cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
898
Views
5
Helpful
3
Replies

ISE - PEAP Failed SSL/TLS handshake - Iphones to corp Network

tom.miller1
Beginner
Beginner

Hi all

 

We have work mobiles (Iphones) that are to connect to the Business Wireless, I have setup auth rules for the phones where devices have to authenticate with AD creds on a device to access the network (A bit BYOB i guess).

 

But I am getting

 

PEAP failed SSL/TLS handshake after a client alertCheck whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is properly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.

 

These devices have not got a cert pushed on them and have no way of doing it (Other than maybe the ISE ?)

 

Is there a way to allow these devices to connect without checking Validating the Cert and just having them auth with their AD creds?

 

Long term will be putting certificates on the end points and doing it this way, but until then need a interim solution.

 

Running ISE Version 2.2

 

Cheers

1 Accepted Solution

Accepted Solutions

RaffyLindogan
Beginner
Beginner

Hi mate,

 

I would suggest for interim solution is to do MAB for authentication and do a redirect portal for users during authorization.

Redirect portal will be using authentication flow as internal and AD.
There are lots of other possible options but this is what I would personally go to.

That would be faster until you can deploy certificates on the mobile.

 

Cheers,

 

Raffy

View solution in original post

3 Replies 3

howon
Cisco Employee
Cisco Employee

That message is basically saying ISE is not trusted by the endpoint. Most, if not all, EAP types supported between iOS device and ISE requires verification of RADIUS server before iOS device sends its credential. Aside from pre-provisioning iOS WiFi settings via profiles crafted with IPCU, macOS server, MDM/EMM, or ISE no easy way for end user to validate the RADIUS cert. If you are not concerned about users trusting RADIUS server, you can simply instruct the user to trust the ISE RADIUS certificate as the endpoint is associated to the network.

 

RaffyLindogan
Beginner
Beginner

Hi mate,

 

I would suggest for interim solution is to do MAB for authentication and do a redirect portal for users during authorization.

Redirect portal will be using authentication flow as internal and AD.
There are lots of other possible options but this is what I would personally go to.

That would be faster until you can deploy certificates on the mobile.

 

Cheers,

 

Raffy

Thanks for that, never thought of trying it that way.

shall give it a go
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers