
ISE-Peap

edondurguti
Level 4

Hi

I'm rolling out!

I have seen a couple of people with Win7 that cannot authenticate to ISE:

12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

I've thought of this: maybe get a 3rd party cert (GoDaddy) and have that installed in ISE.

I know i do have to make a CSR Cert.Sign.Request that matches cn=primary.ise.mydomain, would I also need a cert for secondary?

OR:

If I use LEAP as a preferred protocol then it doesn't ask for cert and users are authenticated successfully.

I know they have to say "do not validate cert" and all that, but sometimes it doesn't pop up for them; they just can't get on.

Again, maybe going with 3rd party certs will make it easier while benefiting from using PEAP?


Thanks.


5 Replies

Tarik Admani
VIP Alumni

Hi,

If the clients are your domain users, I would suggest using autoenrollment or a GPO to push out your internal root CA if you have a PKI environment.

If you don't have one, it is pretty simple and straightforward to set up. There is plenty of TechNet documentation that will walk you through it.

thanks,

Tarik Admani
*Please rate helpful posts*

edondurguti
Level 4

I don't have one, and the situation is where I can't get one. Would LEAP be a problem? Would 3rd party certs solve the problem? Cuz my company doesn't want a CA server and I will not try to convince them lol

Sent from Cisco Technical Support iPhone App

LEAP will not support machine authentication if you decide to go that route. It would be best to use a 3rd party cert; if you plan on using BYOD, then use the iOS release notes from Apple to see which root CAs come pre-installed:

http://support.apple.com/kb/HT5012

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks,

I will most likely go with a 3rd party cert; GoDaddy is supported by iOS (given the link you provided).

I will only need one cert for the primary fqdn node right?

There is a bug in ISE that doesn't allow you to use the same certificate for the EAP interface (since you can designate which cert you want for either HTTPS or EAP). You should be able to present the same cert for EAP purposes across your RADIUS servers. In the end you will need a cert for each of your Policy Service Nodes.

Tried to find the bug (but the toolkit isn't working for me).

Thanks,

Tarik Admani
*Please rate helpful posts*
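The CSR question in the original post and the cert-per-node answer above both come down to the same check the supplicant performs: is the issuing root of the ISE EAP certificate in the client's trust store? The script below is an added example, not code from the thread or from Cisco; it uses openssl to build a throwaway root CA and an ISE-style EAP server certificate (CN and SAN set to the thread's placeholder FQDNs, assumed to be `primary.ise.mydomain` and `secondary.ise.mydomain`), then reproduces the two outcomes: a trust store without the issuing root rejects the cert (the 12520-style failure), a trust store with it accepts.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA + ISE-style EAP cert,
# then a supplicant-style trust check against two different trust stores.
set -e
WORK=$(mktemp -d)
ISE_FQDN="primary.ise.mydomain"          # placeholder primary node FQDN
ISE_SECONDARY="secondary.ise.mydomain"   # placeholder secondary node FQDN

# Root CA that signs the ISE cert (stands in for GoDaddy or an internal PKI root)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
# Unrelated root: what a Win7 box has when the issuing root was never installed
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other Root CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# CSR config: CN matches the primary FQDN, SAN lists every node presenting it
cat > "$WORK/ise.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $ISE_FQDN
[ext]
subjectAltName = DNS:$ISE_FQDN, DNS:$ISE_SECONDARY
extendedKeyUsage = serverAuth
EOF
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ise.cnf" \
  -keyout "$WORK/ise.key" -out "$WORK/ise.csr" >/dev/null 2>&1
# Issue the EAP server cert from the CSR, keeping the SAN and EKU extensions
openssl x509 -req -in "$WORK/ise.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/ise.cnf" -extensions ext \
  -out "$WORK/ise.pem" >/dev/null 2>&1

# Returns 0 when the trust store in $1 (a CA bundle file) accepts the ISE cert,
# which is the decision a PEAP supplicant makes before sending credentials.
supplicant_trusts() {
  openssl verify -CAfile "$1" "$WORK/ise.pem" >/dev/null 2>&1
}

# Prints the DNS names the issued cert carries, one per line
cert_dns_names() {
  openssl x509 -in "$WORK/ise.pem" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}
```

Running `supplicant_trusts "$WORK/other.pem"` fails and `supplicant_trusts "$WORK/ca.pem"` succeeds; the fix on the client side is the same either way, get the issuing root into the trust store (GPO push of an internal root, or a public root the OS already ships).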