
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

bmwstoof1
Level 1

Hi guys,

 

I have root CA and intermediate CA in ISE local certificate store trusted for client authentication.

I have imported both root CA and client certificate in the device I want to authenticate, but ISE keeps spitting out this error:

12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

 

 

 

7 Replies

nspasov
Cisco Employee

So the client is not liking something about the certificate/certificate setup. Can you tell us:

1. What version and patch of ISE you are running

2. What type of authentication you are trying to do (PEAP, EAP-TLS, etc)

 

Thank you for rating helpful posts!

Hi Neno,

 

I am running V1.2.0.899

 

Any advice? Thanks in advance.

Can you post screenshots of the supplicant's configuration screens?

mohanak
Cisco Employee

Refer to the link for troubleshooting; the issue is mentioned on page no. 22, check it: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_81_troubleshooting_failed_authc.pdf

I checked it, but what is described as the solution has already been done in my case; the issue is still there.

I know that this thread is old but were you able to resolve this issue?

I was getting today the same ISE authentication error when connecting Blackberry devices into the WiFi using EAP-TLS for which I have an Entrust signed cert installed on ISE running both services PEAP + EAP-TLS.

After multiple troubleshooting attempts we found the following:

- The Entrust L1K intermediate cert (part of the ISE cert chain) is not included in the BB, iPad, Android, Win, etc. CA Trusted list that comes by default with their respective OS.

- The Entrust Root CA G2 that comes with the Blackberry OS looks like it was corrupted.

Solution

Using BB BES 12 we created a profile and pushed the Entrust L1K Cert into the BB Device Internal CA Trusted List (added it) and overwrote the Entrust G2 as well.

When I initially added the L1K and tested it, I was still getting the error message on ISE so I found the following link that gave me the idea to overwrite the default Entrust Root CA G2.

http://support.blackberry.com/kb/articleDetail?ArticleNumber=000036357
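
The trust failure described in the last reply can be reproduced offline with `openssl`. This is an added example, not code from the thread or from Cisco: the lab CA names, `ise.lab.example` and the helper functions are constructed stand-ins for the Entrust chain and the ISE certificate. It assumes the client has to build the chain from its own trust store.

```bash
#!/usr/bin/env bash
# Constructed lab PKI: all names and files are made up for this example.

# issue DIR NAME CN EXTENSION ISSUER  (ISSUER equal to NAME = self-signed root)
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf '%s\n' "$4" > "$1/$2.ext"
  if [ "$5" = "$2" ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 2 \
      -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.pem" -CAkey "$1/$5.key" \
      -CAcreateserial -days 2 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
  fi
}

# root -> intermediate -> server certificate (stand-in for the ISE certificate)
build_lab_pki() {
  issue "$1" root "Lab Root CA" "basicConstraints=critical,CA:TRUE" root &&
  issue "$1" int "Lab Intermediate CA" "basicConstraints=critical,CA:TRUE" root &&
  issue "$1" srv "ise.lab.example" "extendedKeyUsage=serverAuth" int
}

# Exit 0 when a client whose trust store is $1 accepts server certificate $2.
client_trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the client's verdict before and after the intermediate is pushed to it.
run_demo() {
  d=$(mktemp -d) || return 1
  build_lab_pki "$d" || return 1
  cp "$d/root.pem" "$d/store_before.pem"                  # root CA only
  cat "$d/root.pem" "$d/int.pem" > "$d/store_after.pem"   # root + intermediate
  for s in before after; do
    if client_trusts "$d/store_$s.pem" "$d/srv.pem"; then
      echo "$s=accept"
    else
      echo "$s=reject"   # client rejects the server cert; ISE reports this as 12520
    fi
  done
  rm -rf "$d"
}

run_demo
```

To check a real deployment the same way, export the ISE certificate and the device's trusted CA certificates as PEM files and pass them to `client_trusts`.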