Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Another ISE and certificates


I have an deployment, ISE 1.2, were Im trying to run EAP-TLS with computer certificates.

There is only on PKI, with a root CA and a intermediate issuing CA.

When we try to authenticate the client we get:

Event    5400 Authentication failed

Failure Reason    12508 EAP-TLS handshake failed

For troubleshooting we have tried to import root and issuing certificates from the client to ISE.

We have compared serial numbers on all certificates and  they match.

I have checked with Wireshark and I see the client present client-cert and issuing, from ISE there is client-cert, issuing and root.

I have tried to change CN to SAN to SAN DNS.

If I run user certificate from the client it works like it should, and that show me that the root and issuing certificate are ok on ISE.

Any good tip on what could be wrong?

Or maybe an example of a computer CA template that can be used for auto enrollment with AD?  :-)


Everyone's tags (2)

Another ISE and certificates


On the certificates you have imported you have the "trust for client authentication" checked for all certs? I cloned the default computer template for my computer certificates just to have the auto-enroll settings and that is working fine.


Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
Community Member

Another ISE and certificates

Hi Tarik,

The CA template I tried yesterday is used with NPS and clients.

Just now I asked the server team to make a 'plain' copy of the computer template to use and EAP-TLS authentication kicked in as it should.

So it is something with that CA template that ISE dosent like.


Community Member

Another ISE and certificates

Problem solved.

The reason ISE rejected the certificate was because an extra extension added to the certificate.

The server team added this extension to the 'Application Policy Extension' and then made it critical, they wanted to have something extra to filter on.

ISE rejected the certificate because it couldn't validate the extra extension and a critical extension has to be validated. When we removed the 'Make this Extension Critical' check mark from the certificate it worked as it should.


Community Member

Another ISE and certificates

5400, Failed-Attempt, Authentication failed, User authentication failed. ... 44, 5412, Failed-Attempt,dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. ...... There seems to be an internal problem with the client's supplicant,

CreatePlease to create content