185 Views | 1 Helpful | 6 Replies

ISE Internal CA issued EAP-TLS auth fails after renewing EAP Auth cert

MMR16

Recently we renewed the public CA certificate from Entrust to DigiCert for the ISE system EAP Authentication, and since then, devices have been failing to authenticate via EAP-TLS. These devices obtain endpoint certificates through the BYOD portal. This is happening for EAP-TLS auth only, for those devices that got an endpoint cert from the ISE internal CA via the BYOD onboarding portal, not for PEAP-MSCHAPv2. We use the ISE system EAP Authentication cert only for the Auth purpose; there is another wildcard DigiCert cert for Admin/portal/RADIUS DTLS that we renewed last week. Before, it was issued from Entrust; this year we changed to DigiCert. That is working perfectly. But this week when we changed the EAP Auth cert, the problem started at the same time, right after renewing the CA cert.

I had a look at the cert pack issued by ISE and saw it is pushing all ISE internal CA chains plus Entrust Root CA-G2. I think Root CA-G2 is causing the issue. As soon as we changed to DigiCert, endpoints started failing, as they don't have the DigiCert chain in their store.

All failures are showing this log: 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate.

Please help me get rid of this issue. We have hundreds of iPad devices online this way; it is a huge impact on business. We had to roll back to Entrust, which has just under 3 weeks to expiry.

1 Accepted Solution

Is the CA chain known by the user?

MHM


6 Replies

Is the CA chain known by the user?

MHM

The CA chain must be known by the user, as it was issued from the ISE internal CA and was working as usual. After the rollback, it started working again. The question is then what is causing the issue after the EAP Auth cert renewal to DigiCert.

The clients need to trust the certificate issuer of the certificate that ISE presents for EAP authentication. By default the endpoints would trust any of the large certificate providers; however, the issue in your case could be caused by the supplicant profile configuration that was pushed to the endpoints. For instance, if the profile pushed via GPO has the Entrust certificate selected from the Trusted Root Certification Authorities to be trusted, then you would need to adjust that profile by selecting the DigiCert certificate.

Hi Aref,

Thanks for replying. We don't manage those devices; they are BYOD, onboarding via the BYOD portal. Client provisioning policies push a native supplicant profile where we push the Wi-Fi profile and the ISE internal cert template, not any EAP Auth cert.

What settings do you push in the Wi-Fi profile?

Just the SSID name, WPA2, allowed protocol as TLS, and the ISE internal CA cert template.
