01-12-2024 09:45 AM
I have successfully enabled PIV authentication for CLI via ISE. However, web does not work; it gives me an OpenResty error after entering my PIN. Background - I am with DOI and obtained a certificate for the WLC from the DOI CA. Our PIV cards are provided by ENTRUST. I use the Entrust trust point for CLI.
This allows me to use CLI PIV -
crypto pki trustpoint ENTRUST_MG_SVC_SSP_CA
enrollment terminal
authorization username alt-subjectname userprincipalname
revocation-check none
crypto pki authenticate ENTRUST_MG_SVC_SSP_CA
Insert Certificate HERE
ip ssh server certificate profile
user
trustpoint verify ENTRUST_MG_SVC_SSP_CA
ip http secure-trustpoint (WLC trustpoint)
ip http secure-client-auth
ip http secure-peer-verify-trustpoint (WLC trustpoint) - I've tried using ENTRUST_MG_SVC_SSP_CA as well.
ip http secure-piv-based-auth secure-piv-based-author-only
TAC has been working on this for a few months with no resolution yet. Any suggestions? I've tried 17.3, 17.4, 17.12.1, 17.12.2 with no changes.
04-26-2024 10:28 AM
Yeah, login isn't making it to ISE for me either. I've debugged ip http, aaa authen, show logging process nginx internal start last 60, etc. It seems to be some kind of nginx error. I also got DOI to give me a soft token to see if that made a difference vs my PIV card. No change.
04-26-2024 10:28 AM
Currently running 17.12.3
06-12-2024 10:25 AM
Try this:
For the trustpoint having the Root CA of the client cert add the following:
crypto pki trustpoint PIV-Root-CA
authorization username subjectname commonname
Then make sure that trustpoint is the one for PIV verification:
ip http secure-peer-verify-trustpoint PIV-Root-CA
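The two replies above differ in which certificate field becomes the username sent to ISE: `alt-subjectname userprincipalname` reads the Microsoft UPN otherName from the Subject Alternative Name, while `subjectname commonname` reads the CN from the subject DN. The following is an added example, not code from either poster or from Cisco, that pulls both values out of DER with no external libraries so you can check what a given PIV certificate would actually yield; the OIDs are real, the certificate fields and identities are constructed placeholders.

```python
# Added example: which identity strings the IOS-XE "authorization username"
# options read out of a PIV certificate, parsed with a minimal DER walker.
# OIDs are real; the certificate fields below are constructed samples.

UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 (MS UPN otherName)
CN_OID = bytes.fromhex("550403")                 # 2.5.4.3 (commonName)

def der_iter(data):
    """Yield (tag, value) for each TLV in data; handles long-form lengths."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                                  # long form: N length bytes follow
            n, ln = ln & 0x7F, 0
            for _ in range(n):
                ln, i = (ln << 8) | data[i], i + 1
        yield tag, data[i:i + ln]
        i += ln

def subject_cn(name_der):
    """What 'authorization username subjectname commonname' sends to ISE."""
    _, rdns = next(der_iter(name_der))                 # Name ::= SEQUENCE OF RDN
    for _, rdn in der_iter(rdns):                      # RDN ::= SET OF AttributeTypeAndValue
        for _, atv in der_iter(rdn):
            (_, oid), (_, val) = der_iter(atv)
            if oid == CN_OID:
                return val.decode()
    return None

def san_upn(san_der):
    """What 'authorization username alt-subjectname userprincipalname' sends to ISE."""
    _, names = next(der_iter(san_der))                 # SubjectAltName ::= SEQUENCE OF GeneralName
    for tag, gn in der_iter(names):
        if tag != 0xA0:                                # otherName is context tag [0]
            continue
        (_, oid), (_, explicit) = der_iter(gn)         # type-id OID, then [0] EXPLICIT value
        if oid == UPN_OID:
            _, utf8 = next(der_iter(explicit))         # UPN value is a UTF8String
            return utf8.decode()
    return None                                        # no UPN: the WLC has nothing to send

def tlv(tag, body):
    """Short-form DER encoder, sufficient for the constructed sample below."""
    return bytes([tag, len(body)]) + body

# Constructed sample fields (placeholder identities, not real PIV data).
SAMPLE_NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, b"DOE.JANE.1234567890"))))
SAMPLE_SAN = tlv(0x30, tlv(0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, b"1234567890123456@agency.gov")))
             + tlv(0x81, b"jane.doe@agency.gov"))    # rfc822Name, ignored by both options
```

To check a real card, feed `subject_cn` the DER of the certificate's subject Name and `san_upn` the DER value of its subjectAltName extension; if `san_upn` returns None, the UPN-based option cannot produce a username and the commonname option is the one to use.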
06-12-2024 12:07 PM
Sadly, same OpenResty error.