cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

9331
Views
0
Helpful
4
Replies
Beginner

ACS 5.2 - EAP-TLS fail with 'unknown CA in chain' after cert update post cert expirey

Appologies for long post

We had a working ACS 5.2 EAP-TLS set up, with installed ACS server cert and CA chain - this worked ok for over a year no problem, auth'ing network access for WiFi clients

Then: -

  • The 'server' cert on ACS (signed by intermediate CA) expired
  • Intermediate CA cert expired

To remedy we: -

  • On ACS deleted both the local 'server' cert and the intermediate CA cert (under ACS cert authorities)

  • On the (MS) Intermediate CA, a new valid cert was installed from the Root CA

  • Exported new valid Intermediate CA cert which was then loaded on ACS under ACS cert authorities - ACS displayed details for cert and looks correct (i.e. reflects chain, the new expiry date and "Trust for client with EAP-TLS" is checked)

  • Used ACS CSR to generate a signing request, then used CSR on Intermediate CA - resulting signed DER server cert obtained ok

  • Used ACS bind (to the outstanding ACS CSR) for the new DER server cert - selected managment and EAP functions for this cert. ACS restarted.

  • Looking at the ACS https managment cert details from browser, all looks normal now and chain dispalyed as expected

  • The WiFi clients using EAP-TLS have had new machine certs issued and installed from the Intermediate CA (post its cert being updated)

Problem: -

Since the above the WiFi clients have not been able to get network access using EAP-TLS

The ACS failure is

Failure Reason :

12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

and debug shows

OpenSSLErrorMessage=SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally"

OpenSSLErrorStack=  3059174304:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2664:

Have double checked the certs on the ACS and all looks ok - as before but with date valid certs

Have double checked the cert chain on the ACS (under ACS cert authorities) and looks ok, it shows the two cert step to the root CA all with valid dates, which has following structure

     CA

      ----- Intermediate CA

               ----- ACS local 'server' cert

               ----- WiFi client certs

Questions: -

Is there an ACS debug that will actually show me the CA that is assocaited with the cert recieved from the EAP--TLS client ?

i.e. I want to see what CA the ACS is trying to locate and having issues with, to see if problem is client side or ACS side

Failing that any debug which can give me something more to go on ?

- debug radius and EAP on the ACS only yields the above failue info

Is there some gotcha with this scenario ?

i.e. replacing expired certs on ACS 5.2

Thanks

Everyone's tags (4)
4 REPLIES 4

ACS 5.2 - EAP-TLS fail with 'unknown CA in chain' after cert upd

Hello,

I suggest you to collect a sniffer trace for the EAP-TLS hanshake in order to see what certificate is sent by client (the best way is to do it on the client machine, then the very first packets sent on the network are EAP-TLS).

Thanks,

Sergey Emantayev

Highlighted
Beginner

ACS 5.2 - EAP-TLS fail with 'unknown CA in chain' after cert upd

How did you get to that debug file, or run that debug program? I was only able to get the debug files from the support bundle page and didn't find where the OpenSSL debugs were in any of the extractions.

ACS 5.2 - EAP-TLS fail with 'unknown CA in chain' after cert upd

You can see the failed authentication details (including SSL alert) in M&R: open 'Monitoring and Reporting', then go to Reports > Catalog > AAA protocol > RADIUS authentication.

Hi sez.sharp!    I want to

Hi sez.sharp!

    I want to know if you had a chance to figure out what was causing the issue, have you fix it? I am currently passing at same issue...

 

Thanks in advance!