Cisco Support Community
New Member

12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

Hi guys,

 

I have root CA and intermediate CA in ISE local certificate store trusted for client authentication.

I have imported both the root CA and the client certificate on the device I want to authenticate, but ISE keeps spitting out this error:

12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

 

 

 

7 REPLIES
Cisco Employee

So the client is not liking something about the certificate/certificate setup. Can you tell us:

1. What version and patch of ISE you are running

2. What type of authentication you are trying to do (PEAP, EAP-TLS, etc.)

 

Thank you for rating helpful posts!

New Member

Hi Neno,

 

I am running V1.2.0.899

 

Any advice? Thanks in advance.

Cisco Employee

Can you post screenshots of the supplicant's configuration screens?

Thank you for rating helpful posts!
Cisco Employee

Refer to the link for troubleshooting; the issue is mentioned on page no. 22, check it: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_81_troubleshooting_failed_authc.pdf

New Member

I checked it, but what is described as the solution has already been done in my case, and the issue is still there.

Cisco Employee

I know that this thread is old but were you able to resolve this issue?

Thank you for rating helpful posts!

Today I was getting the same ISE authentication error when connecting BlackBerry devices to the WiFi using EAP-TLS, for which I have an Entrust-signed cert installed on ISE running both services, PEAP + EAP-TLS.

After much troubleshooting we found the following:

- The Entrust L1K intermediate cert (part of the ISE cert chain) is not included in the BB, iPad, Android, Win, etc. CA trusted list that comes by default with their respective OS.

- The Entrust Root CA G2 that comes with the BlackBerry OS looks like it was corrupted.

Solution

Using BB BES 12 we created a profile and pushed the Entrust L1K Cert into the BB Device Internal CA Trusted List (added it) and overwrote the Entrust G2 as well.

When I initially added the L1K and tested it, I was still getting the error message on ISE, so I found the following link, which gave me the idea to overwrite the default Entrust Root CA G2.

http://support.blackberry.com/kb/articleDetail?ArticleNumber=000036357
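
The failure mode described in the last reply (a client whose trusted CA list lacks the intermediate that signed the ISE certificate) can be reproduced offline with `openssl verify`. This is an added example, not part of the thread: the PKI, the file names and the host name `ise.example.test` are constructed, and it assumes the client builds the chain only from its own trust store.

```shell
#!/bin/sh
# Constructed three-tier PKI standing in for root CA -> intermediate CA ->
# ISE server certificate. All names and files are made up for this example.

# mk_cert NAME SUBJECT [ISSUER] [EXTFILE]: new key and cert; self-signed if no ISSUER.
mk_cert() {
  name=$1 subj=$2 issuer=$3 ext=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -out "$name.csr" -subj "$subj" 2>/dev/null || return 1
  if [ -n "$issuer" ]; then
    sign="-CA $issuer.pem -CAkey $issuer.key -CAcreateserial"
  else
    sign="-signkey $name.key"
  fi
  # $sign is left unquoted on purpose so it splits into separate arguments.
  openssl x509 -req -in "$name.csr" $sign ${ext:+-extfile "$ext"} \
    -days 2 -out "$name.pem" 2>/dev/null
}

build_pki() {  # $1 = directory to populate
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$1/ca.ext"
  mk_cert "$1/root" "/CN=Constructed Root CA" "" "$1/ca.ext" &&
  mk_cert "$1/inter" "/CN=Constructed Intermediate CA" "$1/root" "$1/ca.ext" &&
  mk_cert "$1/server" "/CN=ise.example.test" "$1/inter" &&
  cat "$1/root.pem" "$1/inter.pem" > "$1/root_plus_inter.pem"
}

# client_accepts TRUSTSTORE SERVERCERT: succeeds only if the server cert chains
# to the trust store without any extra certificates being supplied.
client_accepts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# diagnose DIR: report the verdict for a root-only store and a root+intermediate store.
diagnose() {
  for store in root root_plus_inter; do
    if client_accepts "$1/$store.pem" "$1/server.pem"; then
      echo "$store: accepted"
    else
      echo "$store: rejected"
    fi
  done
}

WORK=$(mktemp -d) && build_pki "$WORK" && diagnose "$WORK"
```

To check a real deployment, point `client_accepts` at a PEM export of the device's trusted CA list and the certificate ISE presents for EAP.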
