New ISE Certificate and BYOD devices not trusting in ISE

Hi, does anyone know the procedure to follow when a new ISE certificate is generated (used for Admin, Portal, EAP Authentication, RADIUS DTLS) and the BYOD devices on the network trust the old certificate?

I am activating the new certificate, but the BYOD devices cannot complete the connection.

Authentication Details:

Failure Reason: 12521 EAP-TLS failed SSL/TLS handshake after a client alert

Resolution: Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.

Root cause: EAP-TLS failed SSL/TLS handshake after a client alert

Thanks,

Cisco Employee

Did you also change any of the certificates in your trusted store? For ISE to authenticate a client certificate, the root CA certificate of the client certificate chain needs to be imported into the ISE trusted store and marked as trusted for client authentication. And if the client is not sending the full chain, then any intermediate CA certificates also need to be imported into the trusted store.

If you are on ISE 2.1 or prior, please note CSCve39546 -- a known issue with RSASSA-PSS.
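The trust-store rule in the reply above, shown with openssl(1) as an added example that is not Cisco's or ISE's code: it builds a constructed root -> intermediate -> client chain in a temporary directory and then runs the check a RADIUS server performs on the supplicant's certificate, once with the supplicant presenting only its leaf and once with the intermediate alongside it, against a store holding only the root, root plus intermediate, or only the intermediate. All CA names, subjects and file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not ISE's code: a stand-in for the EAP-TLS client-certificate
# check ISE performs, using openssl(1). All names and files below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the CA certificates carry basicConstraints regardless
# of whatever system openssl.cnf is (or is not) present.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Demo Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the intermediate CA and for the BYOD client leaf.
cat > "$WORK/ca_ext.cnf" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
cat > "$WORK/leaf_ext.cnf" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

# Constructed PKI: self-signed root -> intermediate -> client certificate.
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=Demo Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 365 -extfile "$WORK/ca_ext.cnf" -out "$WORK/int.pem" 2>/dev/null
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=byod-phone-01" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 365 -extfile "$WORK/leaf_ext.cnf" -out "$WORK/client.pem" 2>/dev/null

# A trust store that holds both the root and the intermediate, as the reply
# recommends when supplicants send only their leaf.
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/root_and_int.pem"

# The RADIUS-side check. $1 = trust store PEM (what ISE has imported),
# $2 = extra certificate(s) the supplicant sent with its leaf (empty = leaf only).
# Prints OK when the chain builds to a trusted self-signed root, else FAIL.
verify_client() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/client.pem" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$WORK/client.pem" >/dev/null 2>&1 \
      && echo OK || echo FAIL
  fi
}

echo "store: root only        / client sends: leaf only         -> $(verify_client "$WORK/root.pem" "")"            # FAIL
echo "store: root only        / client sends: leaf+intermediate -> $(verify_client "$WORK/root.pem" "$WORK/int.pem")"  # OK
echo "store: root+intermediate/ client sends: leaf only         -> $(verify_client "$WORK/root_and_int.pem" "")"    # OK
echo "store: intermediate only/ client sends: leaf only         -> $(verify_client "$WORK/int.pem" "")"             # FAIL
```

The first line is the situation the reply describes: the root is trusted, but the supplicant sends only its leaf and the intermediate is nowhere to be found, so the handshake fails on the server side with a chain-building error. Either the supplicant sends the intermediate (line two) or the intermediate is imported into the trust store (line three). The last line shows that trusting the intermediate alone is not enough either: openssl, like ISE, wants the chain to terminate at a trusted root.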

Cisco Employee

Today I ran into this error in our alpha deployment. In my case, the PSN system certificate used to sign the configuration profile on my Apple iDevice had expired. I removed the profile and redid the BYOD flow to get my device back online.
