05-09-2019 02:53 AM
Hi all
We have work mobiles (iPhones) that are to connect to the Business Wireless. I have set up auth rules for the phones where devices have to authenticate with AD creds on the device to access the network (a bit BYOD, I guess).
But I am getting:

PEAP failed SSL/TLS handshake after a client alert

Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page (Administration > System > Certificates > Local Certificates). Also ensure that the certificate authority that signed this server certificate is properly installed in the client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
These devices have not got a cert pushed to them and have no way of doing it (other than maybe the ISE?).
Is there a way to allow these devices to connect without validating the cert and just having them auth with their AD creds?
Long term we will be putting certificates on the endpoints and doing it this way, but until then we need an interim solution.
Running ISE Version 2.2
Cheers
05-09-2019 06:25 PM
Hi mate,
For an interim solution I would suggest doing MAB for authentication and a redirect portal for users during authorization.
The redirect portal would use internal and AD as the authentication flow.
There are lots of other possible options, but this is what I would personally go with.
That would be faster until you can deploy certificates on the mobiles.
Cheers,
Raffy
05-09-2019 12:47 PM
That message is basically saying ISE is not trusted by the endpoint. Most, if not all, EAP types supported between an iOS device and ISE require verification of the RADIUS server before the iOS device sends its credential. Aside from pre-provisioning iOS Wi-Fi settings via profiles crafted with IPCU, macOS Server, MDM/EMM, or ISE, there is no easy way for the end user to validate the RADIUS cert. If you are not concerned about users trusting the RADIUS server, you can simply instruct the user to trust the ISE RADIUS certificate as the endpoint is associated to the network.