the client rejected the ISE local-certificate

dijix1990 (VIP)

Some of my clients started to get an error when they try to connect to Wi-Fi with 802.1X. On ISE I can see a log with this error (on the phone I set CA Certificate to "Don't validate"):

Event	5400 Authentication failed
Failure Reason	12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

We don't use any certificates in our Wi-Fi environment.

13 Replies

marce1000 (VIP)

FYI: https://community.cisco.com/t5/network-access-control/12321-peap-failed-ssl-tls-handshake-because-the-client-rejected/m-p/3567819#M497093

M.

I saw it. It's the note for domain devices. My devices (a thousand different phones) aren't part of the domain, and if I set RADIUS NPS instead of ISE on my WLC, it starts to work.

Is the ISE cert signed by a public CA, or do you use the PAN as the CA?
MHM

hslai (Cisco Employee)

@dijix1990 Adding to what the others said... Since it works OK with NPS, you could try exporting the server certificate and the private key from NPS and importing the key-pair into ISE as the EAP server certificate. Or use the same CA as that for NPS to issue the EAP server certificate for ISE. If you are not sure what it is, take packet captures to check.

ISE has these certificates (for EAP):

[screenshot attached: dijix1990_0-1703817462475.png]

But I can't upload a root certificate to devices that are not in the domain.

If the issue is the same as that issue, then ISE is the CA, and you need to add the ISE CA cert to each client.
MHM

This is not possible; it's a guest network. Without ISE everything works perfectly.

So the issue is the same as that issue?
MHM

I found that the problem is only for the Samsung A51.

hslai (Cisco Employee)

@dijix1990 Recent Android releases usually need the certificate chain to already be trusted by the client OS before allowing EAP authentications. You may either use ISE dual-SSID BYOD to install the certificate chain or manually import it onto the client devices.

Note that on ISE, we may use a different certificate for EAP and leave what you have for the other usages. This EAP server certificate does not have to match the DNS domain of the ISE node. Alternatively, you may remove one of your ISE PSNs, reassign its DNS domain, import the certificate pair, and then retest. If that tested fine, then you may re-register it back to your ISE deployment.
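The check that the Android supplicant performs here, reproduced as an added example (this is not code from the thread, from Cisco, or from ISE): a throwaway CA signs a stand-in EAP server certificate, and `openssl verify` is run against a trust store that contains the issuing CA and against one that does not. The names "Demo Root CA", "Other Root CA" and "ise-eap.example.test" are made up for the demo; on a real deployment you would point `chain_trusted` at the certificate exported from the ISE EAP usage and at the CA bundle the client actually trusts.

```shell
#!/bin/sh
# Added example, not from the thread: model the trust decision a supplicant
# makes on the EAP server certificate during the PEAP TLS handshake.
# Every name below is constructed for the demo.

# Build a small demo PKI in DIR: one root that signs the EAP server cert,
# plus an unrelated second root to model a client that trusts some CA,
# just not the one behind the ISE certificate.
make_demo_pki() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Other Root CA" \
    -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1 || return 1
  # Stand-in for the ISE EAP server certificate (constructed name).
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ise-eap.example.test" \
    -keyout "$dir/eap.key" -out "$dir/eap.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 30 -in "$dir/eap.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/eap.crt" >/dev/null 2>&1
}

# Exit 0 when CERT ($1) chains to a root in BUNDLE ($2), non-zero otherwise.
# A non-zero result is what the phone turns into "rejected the ISE
# local-certificate" on the ISE side.
chain_trusted() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the issuer of CERT: this is the CA the clients have to trust.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# Stand-alone demo run.
tmp=$(mktemp -d)
make_demo_pki "$tmp"
printf 'EAP cert %s\n' "$(cert_issuer "$tmp/eap.crt")"
if chain_trusted "$tmp/eap.crt" "$tmp/ca.crt"; then
  echo "trust store contains the issuing CA: handshake would succeed"
fi
if ! chain_trusted "$tmp/eap.crt" "$tmp/other.crt"; then
  echo "trust store lacks the issuing CA: client rejects the certificate"
fi
rm -rf "$tmp"
```

The second check is the situation in this thread: the guest phones carry no copy of the CA that signed the ISE EAP certificate, so the handshake fails before any credentials are sent. Having the EAP certificate issued by a CA the phones already ship with removes the need to push a root to devices you do not manage.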

We configured RADIUS NPS directly on the WLC, without ISE, and it works better. On guest phones I can't install a cert chain.

(Accepted solution) @dijix1990 You should look at the other alternatives provided. Or you may get a well-known CA to sign the EAP server certificate for ISE.

Yes, I know it, but we decided to use ISE only for domain devices.