
7921/7925- EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-cert


Hello,

I had recently come across a scenario where Cisco wireless 7921G and 7925G handsets were rejecting ISE's certificate. I had set up the phones for EAP-TLS using MIC. I had uploaded Cisco's Root CA and Manufacturing CA Certificates and enabled "Trust for client authentication". A Certificate Profile was configured matching Common Name and is added to the Identity Sequence. The strange part was that Cisco wired handsets (7942, 7945 and 7965) were working with identical configuration.

What I had discovered was that even though the phone is set to not Validate Server Certificate, it still was rejecting the EAP certificate signed by the local root CA. The issue was remediated by exporting the root CA certificate in DER format, accessing the Web Access webpage (Full Access Mode) and importing the root CA certificate to the handsets.

Hopefully this document saves someone a TAC call and some head scratching.

Kyle
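As an added example (not part of Kyle's post and not a Cisco or ISE tool), a small Python helper for the DER export step: it converts the root CA PEM to DER, checks the outer ASN.1 header so a truncated or mangled export is caught before it is uploaded to the handset, and returns the fingerprint to compare against what ISE's trust store shows. The embedded PEM is a constructed placeholder (a minimal DER SEQUENCE), not a real certificate.

```python
import base64
import hashlib
import re

# Constructed placeholder PEM: DER SEQUENCE { INTEGER 1 }, NOT a real certificate,
# so the example runs offline. In practice, paste the root CA PEM exported from ISE.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body into DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(m.group(1).split())  # drop line breaks before decoding
    return base64.b64decode(body, validate=True)

def check_der_certificate(der: bytes) -> int:
    """Validate the outer SEQUENCE tag and that its declared length matches the
    bytes present; returns the declared content length. A mismatch is the usual
    sign of a truncated or copy-paste-damaged export."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE tag")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    if hdr + length != len(der):
        raise ValueError(f"DER length mismatch: header says {length}, have {len(der) - hdr}")
    return length

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase fingerprint, as ISE and most device UIs show it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def export_for_handset(pem: str, path: str = "") -> dict:
    """Convert to DER, sanity-check it, optionally write the .cer file, and
    return the values to compare after the handset import."""
    der = pem_to_der(pem)
    content_len = check_der_certificate(der)
    if path:
        with open(path, "wb") as f:
            f.write(der)
    return {"der": der, "content_length": content_len, "sha256": fingerprint(der)}
```

Call `export_for_handset(SAMPLE_PEM, "rootca.cer")` to write the DER file the handset's web page accepts, then compare the returned fingerprint with the one shown in ISE under the trusted certificate.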

Comments

Hello

I am facing the same setup with 7925G phones.

I have solved the certificate in the 7925 but I have problems with the ISE config.

How did you set up the Authentication and Authorization Policy in the ISE to get it to work?

//Per