893 Views, 2 Helpful, 13 Replies

Windows 10 and Windows 11 clients cancelled connecting to WiFi

dijix1990
VIP

Hi, recently I bumped into a problem: laptops with Windows 10 and 11 that cancelled connecting to WiFi.

I have ISE 3.1 with a connection to Windows AD, and from ISE I can see this error:

Failure Reason: 12511 Unexpectedly received TLS alert message; treating as a rejection by the client
Resolution: Ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!

 

13 Replies

marce1000
VIP

- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuh22029

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

klnnnnng
Level 1

Hello,

so you are using EAP-TLS and the client has a valid Root Cert to validate the ISE EAP Authentication certificate?

Regards

 

Yeah, some of my BYOD devices don't have the root certificate but it works. For the clients which have the problem I tried to install my root cert into "Trusted Root Certification Authorities"; it didn't help, btw. I found that enabling Hyper-V can help, and it's strange, but it helps. So maybe my ISE certificate for EAP doesn't match with Windows clients because of bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuh22029? But I don't have a CN which starts with *. Maybe you know: can I send the root certificate to BYOD devices, or do I always need to install it manually?

If you expect to join unmanaged devices which don't have your private enterprise certs installed, there really is no good solution - you need to use public certificates which the devices will already trust by default.

Make sure your software is up to date as per TAC recommended link below.

Make sure the wireless client drivers on the Windows PCs are up to date - especially if they're Intel (but the same applies to all vendors), because the Intel drivers had some major bugs in earlier releases.
https://www.intel.com/content/www/us/en/download/19351/windows-10-and-windows-11-wi-fi-drivers-for-intel-wireless-adapters.html

Yes, I know it, but why, after installing my root certificate manually, can't I connect, and why do I get the same error?

Did you make sure the drivers and OS were fully updated?

Assuming you did, then you'll just have to debug it on the client. If you were testing on Windows, then remember Windows has a user cert store (which only applies to the logged-in user) and a machine cert store (which applies to all users). If you installed the cert in a user cert store, then no other user will be able to access that cert. The cert needs to be installed in the machine cert store. I'm not familiar with how other OSes handle it, but they might have something similar.

Of course my root cert is placed in the machine cert store under Trusted Root Certification Authorities.

Are you telling the supplicant in the wireless profile to use the user/machine certificate which is issued by your internal CA? If not, Windows uses the first certificate, so it may not be presenting the proper one to the RADIUS server.

Didn't know about it (about BYOD); for domain users it happens automatically. I will try to configure the right certificate manually tomorrow.

klnnnnng
Level 1

Maybe you can check if the wireless profiles (see screenshot) are configured the same way or try disabling the validation for testing purposes.

dijix1990
VIP

Maybe I found the problem: one of my "Policy Service, pxGrid" nodes has an expired cert. I tried to generate a CSR, but couldn't export it because of the error "The CSR could not be found."

<smile> Step number one if you get certificate errors: check that all the certificates are, in fact, still valid.
It's best practice to track all of your certificate expiry dates and make sure you start preparing for the cert update 1 month before the cert expires. How you do that tracking is up to you. Some public CAs will send you reminders, but otherwise you need your own system for alerting you when certs are due to expire.
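The two client-side checks raised in this thread (is the root CA really in the machine store rather than the user store, and which certificates are expired or about to expire) can be scripted on the Windows supplicant. The script below is an added example, not something posted in the thread or shipped by Cisco; the `$RootCaThumbprint` value is a placeholder you replace with the thumbprint of the CA that signed the ISE EAP certificate, and `$WarnDays` (30) mirrors the one-month lead time suggested above. It reads the stores with the built-in `Cert:` provider, so it needs no extra modules.

```powershell
# Added example (not from the thread): verify where a root CA is installed
# on a Windows client and report certificates that are expired or close to it.
param(
    # Placeholder: replace with the thumbprint of the CA that signed the ISE EAP cert.
    [string]$RootCaThumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT',
    # Days of warning before expiry; 30 matches the "start one month early" advice.
    [int]$WarnDays = 30
)

# 1. Is the root CA in the machine store (applies to every user, which the
#    supplicant needs) or only in the current user's store?
$rootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
foreach ($store in $rootStores) {
    $match = Get-ChildItem -Path $store |
        Where-Object { $_.Thumbprint -eq $RootCaThumbprint }
    if ($match) {
        '{0}: present ({1}), valid until {2}' -f $store, $match.Subject, $match.NotAfter
    } else {
        '{0}: NOT present' -f $store
    }
}

# 2. Expiry report over the stores EAP-TLS actually uses on the client:
#    Root = trust anchors used to validate the ISE server certificate,
#    My   = machine/user identity certificates the supplicant presents.
$now = Get-Date
$reportStores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
$report = foreach ($store in $reportStores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $daysLeft = [int]($_.NotAfter - $now).TotalDays
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = $daysLeft
            Status     = if ($daysLeft -lt 0) { 'EXPIRED' }
                         elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                         else { 'OK' }
        }
    }
}

# Most urgent first; EXPIRED and RENEW SOON rows are the ones to act on.
$report | Sort-Object DaysLeft | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the affected laptop (`.\Check-EapCerts.ps1 -RootCaThumbprint <thumbprint>`); if the CA shows as present only under `CurrentUser`, that is exactly the user-store-versus-machine-store mistake described above. The client-side report does not see the ISE node certificates themselves; those still have to be checked in the ISE admin portal.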

It was left by my colleague, so I found it when I managed to see which certificate the client gets, and it was expired. I have two PANs and two PSNs, and one PAN has the expired cert. Now that PAN is out of sync because of the certificate. Maybe you know: must the second PAN node get the primary role after the certificate expires, or do I need to do it manually? And a second question: can I unbind the expired certificate, or should I just choose a valid certificate in ISE?
