Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
757
Views
0
Helpful
5
Replies

Renewal Certificate ISE

dungtran.90
Level 1
Level 1

‎08-22-2019 09:39 PM - edited ‎07-05-2021 10:53 AM

Dear All

 

I have a case below:

 

I have an ISE node. EAP certificate is expired so I renewal it and received the certificate from Zone which is using normal for other sites ( Europe, India, America..) But in Vietnam, we met the issue as the picture below. We change the EAP certificate from Comodo to Sectigo. Import successfully to ISE, a client can connect now, but it does not automatically connect anymore, every time we move to another AP we need to click connect twice.

 

One.JPG

 

Could you please help or support?

Thanks

DungTran

Labels:
0 Helpful
5 Replies 5

patoberli
VIP Alumni
VIP Alumni

‎08-23-2019 05:54 AM

Do you have more than one Radius server configured? If yes, do both use the same root certificate / issuer of the certificate?
If not, then this is the normal behavior.
Make sure that the certificate shown to the client is actually the correct one and not a Man in the Middle attack with a rogue access point.
0 Helpful

pieterh
VIP
VIP
In response to patoberli

‎08-23-2019 07:13 AM

"show certificate details" may guide you to the root cause

possibilities:

- the host-name does not match the name in the certificate

  this would be immediately shown 

- when using multiple ISE servers , you may need to configure SAN names in the certificate
  certificate details -> alternate names

- you may have imported a certificate with incorrect certification-chaining

   certificate details -> certification path

0 Helpful

ammahend
VIP
VIP

‎08-24-2019 03:46 PM

Some additional basic checks ... 

verify Sectigo root cert chain in present on client.

On ISE end I am sure you check Sectigo root cert to be used for client authentication.

-hope this helps-
0 Helpful

dungtran.90
Level 1
Level 1
In response to ammahend

‎08-25-2019 09:36 PM

Dear Ammahend
Root cert already verified by Zone.
So in the ISE end, i need to enable: Trust for client authentication and Syslog ?
Thanks
DungTran
0 Helpful

ammahend
VIP
VIP
In response to dungtran.90

‎08-25-2019 10:37 PM

yes If you are using this certificate for client EAP auth. 

-hope this helps-
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card