Hi, does anyone know the procedure to follow when a new ISE certificate is generated (used for Admin, Portal, EAP Authentication, RADIUS DTLS) and the BYOD devices in the network trust the old certificate?
I am activating the new certificate, but the BYOD devices cannot complete the connection.
Authentication Details:
Failure Reason: 12521 EAP-TLS failed SSL/TLS handshake after a client alert
Resolution: Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Root cause: EAP-TLS failed SSL/TLS handshake after a client alert
Thanks,
Did you also change any of the certificates in your trusted store? For ISE to authenticate a client certificate, the root CA certificate of the client certificate chain needs to be imported into the ISE trusted store and marked as trusted for client authentication. And, if the client is not sending the full chain, then any intermediate CA certificates also need to be imported into the trusted store.
If ISE 2.1 or prior, please note CSCve39546 -- a known issue with RSASSA-PSS.
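As an added illustration of the chain-building point in the reply above (this is not code from the thread, from Cisco or from ISE), the script below uses the openssl CLI to build a throwaway root > intermediate > client chain and then runs the three verification cases: root only with the client sending just its leaf, root only with the client sending its full chain, and root plus intermediate both in the trusted store. The CA and user names, the PKI_DIR variable and the extension profiles are all made up for the example.

```shell
#!/bin/sh
# Added example (not from this thread): a throwaway PKI built with the openssl
# CLI to show why a client certificate fails to verify when neither the
# supplicant nor the trusted store supplies the intermediate CA.
# Hypothetical names only: "Example Root CA", "Example Issuing CA", "byod-user".
set -e

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Minimal OpenSSL config: one extension profile for CAs, one for the client leaf.
write_openssl_config() {
    cat > "$PKI_DIR/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Build root -> intermediate -> client, the shape most BYOD/MDM-issued certs have.
build_test_pki() {
    write_openssl_config
    (
        cd "$PKI_DIR"
        # Root CA: this is what gets imported into the ISE trusted store.
        openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -days 365 -subj "/CN=Example Root CA" \
            -config pki.cnf -extensions v3_ca -keyout root.key -out root.pem 2>/dev/null
        # Intermediate (issuing) CA, signed by the root.
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -subj "/CN=Example Issuing CA" -config pki.cnf \
            -keyout inter.key -out inter.csr 2>/dev/null
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 365 -extfile pki.cnf -extensions v3_ca -out inter.pem 2>/dev/null
        # Client (supplicant) certificate issued by the intermediate.
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -subj "/CN=byod-user" -config pki.cnf \
            -keyout client.key -out client.csr 2>/dev/null
        openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
            -days 365 -extfile pki.cnf -extensions v3_client -out client.pem 2>/dev/null
        # A trusted store that holds both the root and the intermediate.
        cat root.pem inter.pem > store.pem
    )
}

# Case 1: only the root is trusted and the client presents just its own cert.
verify_root_only() {
    openssl verify -CAfile "$PKI_DIR/root.pem" "$PKI_DIR/client.pem" >/dev/null 2>&1
}

# Case 2: the client sends its full chain (intermediate supplied as untrusted input).
verify_client_sends_chain() {
    openssl verify -CAfile "$PKI_DIR/root.pem" -untrusted "$PKI_DIR/inter.pem" \
        "$PKI_DIR/client.pem" >/dev/null 2>&1
}

# Case 3: the intermediate has been imported into the trusted store.
verify_intermediate_in_store() {
    openssl verify -CAfile "$PKI_DIR/store.pem" "$PKI_DIR/client.pem" >/dev/null 2>&1
}

# $1 = label, $2 = name of a verify function above
show_result() {
    if "$2"; then
        echo "$1: OK"
    else
        echo "$1: FAILED (chain could not be built to a trusted root)"
    fi
}

main() {
    build_test_pki
    show_result "root only, client sends leaf only" verify_root_only
    show_result "root only, client sends leaf + intermediate" verify_client_sends_chain
    show_result "root + intermediate in trusted store" verify_intermediate_in_store
}

main
```

Only the first case fails, which is the situation the reply describes: the supplicant sends a leaf issued by an intermediate that the server has never seen. Note that openssl verify only models chain building; ISE's separate "trust for client authentication" flag on the imported CA is an ISE setting and is not reproduced here.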
Today I ran into this error in our alpha deployment. In my case, the PSN system certificate used to sign the configuration profile on my Apple iDevice expired. I removed the profile and re-did the BYOD to get my device back online.