cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4760
Views
5
Helpful
5
Replies

Wireless ISE - 12508 EAP-TLS handshake failed

owen-parsons
Beginner
Beginner

Hi guys,

I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication.  In short, all EAP-TLS authentication is failing with the following error.  Below that is the relevant excerpt from the logs:

Authentication failed : 12508 EAP-TLS handshake failed

OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown  message digest algorithm:a_verify.c:146:,

Setup:

- Single standalone ISE 3355 appliance

- Two tier MS enterprise PKI (outside of my direct control)

- WLC 5508

- Windows 7 laptop\

- The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.

- The test laptop has both the root and intermediate CA server certificates installed  (individually, not chained) and has an identity certificate from the  intermediate CA.

Now, I'm pretty new to certs so I'm sure I'm missing something simple here.  One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that.  Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?

This is what TAC came back with, but none of the workarounds helped

Symptom:

========

EAP-TLS auth handshake  failing with X509 decrypt error. The error presented to the ISE  administrator is "12508: EAP-TLS handshake failed"

Conditions:

=========

EAP-TLS certificate based authentications ISE 1.1.2.145

Workaround:

===========

1) Reboot or restart ISE  application service 2) Recreate CAP (Certificate Authentication Profile)  3) Toggle between ID sequence and single ID source

5 Replies 5

Amjad Abdullah
Engager
Engager

Owen:

ISE is not my game. However, I am trying to help on this.

You need to use SHA256. Even if it found to be not the root cause, SHA256 is much more secure than SHA1.

Also, why don't you use chained certificate? I doubt if using both the root and intermediate certificates individually will work.

one more concern: have you used OpenSSL to convert the cert format? If yes, what version of OpenSSL have you used?

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"

Hi Amjad,

Thanks for the response.  I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.

Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year).  On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.

The certificate format has not been modified in any way.  The server and identity certs have been pushed out to the clients via GPO. Tthe root and intermediate certs were exported in DER format directly from each the respective CAs and imported directly in to the ISE

Cheers,

Owen

Hi Owen,

Thank you for the clarification. As I said I am not an ISE guy but I am trying to help so sorry if I missed anything.

Is there any detailed log in ISE for the authentication process?

In ACS 5.x there is such detailed step-by-step auth process. Is there something similar in ISE? That could direct us to where the problem could be. (so far I believe it is something with the cert).

Regards,

Rating useful replies is more useful than saying "Thank you"

Rating useful replies is more useful than saying "Thank you"

owen-parsons
Beginner
Beginner

I definitely agree that it is a certificate error, given the X509 decrypt error message.

There is a detailed log for the auth process, but unfortunately I don't have access to it right now. However, the log entry that I originally posted is what links to the failure point in the authentication sequence, which is after the ACCESS-CHALLENGE

As an aside, disabling 'validate server certificates' on the client side doesn't have any effect

Sent from Cisco Technical Support iPhone App

harvisin
Participant
Participant

Hello Owen,

As per my knowlwege you need to go for SHA256 an you need to import the CA server certificates into the ISE individually On the client side

Then server and identity certs needs pushed out to the client ,after that root and intermediate certs needs to be exported in DER format directly from each the respective CAs and then imported directly into the ISE

You also need to check the certificates as  if their internal information matches at both the ends as in CN, OU and other required details along with the encryption algorithms.

I hope this may solve your query.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers