10-02-2017 09:59 AM
Hi, does anyone know the procedure to follow when a new ISE certificate is generated (used for Admin, Portal, EAP Authentication, RADIUS DTLS) and the BYOD devices in the network are trusting the old certificate?
I am activating the new certificate, but the BYOD devices cannot complete the connection.
Authentication Details:
Failure Reason: 12521 EAP-TLS failed SSL/TLS handshake after a client alert
Resolution: Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Root cause: EAP-TLS failed SSL/TLS handshake after a client alert
Thanks,
10-03-2017 11:43 AM
Did you also change any of the certificates in your trusted store? For ISE to authenticate a client certificate, the root CA certificate of the client certificate chain needs to be imported into the ISE trusted store and marked trusted for client authentication. And, if the client is not sending the full chain, then any intermediate CA certificates also need to be imported into the trusted store.
If ISE 2.1 or prior, please note CSCve39546 -- a known issue with RSASSA-PSS.
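The two trust failures discussed in this thread, the supplicant still trusting only the old server certificate's issuer (the original question) and the ISE trusted store missing an intermediate CA from the client chain (the reply above), can both be reproduced outside ISE with plain openssl. The script below is an added lab example, not part of the original thread and not Cisco's tooling: it mints a throwaway PKI in a temporary directory, uses PEM bundles as stand-ins for the ISE trusted store and the supplicant's trusted CAs, and runs `openssl verify` the way each side validates the peer certificate in the EAP-TLS handshake. All CA names, hostnames and file names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical PKI, not from the thread): reproduce the chain and
# trust-store failures behind "EAP-TLS failed SSL/TLS handshake" with openssl.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the certificates we mint.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > client.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
EOF
cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF

# self_signed PREFIX CN : root CA in PREFIX.pem / PREFIX.key
self_signed() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 365 \
    -extfile ca.ext -out "$1.pem" >/dev/null 2>&1
}

# issue PREFIX CN ISSUER EXTFILE : certificate signed by ISSUER's key
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 365 -extfile "$4" -out "$1.pem" >/dev/null 2>&1
}

# verify_chain STORE LEAF [PRESENTED_INTERMEDIATE] : prints OK or FAIL.
# STORE stands in for the trusted store (ISE's for client certs, the
# supplicant's for the EAP server cert); the optional third argument is an
# intermediate the peer presents in the handshake but which is not itself trusted.
verify_chain() {
  if [ $# -eq 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

build_lab() {
  # Client side: the BYOD device cert hangs off an intermediate under its own root.
  self_signed client-root "BYOD Root CA"
  issue client-int "BYOD Issuing CA" client-root ca.ext
  issue byod-device "byod-device-01" client-int client.ext
  # Server side: the PSN's EAP certificate was re-issued from a different root.
  self_signed old-root "Old Corp Root CA"
  issue old-eap "ise-psn.example.net" old-root server.ext
  self_signed new-root "New Corp Root CA"
  issue new-eap "ise-psn.example.net" new-root server.ext
  # Stand-ins for the ISE trusted store, before and after importing the intermediate.
  cat client-root.pem > ise-store-root-only.pem
  cat client-root.pem client-int.pem > ise-store-with-int.pem
  # Stand-ins for the supplicant's trusted CAs, before and after pushing the new root.
  cat old-root.pem > supplicant-old.pem
  cat old-root.pem new-root.pem > supplicant-updated.pem
}
build_lab

echo "ISE store: root only,   device sends leaf only:        $(verify_chain ise-store-root-only.pem byod-device.pem)"
echo "ISE store: root only,   device sends intermediate too: $(verify_chain ise-store-root-only.pem byod-device.pem client-int.pem)"
echo "ISE store: root+int,    device sends leaf only:        $(verify_chain ise-store-with-int.pem byod-device.pem)"
echo "Supplicant: old root,     new PSN EAP cert:            $(verify_chain supplicant-old.pem new-eap.pem)"
echo "Supplicant: old+new root, new PSN EAP cert:            $(verify_chain supplicant-updated.pem new-eap.pem)"
```

The first three lines of output show the reply's point: with only the root in the store, a device that sends just its leaf fails (`unable to get local issuer certificate` in the openssl error stack), while either the device presenting the intermediate or the intermediate being imported into the store makes the chain build. The last two lines show the original question: a supplicant still holding only the old root rejects the new PSN EAP certificate, which is the client alert ISE logs as failure 12521, until the new root is trusted on the device (for BYOD, typically by re-running onboarding so the new profile carries the new CA).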
10-04-2017 09:53 AM
Today I ran into this error in our alpha deployment. In my case, the PSN system certificate used to sign the configuration profile on my Apple iDevice expired. I removed the profile and re-did the BYOD to get my device back online.