ISE Web UI client certificate issue

Unanswered Question
Oct 23rd, 2013

I recently switched the authentication type from password based to client certificate based.  I set up the Certificate Authentication Profile, Identity Source and imported the Active Directory groups I was attempting to use.  Once I restarted the application I can no longer access the web UI.


When I attempt to access the web ui I'm prompted for my certificate which I supply and then I get an authentication failure message.  I was reading online and someone suggested using the CLI and issuing the following command: application start ise safe


This command restarted the application but when I attempted to login afterwards the page prompted me for certificates again but didn't display anything.


Is there anything I can do to remedy this issue or do I need to start over?


Thanks!

Cole Courtney Tue, 10/29/2013 - 08:39

I'm using IE 10 and Firefox 24.


I ended up just starting from scratch as I was completely unable to access the admin ui after having improperly set the certificate authentication.  Ultimately I'll have to attempt to enable this feature again.


There has to be a way to allow both certificate based authentication and local user admin access.  It would also be surprising if you're unable to reset the admin ui after a misconfiguration.


If anyone has any advice it would be much appreciated.

terry.tam Tue, 04/08/2014 - 10:17

Hi Cole,

Same here...  mine is 1.2.0.899 with Patch 7...  The command is simple but I cannot believe there is a bug on it...  hopeless

Anyway, thanks for your update.

Cole Courtney Mon, 04/14/2014 - 12:50

I think we've finally discovered all the issues.

Problem #1:  CAC enabled Admin Access fails

Solutions:  In our deployment we have domain controllers that are internal to our network and then we have DCs that reside outside of the firewall.  I incorrectly assumed that ISE would work in conjunction with sites and services.  ISE instead chooses which DC it's going to authenticate off by doing a simple DNS lookup; in our case ISE would attempt to communicate with DCs that were external, which would then be filtered by the firewall.  I'm still working with TAC to solve this issue, which may include modifying the hosts file.

Problem #2: Unable to recover from failed CAC enable

Solution:  You're supposed to be able to access the CLI and issue a safe start to recover from this issue.  It currently doesn't work and is a known bug:

https://tools.cisco.com/bugsearch/bug/CSCun74285/?reffering_site=dumpcr

I hope others benefit from these struggles....it was very painful.
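
Added example (not part of the original thread and not Cisco code): a pre-flight check for the failure described in Problem #1, listing every address a plain DNS lookup of the AD domain returns and flagging any that sit outside the internal subnets or have AD ports filtered. The domain `corp.example`, the subnet, the port list and the sample resolver/probe are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Assumption: TCP ports an AD client typically needs (Kerberos, LDAP, SMB, Global Catalog).
AD_PORTS = (88, 389, 445, 3268)

def resolve_dcs(domain, resolver=socket.getaddrinfo):
    """Unique addresses returned by a plain DNS lookup of the AD domain name."""
    infos = resolver(domain, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def tcp_open(addr, port, timeout=2.0):
    """True if a TCP connection to addr:port succeeds within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(domain, internal_nets, resolver=socket.getaddrinfo, probe=tcp_open):
    """Per DC address: is it in an internal subnet, and which AD ports are blocked?"""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    report = {}
    for addr in resolve_dcs(domain, resolver):
        ip = ipaddress.ip_address(addr)
        report[addr] = {
            "internal": any(ip in net for net in nets),
            "blocked_ports": [p for p in AD_PORTS if not probe(addr, p)],
        }
    return report

def risky(report):
    """Addresses that could break AD-backed admin login if DNS hands them out."""
    return sorted(a for a, r in report.items() if not r["internal"] or r["blocked_ports"])

# Constructed sample data (hypothetical domain and addresses) so the check runs offline.
def sample_resolver(host, port, proto=0):
    addrs = ["10.10.1.5", "10.10.1.6", "198.51.100.20", "10.10.1.5"]
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (a, 0)) for a in addrs]

def sample_probe(addr, port):
    return addr.startswith("10.10.")  # the firewall drops traffic to the external DC

if __name__ == "__main__":
    result = audit("corp.example", ["10.10.0.0/16"], sample_resolver, sample_probe)
    for addr in risky(result):
        print(addr, result[addr])
```

Calling `audit()` without the sample resolver and probe uses live DNS and real TCP connects, so run it from a host in the same network segment as the ISE node before switching admin access to certificate-based authentication.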
