9120 AP connecting to Dot1X switch

Genesis IT
Level 1

Hi all, I've got a new greenfield site that I'm building up and it's one of the first sites that we're using 9120 APs. Our WLC is running version 8.10.130.0 and the APs connect fine, but they're not connecting to the switch with the Dot1X credentials I have configured on the controller. What's odd is on ISE, I get the error "12851 Received unexpected EAP NAK message. Client rejected the conversation". We're using PEAP/MSCHAPv2 for our EAP, but from what I can see it's almost like the AP is rejecting the EAP certificate being sent from ISE (which is a DigiCert signed certificate). Do I need to import the DigiCert root CA to the controller so these APs trust that cert? If so, which upload option do I use?

 

Sorry, this is the first time seeing this issue with APs running dot1x, usually I don't have any issues (with my WLCs running 8.5.151.0 code (due to running 3602s)).

 

Thanks in advance!

2 Replies

marce1000
Hall of Fame

> Do I need to import the DigiCert root CA to the controller so these APs trust that cert

From the below thread that seems affirmative.

https://community.cisco.com/t5/network-access-control/12851-received-unexptected-eap-nak-hp-laserjet/m-p/3334194/highlight/true

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Genesis IT
Level 1

Thanks for the reply M - I saw that post as well but am still a bit confused as to how to get it to work. I installed my root CA as an IPSEC CA, but it uses an intermediate cert as well so I'm confused on how I need to get that uploaded.
