03-06-2017 01:27 AM
Hi guys,
I had a Cisco ISE 2.0.0.306.
I configured authentication on wired and wireless. Wired authentication works exactly; however, wireless authentication gave the following problem:
Failure Reason: 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
Resolution: Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
Root cause: PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
I have attached a screenshot of the error; please take a look at it.
Note: I have run a new version of Cisco ISE (2.2.0.470) and it works exactly.
Both ISEs have the same configuration.
I have changed the ISE certificates, but it still doesn't work.
Can you tell me whether this is a bug in this version?
Please help me.
Thanks a lot
03-06-2017 09:51 AM
99% of the time this is because the endpoint does not trust the certificate provided by ISE. This is because you are
1) using a self-signed certificate or
2) the endpoint does not trust one of the signers in the certificate chain
Either you are not using a public CA to sign the ISE certificate or the wireless endpoint does not have your enterprise CA certificate installed in its trust store.
I recommend asking questions about ISE in the Identity Services Engine (ISE) group unless you are asking about APIs which is more appropriate for DevNet.
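The trust decision described in this reply can be reproduced offline with OpenSSL. This is an added example, not part of the original thread and not Cisco tooling; the CA and host names are constructed, and `server.pem` stands in for the certificate ISE presents for EAP.

```shell
#!/usr/bin/env bash
# Constructed lab PKI; every name here is made up for this example.
# server.pem stands in for the certificate ISE presents for EAP.
set -eu
LAB=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$LAB/ca.ext"

# new_key_and_csr NAME SUBJECT -> writes NAME.key and NAME.csr in $LAB
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
}

# Enterprise root CA (self-signed, marked as a CA).
new_key_and_csr root "/CN=Example Enterprise Root CA"
openssl x509 -req -in "$LAB/root.csr" -signkey "$LAB/root.key" -days 2 \
  -extfile "$LAB/ca.ext" -out "$LAB/root.pem" 2>/dev/null
# Issuing (intermediate) CA signed by the root.
new_key_and_csr issuing "/CN=Example Issuing CA"
openssl x509 -req -in "$LAB/issuing.csr" -CA "$LAB/root.pem" -CAkey "$LAB/root.key" \
  -CAcreateserial -days 2 -extfile "$LAB/ca.ext" -out "$LAB/issuing.pem" 2>/dev/null
# Server certificate signed by the issuing CA.
new_key_and_csr server "/CN=ise.example.test"
openssl x509 -req -in "$LAB/server.csr" -CA "$LAB/issuing.pem" -CAkey "$LAB/issuing.key" \
  -CAcreateserial -days 2 -out "$LAB/server.pem" 2>/dev/null
# Self-signed server certificate: case 1 in the reply.
new_key_and_csr selfsigned "/CN=ise-selfsigned.example.test"
openssl x509 -req -in "$LAB/selfsigned.csr" -signkey "$LAB/selfsigned.key" -days 2 \
  -out "$LAB/selfsigned.pem" 2>/dev/null

# chain_trusted TRUST_STORE CERT [INTERMEDIATES_SENT_BY_SERVER]
# Prints "trusted" or "rejected", mirroring the client's accept/reject decision.
chain_trusted() {
  if openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
  then echo trusted; else echo rejected; fi
}

# The client trust store holds only the enterprise root in all three cases.
echo "full chain presented:        $(chain_trusted "$LAB/root.pem" "$LAB/server.pem" "$LAB/issuing.pem")"
echo "intermediate not available:  $(chain_trusted "$LAB/root.pem" "$LAB/server.pem")"
echo "self-signed server cert:     $(chain_trusted "$LAB/root.pem" "$LAB/selfsigned.pem")"
```

To check a real deployment the same way, pass the exported ISE EAP certificate and the CA certificates actually installed on the wireless client instead of the constructed files.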
03-06-2017 09:40 PM
Hi dear Thomas
I've checked the certificate; the ISE certificate is signed by my domain.
I've imported the root CA of the domain on the client as a trusted certificate.
Note: I have another ISE (2.2) with the same config; it works fine without any problem, but I have the issue in this version.
I asked this question on Identity services engine (ISE) now. https://communities.cisco.com/message/248335#248335
Thanks a lot for your answer.