ISE trusted certificates - 1.1.1 bug??

Gustavo Novais · ‎08-23-2012

Hello,

I'm authenticating a few Cisco Phones towards ISE via EAP-TLS, and all was working on version version 1.1.

Now that we've upgraded to 1.1.1, I've reimported Cisco's Manufacturing CA and Root CA certificates into ISE, and marked them for trust for EAP-TLS authentications, but when phones authenticate I keep getting the message that they've presented an unknown CA certificate in their certificate request, and obviously we are failing EAP-TLS, but I'm pretty sure the certificates are well imported into ISE, so they should pass the validation.

Is anybody aware of a bug of some sort with this?

I read a post where somebody stated that now ISE would only support one certificate for EAP-TLS auth...

If somebody can provide further details...

Thanks

Gustavo Novais

Naveen Kumar · ‎05-01-2013

Hello,

The bug has been resolved in the new update of ISE 1.1.2 and the higher versions.

Ref. Link: http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html

Jatin Katyal · ‎05-02-2013

The defect that I come across even I had all the certs installed correctly.

CSCud00831 eap-tls authentications start failing after a while x509 decrypt error

Symptom:

EAP-TLS authentications fail with "X509 decrypt error"

Conditions:

Visiting backup/restore page or performing an automatic scheduled backup

without visiting the backup/restore page

Workaround:

Do not visit backup page. Disable scheduled backup. Separate Policy

Services. Node on deployment from Administrative or Monitoring Node.

The fix will be available in ISE 1.1.3

Jatin Katyal

- Do rate helpful posts -

~Jatin