03-22-2013 07:26 PM - edited 03-10-2019 08:13 PM
Hi guys,
I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication. In short, all EAP-TLS authentication is failing with the following error. Below that is the relevant excerpt from the logs:
Authentication failed : 12508 EAP-TLS handshake failed
OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error - certificate signature failure", OpenSSLErrorStack= 597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146:,
Setup:
- Single standalone ISE 3355 appliance
- Two tier MS enterprise PKI (outside of my direct control)
- WLC 5508
- Windows 7 laptop
- The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
- The test laptop has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
Now, I'm pretty new to certs so I'm sure I'm missing something simple here. One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that. Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
This is what TAC came back with, but none of the workarounds helped
Symptom:
========
EAP-TLS auth handshake failing with X509 decrypt error. The error presented to the ISE administrator is "12508: EAP-TLS handshake failed"
Conditions:
=========
EAP-TLS certificate based authentications ISE 1.1.2.145
Workaround:
===========
1) Reboot or restart ISE application service
2) Recreate CAP (Certificate Authentication Profile)
3) Toggle between ID sequence and single ID source
03-22-2013 10:54 PM
Owen:
ISE is not my game. However, I am trying to help on this.
You need to use SHA256. Even if it is found not to be the root cause, SHA256 is much more secure than SHA1.
Also, why don't you use a chained certificate? I doubt that using both the root and intermediate certificates individually will work.
One more concern: have you used OpenSSL to convert the cert format? If yes, what version of OpenSSL have you used?
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you"
03-22-2013 11:36 PM
Hi Amjad,
Thanks for the response. I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year). On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
The certificate format has not been modified in any way. The server and identity certs have been pushed out to the clients via GPO. The root and intermediate certs were exported in DER format directly from each of the respective CAs and imported directly into the ISE.
Cheers,
Owen
03-23-2013 12:10 AM
Hi Owen,
Thank you for the clarification. As I said I am not an ISE guy but I am trying to help so sorry if I missed anything.
Is there any detailed log in ISE for the authentication process?
In ACS 5.x there is a detailed step-by-step auth process. Is there something similar in ISE? That could direct us to where the problem could be (so far I believe it is something with the cert).
Regards,
Rating useful replies is more useful than saying "Thank you"
03-23-2013 12:30 AM
I definitely agree that it is a certificate error, given the X509 decrypt error message.
There is a detailed log for the auth process, but unfortunately I don't have access to it right now. However, the log entry that I originally posted is what links to the failure point in the authentication sequence, which is after the ACCESS-CHALLENGE.
As an aside, disabling 'validate server certificates' on the client side doesn't have any effect.
Sent from Cisco Technical Support iPhone App
04-05-2013 09:27 PM
Hello Owen,
As per my knowledge you need to go for SHA256 and you need to import the CA server certificates into the ISE individually. On the client side,
the server and identity certs need to be pushed out to the client; after that the root and intermediate certs need to be exported in DER format directly from each of the respective CAs and then imported directly into the ISE.
You also need to check whether the certificates' internal information matches at both ends, as in CN, OU and other required details, along with the encryption algorithms.
I hope this may solve your query.