kylerossd
Level 4

Hello,

I had recently come across a scenario where Cisco wireless 7921G and 7925G handsets were rejecting ISE's certificate. I had set up the phones for EAP-TLS using MIC. I had uploaded Cisco's Root CA and Manufacturing CA Certificates and enabled "Trust for client authentication". A Certificate Profile was configured matching Common Name and is added to the Identity Sequence. The strange part was that Cisco wired handsets (7942, 7945 and 7965) were working with identical configuration.

What I had discovered was that even though the phone is set to not Validate Server Certificate it still was, rejecting the EAP certificate signed by the local root CA. The issue was remediated by exporting the root CA certificate in DER format, accessing the Web Access webpage (Full Access Mode) and importing the root CA certificate to the handsets.

Hopefully this document saves someone a TAC call and some head scratching.

Kyle

Comments
Per Johansson
Level 1

Hello

I am facing the same setup with 7925G phones.

I have solved the certificate in the 7925 but I have problems with the ISE config.

How did you set up the authentication and authorization policy in ISE to get it to work?

//Per

 
