Guest user failing because using EAP instead PAP_ASCII

ittechk4u1 (Level 4)

Hello experts,

I configured my guest access to use the PAP_ASCII authentication protocol (webauth), but the client still fails with this error:

12703 Failed to negotiate EAP because LEAP not allowed in the Allowed Protocols

or

12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

 

What could be the issue? Why is the client trying to use the ISE certificate, or a different protocol?

 

Here are my policies on ISE:

 

Authentication: [screenshot: Authentication.png]

Authorization: [screenshot: Authorization.png]

 

 

 

Thanks in advance

 

Update: it is working on mobile devices but failing on external company notebooks!

4 Replies

Hi 

The ISE config is missing from your response.

However, going by the description, you might be using a certificate on the guest portal to validate clients?

The problem with a certificate is that you need to install it somehow on the endpoint. Otherwise clients won't be able to join your network. Doing this on external endpoints is complicated.

Usually people use some sort of enrollment on the guest portal to make it easier.

 

-If I helped you somehow, please, rate it as useful.-

A certificate on the guest portal to validate clients? I don't understand correctly. Why do we need it?

I know that only an SSL cert is required, otherwise it will give the security warning!

I am using Local Webauth (username/password) on the Cisco WLC with the help of the ISE sponsor portal.

What do you need from my side from ISE? I can give more info.

 

 

I am not an ISE expert, although I'd like to be.

But the bottom line is not difficult. You probably already have the basics, which is an SSID with web auth as layer 3 security redirecting to the ISE.

On the ISE side you need to create an authorization policy to handle the guest auth request and apply an ACL accordingly.

Below is a detailed guide on how to do this. I recommend you go through each step while comparing with your configuration and see where your config is wrong.

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

 

-If I helped you somehow, please, rate it as useful.-

Info: I am using the web portal locally from the WLC.

Yes WLAN is configured with layer 3 web security redirecting to Custom webauth portal (on WLC).

For authentication and Authorization I am using ISE.

 

What is interesting to me is this: all mobile devices (private and others) are working without any issue, but the external company laptop is having the issue.

My policy is crystal clear: only guest users should authenticate, and all authenticated clients connecting to the Guest WLAN must be given permit access.

 

Thanks
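As an added example (not from the thread, and not Cisco's own tooling), the script below triages ISE authentication attempts on a web-auth guest WLAN by what the endpoint actually sent rather than by what the policy expects. It assumes that the WLC's Layer 3 web-auth forwards the guest's credentials to ISE as PAP (RADIUS User-Password present, no EAP-Message), while an endpoint running an 802.1X supplicant sends EAP-Message attributes, which a PAP_ASCII-only Allowed Protocols set can never match. The `AuthAttempt` records, device labels and attribute sets are constructed; only the two failure-reason strings are taken from the original post.

```python
"""Triage of ISE authentication attempts on a web-auth guest WLAN.

Added example, not from the forum thread or from Cisco. Assumption (see
also the lead-in): Layer 3 web-auth on the WLC reaches ISE as PAP (User-
Password attribute), whereas an 802.1X supplicant reaches ISE with
EAP-Message attributes. The sample attempts below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# ISE failure reasons begin with a numeric code, e.g.
# "12703 Failed to negotiate EAP because LEAP not allowed ..."
_CODE_RE = re.compile(r"^\s*(\d{4,5})\b")


@dataclass(frozen=True)
class AuthAttempt:
    username: str
    endpoint: str            # constructed device label
    attrs: frozenset         # RADIUS attribute names seen in the Access-Request
    failure_reason: str = "" # ISE failure reason text, "" when authentication succeeded


def failure_code(reason: str) -> Optional[int]:
    """Return the numeric ISE failure-reason code, or None for a success/blank reason."""
    m = _CODE_RE.match(reason)
    return int(m.group(1)) if m else None


def protocol_family(attempt: AuthAttempt) -> str:
    """Classify by the attributes the endpoint actually sent."""
    if "EAP-Message" in attempt.attrs:
        return "EAP (802.1X supplicant)"
    if "User-Password" in attempt.attrs:
        return "PAP (web-auth form)"
    return "unknown"


def diagnose(attempt: AuthAttempt) -> str:
    """One-line verdict per attempt, pointing at the endpoint when it spoke EAP."""
    fam = protocol_family(attempt)
    code = failure_code(attempt.failure_reason)
    if code is None:
        return f"{attempt.endpoint}: {fam} -> success"
    if fam.startswith("EAP"):
        # A web-auth rule whose Allowed Protocols permit only PAP_ASCII rejects
        # any EAP negotiation before credentials are ever checked.
        return (f"{attempt.endpoint}: {fam} -> {code}; endpoint negotiated EAP, "
                "so a PAP_ASCII-only web-auth rule cannot match it. "
                "Check the endpoint's wireless profile for the guest SSID.")
    return f"{attempt.endpoint}: {fam} -> {code}; check credentials and policy"


def summarize(attempts):
    """Count protocol families among the failed attempts only."""
    return Counter(protocol_family(a) for a in attempts if failure_code(a.failure_reason))


# Constructed sample mirroring the thread: phones succeed via web-auth,
# the external company laptop shows up with EAP-related failures.
_WEBAUTH = frozenset({"User-Name", "User-Password", "Service-Type", "NAS-Port-Type"})
_DOT1X = frozenset({"User-Name", "EAP-Message", "Message-Authenticator", "NAS-Port-Type"})

SAMPLE = [
    AuthAttempt("guest01", "phone-A", _WEBAUTH),
    AuthAttempt("guest02", "phone-B", _WEBAUTH),
    AuthAttempt("guest03", "ext-laptop", _DOT1X,
                "12703 Failed to negotiate EAP because LEAP not allowed in the Allowed Protocols"),
    AuthAttempt("host/ext-laptop", "ext-laptop", _DOT1X,
                "12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate"),
]

if __name__ == "__main__":
    for attempt in SAMPLE:
        print(diagnose(attempt))
    print(dict(summarize(SAMPLE)))
```

Running it on the constructed sample shows every failure coming from attempts that carried EAP-Message, which is the split the thread describes: the PAP web-auth rule is fine for the phones, and the laptops are being rejected because they arrive as 802.1X supplicants rather than through the web-auth form.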

 
