10-23-2013 08:52 AM - edited 03-10-2019 09:01 PM
I recently switched the authentication type from password based to client certificate based. I set up the Certificate Authentication Profile, Identity Source and imported the Active Directory groups I was attempting to use. Once I restarted the application I could no longer access the web UI.
When I attempt to access the web ui I'm prompted for my certificate which I supply and then I get an authentication failure message. I was reading online and someone suggested using the CLI and issuing the following command: application start ise safe
This command restarted the application but when I attempted to login afterwards the page prompted me for certificates again but didn't display anything.
Is there anything I can do to remedy this issue or do I need to start over?
Thanks!
10-29-2013 08:29 AM
What browser are you using? Check:
http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp351028
10-29-2013 08:39 AM
I'm using IE 10 and Firefox 24.
I ended up just starting from scratch as I was completely unable to access the admin ui after having improperly set the certificate authentication. Ultimately I'll have to attempt to enable this feature again.
There has to be a way to allow both certificate based authentication and local user admin access. It would also be surprising if you're unable to reset the admin ui after a misconfiguration.
If anyone has any advice it would be much appreciated.
10-29-2013 10:01 AM
Please check the below guide for step by step configuration of Certificate:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html
04-08-2014 08:49 AM
I've had a couple TAC cases open on this and still haven't figured out the issue. I'm unable to regain access to the admin GUI even though a safe start is supposed to work. Apparently there is an open bug:
https://tools.cisco.com/bugsearch/bug/CSCun74285/?reffering_site=dumpcr
04-08-2014 10:17 AM
Hi Cole,
Same here... mine is 1.2.0.899 with Patch 7... The command is simple but I cannot believe there is a bug on it... hopeless
Anyway, thanks for your update.
04-14-2014 12:50 PM
I think we've finally discovered all the issues.
Problem #1: CAC enabled Admin Access fails
Solutions: In our deployment we have domain controllers that are internal to our network and then we have DCs that reside outside of the firewall. I incorrectly assumed that ISE would work in conjunction with Sites and Services. ISE instead chooses which DC it's going to authenticate off by doing a simple DNS lookup; in our case ISE would attempt to communicate to DCs that were external, which would then be filtered by the firewall. I'm still working with TAC to solve this issue, which may include modifying the hosts file.
Problem #2: Unable to recover from failed CAC enable
Solution: You're supposed to be able to access the CLI and issue a safe start to recover from this issue. It currently doesn't work and is a known bug:
https://tools.cisco.com/bugsearch/bug/CSCun74285/?reffering_site=dumpcr
I hope others benefit from these struggles... it was very painful.