ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

jrodriguez
Level 1

Hello, I'm stuck on this problem for 3 weeks now.

I'm not able to configure EAP-TLS authentication.
In the "Certificate Store" of the ISE server I have installed the Root, Policy and Issuing certificates as "trust for client authentication", and in the Local store I have a certificate issued by the same issuing authority that signs the client ones.
The ISE's certificate has been issued with the "Server Authentication" certificate template.
The clients have the certificates installed, as well as the certificate chain.
When I try to authenticate the wireless clients I always get the same error: "Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
and "OpenSSLErrorMessage=SSL alert
code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
I don't know what else I can do.

Thank you
Jorge

2 Accepted Solutions

Accepted Solutions

I was doing a few tests today and I got the same error on ISE running 1.4.0.253 patch 6. The workaround suggested in bug CSCtq31131 did not work.

During my tests I basically removed the CA certs from the Trusted Certificates List and imported them back into ISE, and after that the EAP-TLS AUTHC did not work even though on each certificate I checked the box located at:

Trusted Certificates List --- > CA Certificate --- > USAGE --- > Trusted For: --- > Trust for authentication within ISE

AND saved the changes. Once I did this for each trusted cert (Root & Intermediate), I stopped and restarted the ISE services with no luck.

Then I decided to start playing with the certs individually and first checked the box "TRUST for client authentication and Syslog" (a sublevel of the path indicated above) for the Intermediate CA cert of the chain (ISE Trusted Certificates list). I saved the changes and it did not work (I did not re-initialize the ISE services).

Finally I repeated the same steps for the Root CA Cert of the chain, checked the sublevel box as mentioned in the previous paragraph and the EAP-TLS worked fine.

I will ask Cisco TAC and BU what is the difference between the "AUTHENTICATION WITHIN ISE" and the "FOR CLIENT AUTHENTICATION AND SYSLOG" boxes for EAP Authentication.


I had the same issue and resolved it by editing the root certificate of the CA and choosing all options, including client and syslog, as mentioned by Camacho in the previous post.

Thanks, OA
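Both accepted answers come down to the same rule: the handshake succeeds only when the chain the supplicant presents ends at a self-signed root that ISE trusts for client authentication. The shell script below is an added example, not code from any post in this thread; it assumes the openssl CLI is installed, and every CA and host name in it is constructed for the test.

```shell
#!/bin/sh
# Build a disposable 3-tier PKI (root -> issuing CA -> client), then verify the client
# certificate against different trust stores. Added example; all names are constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# make_csr PREFIX CN: fresh RSA key plus CSR, no passphrase (test material only)
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

make_csr root TEST-ROOT                        # plays the role of the self-signed root CA
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null
make_csr issuing TEST-ISSUING                  # plays the role of the policy/issuing CA
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
  -extfile ca.ext -out issuing.pem 2>/dev/null
make_csr client client01                       # the supplicant's EAP-TLS certificate
openssl x509 -req -in client.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial -days 1 \
  -extfile leaf.ext -out client.pem 2>/dev/null
cat issuing.pem root.pem > sent_chain.pem      # chain a supplicant typically sends with its cert

# verify_client STORE [SENT]: STORE is the trusted-CA file (the certificates ISE trusts for
# client authentication); SENT is the untrusted chain presented by the client, if any.
# Exit status is 0 only when the chain ends at a self-signed root contained in STORE.
verify_client() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" client.pem 2>&1
  else
    openssl verify -CAfile "$1" client.pem 2>&1
  fi
}

cp issuing.pem store_intermediate_only.pem     # intermediate trusted, root not: the ISE symptom
cp root.pem store_root.pem                     # self-signed root trusted: the fix in this thread

verify_client store_intermediate_only.pem sent_chain.pem || echo "-> rejected: root not trusted"
verify_client store_root.pem sent_chain.pem    # prints "client.pem: OK"
verify_client store_root.pem || echo "-> rejected: client sent no intermediate"
```

The third case mirrors the later reply about clients presenting a different intermediate than expected: a trusted root alone is not enough if the supplicant does not send the intermediate that actually signed its certificate.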


15 Replies

Richard Atkin
Level 4

What CA are you using and how many intermediate certs are in the chain?

Hi Rik,

Below are the certificate details:

ISE Certificate Signed by XX-CA-PROC-06

User PKI Signed by XX-CA-OTHER-08

In the ISE certificate store I have the below certificates:

XX-CA-OTHER-08 signed by XX-CA-ROOT-04

XX-CA-PROC-06 signed by XX-CA-ROOT-04

XX-CA-ROOT-04 signed by XX-CA-ROOT-04

ISE certificate signed by XX-CA-PROC-06

I have enabled 'Trust for client authentication' on all three certificates.

This is unchecked: 'Enable Validation of Certificate Extensions (accept only valid certificate)'.

When I check the certificates of the current user on the client PC, this is how it shows:

XX-CA-ROOT-04 is listed in Trusted Root Certification Authorities

and XX-CA-PROC-06 and XX-CA-OTHER-08 are in Intermediate Certification Authorities

I'm not sure about ISE, but other Cisco WLAN products have a limitation whereby they only support one intermediate cert, could be something like that? Do you have access to an alternative PKI that has a shorter chain that you can use for testing?

Thanks for your answer RikJonAtk,

As you guessed, my certificate chain has a Root, then a Policy, then an Issuing CA and finally the certificate. I've tested with a 2-level PKI (Root and Issuing) and the result was similar.

The same certificate with the same 3-tier structure works on an ACS server for a laptop but not for an iPad.

------------------------- Edit-----

OK, no problem with the iPad either. It needed a reset of the network settings. So there is no problem authenticating clients with ACS and a 3-tier PKI structure, but the same certificates don't work in ISE.

jrodriguez
Level 1

OK, I've opened a TAC case because of a possible bug in version 1.1.4.

One of the symptoms is this: when I try to export a certificate from "Local Certificates", the ISE application service is reloaded (you can see it from the console).

This bug should not affect the primary problem, the EAP-TLS authentication; maybe the 3-tier certificate chain is the problem.

Hi Jorge,

Did you get anything back from Cisco on this? I have run into a similar issue. It would be interesting to know if this is a bug or a misconfig on my side!

Thanks

Brian

I ran into an issue today where my client machines had multiple certificates with the same CN, even though we lined up the certs that were installed on the client by validating serial numbers. We ran a packet capture of the RADIUS transaction and found that the client was sending a different intermediate and root than what was used in the chain for the client cert... really strange and odd, but in our case this wasn't an ISE issue.

Make sure you go through the certificate settings on the client and validate that there aren't any duplicate certs with the same CN present in the client's chain.


jrodriguez
Level 1

Sorry for the delay in the answer.

It took Cisco TAC 2 months to solve the problem. In the end there was a bug in version 1.1.4: when I tried to export the certificate, the GUI restarted itself.

But the real problem was the conversion of the certificate from .pfx to .pem. It seems that the version of OpenSSL wasn't working properly. The good one (for me) is version 0.9.8k.

It was a weird problem because the same certificate that works with an ACS server wasn't working with ISE.

Hope this helps.

I know this is an old thread but do you happen to have the BUG ID? I have a client that just contacted me that is running ISE 1.1.4 and is having exactly the same issue. 

Hi Neno,

Are you talking about this defect:

CSCud00831    eap-tls authentications start failing after a while decrypt error

~ Jatin


No, the customer of mine that I was helping is getting the exact same error that is in this thread:

EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

The strange part is that they are only getting this error when trying to authenticate clients with certificates from their new Certificate Authority. Clients that have certificates from the old certificate authority are working fine.

Here are the details:

ISE:

Version - 1.1.3 - Patch 8

EAP Certificate - Issued from the old Certificate Authority (CA-1)

Certificate Store - Has the Root Certificates from both the old certificate authority (CA-1) and from the new one (CA-2). Both of them are set to be trusted for client authentications.

Clients:

Version - Windows 7 - SP1

EAP Certificate - Issued from the new Certificate Authority (CA-2)

Certificate Store - Has both root certificates from the old (CA-1) and new (CA-1) certificate authorities. 

The supplicant is set to trust both CAs

While doing a bug scrub I ran across this one that I think my customer might be facing:

https://tools.cisco.com/bugsearch/bug/CSCtq31131


I'd suggest testing the Windows client with:

1.] Set the supplicant to trust the new CA only.

2.] The supplicant cert store should have a client cert issued by the new CA only.

~ Jatin

