Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5125
Views
3
Helpful
4
Replies

Another ISE and certificates

Mikael Gustafsson
Level 5
Level 5

‎10-23-2013 05:34 AM - edited ‎03-10-2019 09:01 PM

Hi,

I have an deployment, ISE 1.2, were Im trying to run EAP-TLS with computer certificates.

There is only on PKI, with a root CA and a intermediate issuing CA.

When we try to authenticate the client we get:

Event    5400 Authentication failed

Failure Reason    12508 EAP-TLS handshake failed

For troubleshooting we have tried to import root and issuing certificates from the client to ISE.

We have compared serial numbers on all certificates and  they match.

I have checked with Wireshark and I see the client present client-cert and issuing, from ISE there is client-cert, issuing and root.

I have tried to change CN to SAN to SAN DNS.

If I run user certificate from the client it works like it should, and that show me that the root and issuing certificate are ok on ISE.

Any good tip on what could be wrong?

Or maybe an example of a computer CA template that can be used for auto enrollment with AD?  :-)

Regards

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Tarik Admani
VIP Alumni
VIP Alumni

‎10-24-2013 09:30 PM

Mikael,

On the certificates you have imported you have the "trust for client authentication" checked for all certs? I cloned the default computer template for my computer certificates just to have the auto-enroll settings and that is working fine.

Thanks,

Tarik Admani
*Please rate helpful posts*

Mikael Gustafsson
Level 5
Level 5
In response to Tarik Admani

‎10-25-2013 01:15 AM

Hi Tarik,

The CA template I tried yesterday is used with NPS and clients.

Just now I asked the server team to make a 'plain' copy of the computer template to use and EAP-TLS authentication kicked in as it should.

So it is something with that CA template that ISE dosent like.

Thanks

0 Helpful

Mikael Gustafsson
Level 5
Level 5

‎10-25-2013 10:03 AM

Problem solved.

The reason ISE rejected the certificate was because an extra extension added to the certificate.

The server team added this extension to the 'Application Policy Extension' and then made it critical, they wanted to have something extra to filter on.

ISE rejected the certificate because it couldn't validate the extra extension and a critical extension has to be validated. When we removed the 'Make this Extension Critical' check mark from the certificate it worked as it should.

Cheers

0 Helpful

blenka
Level 3
Level 3

‎10-29-2013 04:18 PM

5400, Failed-Attempt, Authentication failed, User authentication failed. ... 44, 5412, Failed-Attempt,dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. ...... There seems to be an internal problem with the client's supplicant,

0 Helpful
Customers Also Viewed These Support Documents