Validating Server Certificate with PEAP and Cisco Wireless Phone

Nicholas Copeland · ‎08-30-2013

So hopefully someone can help me out here. I am trying to migrate wireless phones from ACS to ISE. Currently they are connecting using PEAP and validating the server certificate through ACS. Both ACS and ISE have certificates assigned from the same CA server and the phone has the root cert installed of the CA. When I change the radius server to ISE instead of ACS the phone fails to validate the server certificate. If I use PEAP and don't validate the server certificate it works fine. It also works if I use EAP-FAST instea of PEAP.

A side note is if I validate the server certificate using PEAP on a workstation with the same root cert installed it will connect through ISE. Just not the wireless phone. The phone models I am testing with are the 7925's and the 7921's. The time is the same on both the phones and the server.

Anyone else run into this or have any thoughts?

Muhammad Munir · ‎09-02-2013

Hi

Please go the following link this will help you definitely.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_ug.pdf

at page no.429-440.

Nicholas Copeland · ‎09-03-2013

Muhammed,

Thanks for the link. Unfortunately it doesn't pertain to the issue I am having and is more with the layout and simple authentication pieces. I am not sure my issue is actually with the ISE appliance and not more of an issue with the phone not accepting the certificate chain of the ISE server. Authentication works just fine if I don't validate the server certificate. If I try to validate the server certificate the phone rejects the ISE cert even though the root CA is loaded on the phone. But it appears the phone isn't taking the entire certificate chain as I am unable to load one of the intermediate CA's certificate into the phone. Opening a TAC case to see if they can assist or explain why the phone won't take the entire certificate chain.