Symptoms or Issue

User authentication is failing on the client machine, and the user is receiving a "RADIUS Access-Reject" form of message.

Conditions

(This issue occurs with authentication protocols that require certificate validation.)

Possible Authentications report failure reasons:

•"Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client"

•"Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate"

Click the magnifying glass icon from Authentications to display the following output in the Authentication Report:

•12305 Prepared EAP-Request with another PEAP challenge

•11006 Returned RADIUS Access-Challenge

•11001 Received RADIUS Access-Request

•11018 RADIUS is re-using an existing session

•12304 Extracted EAP-Response containing PEAP challenge-response

•11514 Unexpectedly received empty TLS message; treating as a rejection by the client

•12512 Treat the unexpected TLS acknowledge message as a rejection from the client

•11504 Prepared EAP-Failure

•11003 Returned RADIUS Access-Reject

•11006 Returned RADIUS Access-Challenge

•11001 Received RADIUS Access-Request

•11018 RADIUS is re-using an existing session

•12104 Extracted EAP-Response containing EAP-FAST challenge-response

•12815 Extracted TLS Alert message

•12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate

•11504 Prepared EAP-Failure

•11003 Returned RADIUS Access-Reject

Note This is an indication that the client does not have or does not trust the Cisco ISE certificates.

Possible Causes

The supplicant or client machine is not accepting the certificate from Cisco ISE.

The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.

Resolution

The client machine must accept the Cisco ISE certificate to enable authentication.