal users and AD as its authentication flow.
There are lots of other possible options, but this is what I would personally go for.

That would be faster until you can deploy certificates on the mobiles.

Cheers,

Raffy

Thanks for that, never thought of trying it that way.

Shall give it a go.