Another ISE and certificates

Unanswered Question
Oct 23rd, 2013

Hi,


I have a deployment, ISE 1.2, where I'm trying to run EAP-TLS with computer certificates.

There is only one PKI, with a root CA and an intermediate issuing CA.


When we try to authenticate the client we get:


Event    5400 Authentication failed

Failure Reason    12508 EAP-TLS handshake failed


For troubleshooting we have tried to import root and issuing certificates from the client to ISE.

We have compared serial numbers on all certificates and they match.

I have checked with Wireshark and I see the client present client-cert and issuing, from ISE there is client-cert, issuing and root.

I have tried to change CN to SAN to SAN DNS.


If I run a user certificate from the client it works like it should, and that shows me that the root and issuing certificates are OK on ISE.


Any good tip on what could be wrong?

Or maybe an example of a computer CA template that can be used for auto enrollment with AD?  :-)


Regards

Overall Rating: 3 (1 ratings)
Tarik Admani Thu, 10/24/2013 - 21:30

Mikael,


On the certificates you have imported you have the "trust for client authentication" checked for all certs? I cloned the default computer template for my computer certificates just to have the auto-enroll settings and that is working fine.


Thanks,

Tarik Admani
*Please rate helpful posts*

Mikael Gustafsson Fri, 10/25/2013 - 01:15

Hi Tarik,


The CA template I tried yesterday is used with NPS and clients.

Just now I asked the server team to make a 'plain' copy of the computer template to use and EAP-TLS authentication kicked in as it should.


So it is something with that CA template that ISE doesn't like.


Thanks

Mikael Gustafsson Fri, 10/25/2013 - 10:03

Problem solved.



The reason ISE rejected the certificate was an extra extension added to the certificate.


The server team added this extension to the 'Application Policy Extension' and then made it critical; they wanted to have something extra to filter on.


ISE rejected the certificate because it couldn't validate the extra extension and a critical extension has to be validated. When we removed the 'Make this Extension Critical' check mark from the certificate it worked as it should.




Cheers
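
The failure described in the post above can be checked before a template is rolled out. The following is an added example, not part of the original thread and not Cisco code: it walks a DER-encoded X.509 Extensions structure and lists every extension marked critical that the validator does not understand, which RFC 5280 section 4.2 says must cause rejection. The `KNOWN` set is an assumption standing in for a hypothetical validator (it is not ISE's actual list), and `SAMPLE` is a constructed Extensions structure, not a full certificate, that assumes the thread's 'Application Policy Extension' is Microsoft's Application Policies OID 1.3.6.1.4.1.311.21.10.

```python
# RFC 5280, 4.2: a certificate with an unrecognized critical extension MUST be rejected.
KNOWN = {  # assumption: OIDs a hypothetical validator processes, not ISE's real list
    "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints",
    "2.5.29.37": "extKeyUsage",
}

def read_tlv(buf, pos):
    """Return (tag, value bytes, offset of the next TLV) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def unhandled_critical(extensions_der):
    """List OIDs of extensions that are marked critical but are not in KNOWN."""
    tag, seq, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF Extension")
    rejected, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)      # one Extension SEQUENCE
        _, oid, nxt = read_tlv(ext, 0)        # extnID
        tag, val, _ = read_tlv(ext, nxt)      # BOOLEAN critical, or extnValue
        critical = tag == 0x01 and val != b"\x00"  # absent means DEFAULT FALSE
        if critical and decode_oid(oid) not in KNOWN:
            rejected.append(decode_oid(oid))
    return rejected

# Constructed sample: keyUsage (critical), extKeyUsage, Application Policies (critical)
SAMPLE = bytes.fromhex(
    "3045" "300e0603551d0f0101ff0404030205a0"
    "30130603551d25040c300a06082b06010505070302"
    "301e06092b060104018237150a0101ff040e300c300a06082b06010505070302")
```

`unhandled_critical(SAMPLE)` returns only the Application Policies OID: the critical keyUsage extension passes because the validator understands it, which matches the thread's fix of clearing the critical flag rather than removing the extension.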

blenka Tue, 10/29/2013 - 16:18

5400, Failed-Attempt, Authentication failed, User authentication failed. ... 44, 5412, Failed-Attempt,dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. ...... There seems to be an internal problem with the client's supplicant,
