ISE

Sudhir Yadav
Level 1

Hi,

I have deployed ISE version 2.0.0.306 nodelist.version.label.patch, in which we are receiving one error related to one node:

12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

So please suggest what is the way out for it.

Sudhir

4 Replies

Rahul Govindan
VIP Alumni

What supplicant are you using for your PEAP session? Windows Native or AnyConnect? You would have to uncheck the validate server certificate option on both if the ISE is presenting a self-signed cert or a certificate not trusted by the client. If only one client is receiving this message and everyone else works OK, I would check the client certificate store to see if the CA cert of the CA issuing the ISE cert is present in the "Trusted Root Certificate Authority" store.

Rahul, first of all, thanks for your comments.

We are using Windows native, as we have around 350 Windows machines, but 3-4 machines are giving this kind of error, so let me check the certificates of those nodes.

But one confusion: how will I come to know whether the ISE cert is present or not?

Sudhir, if you are using IE, then go to Internet Option -> Content -> Certificates -> Trusted Root Certificate Authority and look for the certificate issued by ISE.

You can look for user certificates as Ravi mentioned above. I would also look at the following for local machine certificate store:

1) Open Run and type "mmc". This will open Microsoft Management Console.

2) File > Add/Remove Snap-in.

3) Choose Certificates > choose Local computer account.

4) Check for the ISE EAP cert under Trusted Root Authorities of the computer account.
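
The same check as the store walkthroughs above, scripted for an affected client. This is an added example, not part of any reply in the thread; it assumes the ISE EAP certificate has been exported to a .cer file, and the path below is a placeholder.

```powershell
# Added example. Assumption: the ISE EAP certificate was exported to this
# placeholder path (Base-64 or DER .cer); the path is not from the thread.
param([string]$IseCertPath = 'C:\Temp\ise-eap.cer')

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $IseCertPath

# Build the chain in machine context ($true) with revocation lookups off,
# so the result reflects only what is in the local computer's stores.
$chain = New-Object "$x509.X509Chain" -ArgumentList $true
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)

# Walk the chain from the ISE certificate up to its root and show which
# store holds each certificate (computer account vs. current user).
$report = foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    New-Object PSObject -Property @{
        Subject       = $c.Subject
        Issuer        = $c.Issuer
        Thumbprint    = $c.Thumbprint
        NotAfter      = $c.NotAfter
        InMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($c.Thumbprint)"
        InUserRoot    = Test-Path "Cert:\CurrentUser\Root\$($c.Thumbprint)"
        InMachineCA   = Test-Path "Cert:\LocalMachine\CA\$($c.Thumbprint)"
    }
}
$report | Format-List Subject, Issuer, Thumbprint, NotAfter,
                      InMachineRoot, InUserRoot, InMachineCA

# Summarise why the chain is or is not trusted on this machine.
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
if ($trusted) {
    "OK: chain ends in a trusted root: $($top.Subject)"
} elseif ($flags -contains 'PartialChain') {
    "Incomplete chain: no certificate found for issuer '$($top.Issuer)'"
} elseif ($flags -contains 'UntrustedRoot') {
    "Root '$($top.Subject)' is not in the computer's Trusted Root store"
} else {
    "Chain built to a trusted root but failed another check (see below)"
}
# Every chain error, for example an expired certificate, is listed here.
$chain.ChainStatus |
    ForEach-Object { "{0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
```

Running it on one of the failing machines and on a working one shows which root or intermediate is missing from the affected client.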