Wireless EAP-TLS authentication with Cisco ISE and WLC

Enkhbayar Bold
Level 1

Hi all

 

We are creating a wireless network on Cisco WLC 5520-8.10.162.0 with Enterprise security. Authentication will be processed on Cisco ISE 3.2. The endpoint client is a regular Windows 10 tablet.

 

We created the SSID and chose all the configs, and that was done successfully.

We created a certificate chain: RootCA, IntermediateCA, and client cert...

The RootCA and Intermediate certificates are installed on ISE: the Root certificate is installed under Trusted Certificates, the intermediate certificate is installed under System Certificates, and the role chosen is "EAP-TLS".

Our main goal is to only provide client certificates to the end users, and devices with the client certificate installed need to join the wireless network. When we install the client certificate only in the Personal certificate store, it does not work. When we install the RootCA in the Trusted Root store and the IntermediateCA in the Intermediate Certification Authorities store, clients start authenticating.

 

What is the certificate requirement for the client in our case?

1 Accepted Solution

Arne Bier
VIP

Your client has been configured specifically to check the RADIUS EAP certificate. If the client does not have the CA cert chain that signed the ISE EAP Certificate, then the client will abort the TLS communications (you will see this clearly in the ISE Live Logs).

If you decided to change the client config to not care about this trust (bad idea!!) then you don't need to install the CA cert chain on the client.
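
The trust check described in the answer above can be reproduced on the Windows client with the script below. It is an added example, not part of the original thread; it assumes the ISE EAP certificate has been exported to a file, and the path shown is a placeholder.

```powershell
# Added example (not from the thread): run on the Windows 10 client.
# Assumption: the ISE EAP certificate was exported to this placeholder path.
param(
    [string]$IseEapCertPath = 'C:\Temp\ise-eap.cer'   # hypothetical path
)

$fullPath = (Resolve-Path -LiteralPath $IseEapCertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath

# Build the chain a validating client needs: server cert -> intermediate CA -> root CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Only test whether a trusted path exists; revocation checking is out of scope here.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)

# Report each certificate in the built chain and which local CA stores hold it.
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $stores = foreach ($loc in 'LocalMachine', 'CurrentUser') {
        foreach ($name in 'Root', 'CA') {
            if (Test-Path "Cert:\$loc\$name\$($c.Thumbprint)") { "$loc\$name" }
        }
    }
    [pscustomobject]@{
        Subject = $c.Subject
        Issuer  = $c.Issuer
        FoundIn = if ($stores) { $stores -join ', ' } else { '(not in Root/CA stores)' }
    }
}

if ($trusted) {
    'Chain builds to a trusted root: the client can validate the ISE EAP certificate.'
} else {
    # UntrustedRoot or PartialChain means a CA certificate is missing on the client.
    foreach ($s in $chain.ChainStatus) {
        '{0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
    }
}
```

The server certificate itself is expected to show as not present in the Root/CA stores; only the CA certificates above it need to be there.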
