02-20-2018 01:00 AM - edited 07-05-2021 08:16 AM
Hello experts,
I configured my guest access to use the PAP_ASCII authentication protocol (webauth), but the client still fails with this error:
12703 Failed to negotiate EAP because LEAP not allowed in the Allowed Protocols
or
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
What could be the issue? Why is the client trying to use the ISE cert... or a different protocol?
Here are my policies on ISE:
Authentication:
Authorization:
Thanks in advance
Update: it's working on mobile devices but failing on external company notebooks!!!!
02-20-2018 01:50 AM
Hi
The ISE config is missing from your response.
However, as per the description, you might be using a certificate on the guest portal to validate clients?
The problem with certificates is that you need to install them somehow on the endpoint. Otherwise clients won't be able to join your network. Doing this on external endpoints is complicated.
Usually people use some sort of enrollment on the guest portal to make it easier.
-If I helped you somehow, please, rate it as useful.-
02-20-2018 01:55 AM
A certificate on the guest portal to validate clients!!!!! I don't understand correctly. Why do we need it?
I know that only an SSL cert is required, else it will give the security warning!!!!!
I am using Local Webauth (username/password) on the Cisco WLC with the help of the ISE sponsor portal.
What do you need from my side from ISE... I can give more info...
02-20-2018 02:23 AM
I am not ISE expert although I'd like to be.
But the bottom line is not difficult. You probably already have the basics, which is an SSID with web auth as layer 3 security redirecting to the ISE.
On the ISE side you need to create an authorization policy to handle guest auth requests and apply the ACL accordingly.
Below is a detailed guide on how to do this. I recommend you go through each step while comparing it with your configuration and see where your config is wrong.
-If I helped you somehow, please, rate it as useful.-
02-20-2018 02:53 AM
Info: I am using the web portal locally from the WLC.
Yes, the WLAN is configured with layer 3 web security redirecting to a custom webauth portal (on the WLC).
For authentication and authorization I am using ISE.
What's interesting for me is: all mobile devices (private and others) are working without any issue, but the external company laptop is having the issue.
As my policy is crystal clear that only guest users should authenticate, and all authenticated clients which are connecting to the Guest WLAN must be given permit access.
Thanks
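The two failure reasons quoted in the question (12703 and 12520) are EAP negotiation failures, while the WLC web-auth flow described in the thread authenticates with PAP_ASCII. A first triage step when mobiles pass and company laptops fail is therefore to split the ISE RADIUS records by protocol family, so you can see which endpoints never used the PAP web-auth path at all. The script below is an added example, not code from the thread or from Cisco; the CSV column names and every record in it are constructed assumptions, so adapt the field names to your own ISE log export before use.

```python
"""Triage ISE RADIUS authentication records for a PAP web-auth guest SSID.

Added example (not from the thread or from Cisco). The CSV layout below is an
assumption; real ISE exports use different column names.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real ISE output). The two failure reasons
# quoted in the thread are kept verbatim; the password failure is made up.
SAMPLE_CSV = """timestamp,username,calling_station_id,protocol,failure_reason
2018-02-20T08:01:10,guest01,aa:bb:cc:00:00:01,PAP_ASCII,
2018-02-20T08:01:15,guest02,aa:bb:cc:00:00:02,PAP_ASCII,
2018-02-20T08:02:03,host/LAPTOP1,aa:bb:cc:00:00:03,EAP-TLS,12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
2018-02-20T08:02:40,corp\\user1,aa:bb:cc:00:00:04,LEAP,12703 Failed to negotiate EAP because LEAP not allowed in the Allowed Protocols
2018-02-20T08:03:12,guest03,aa:bb:cc:00:00:05,PAP_ASCII,Wrong password (constructed reason)
"""

# EAP methods that mean the endpoint ran an 802.1X supplicant exchange rather
# than the portal's PAP username/password submission.
EAP_PROTOCOLS = {"EAP-TLS", "PEAP", "EAP-FAST", "EAP-TTLS", "LEAP"}


def parse_records(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(record):
    """Return (protocol_family, outcome) for one authentication record."""
    proto = record["protocol"].strip().upper()
    if proto.startswith("PAP"):
        family = "webauth-pap"
    elif proto in EAP_PROTOCOLS or proto.startswith("EAP"):
        family = "eap-8021x"
    else:
        family = "other"
    outcome = "failed" if record["failure_reason"].strip() else "passed"
    return family, outcome


def triage(text):
    """Count passes/failures per protocol family and collect failing MACs."""
    summary = defaultdict(lambda: {"passed": 0, "failed": 0, "endpoints": set()})
    for rec in parse_records(text):
        family, outcome = classify(rec)
        summary[family][outcome] += 1
        if outcome == "failed":
            summary[family]["endpoints"].add(rec["calling_station_id"])
    return summary


def eap_attempts(text):
    """MACs whose failures were EAP-based: these records belong to an 802.1X
    exchange, not to the PAP web-auth flow, so check the SSID/profile those
    endpoints actually connected with before touching the guest policy."""
    return sorted(triage(text)["eap-8021x"]["endpoints"])


if __name__ == "__main__":
    for family, stats in triage(SAMPLE_CSV).items():
        print(f"{family:12s} passed={stats['passed']} failed={stats['failed']}")
    print("EAP failures from:", ", ".join(eap_attempts(SAMPLE_CSV)))
```

Run it against your own export after renaming the columns; a non-empty EAP list on an SSID that should only see PAP records tells you the failing laptops were not in the web-auth flow when those errors were logged, which narrows the problem to the client's network profile or the SSID they joined rather than the guest authorization policy.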