Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Distributed ISE & Distributed PKI = EAP-TLS issues ... Correct?

In a distributed ISE deployment with regional intermediate CA, I am getting failed authentication due to " EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain".  Client device have only one client certificate issued from regional intermediate CA. When client device goes across the region, they can't authenticate and gets this "unknown” CA error. The admin node has certificates of all intermediate CAs and root CA.

One possible solution is to add intermediate CA certificates to all regional Node groups but apparently it is not possible on ISE policy nodes.

Have a look at the diagram below and let me know you think (Client authentication failure at both location 1 and 3).

Everyone's tags (7)
7 REPLIES

Distributed ISE & Distributed PKI = EAP-TLS issues ... Correct?

I think the problem is more related to your clients, have you configured all the pc's to trust at least the root ca and the ca that ise has gotten it's certificate from ?

New Member

Distributed ISE & Distributed PKI = EAP-TLS issues ... Correct?

Thanks Jan for your reply. I have aised this to cisco TAC and the have checked all ISE config and client configs. they didn't found any configuration error. Cisco TAC has no answer to this problem yet!

Distributed ISE & Distributed PKI = EAP-TLS issues ... Correct?

Have you installed ALL intermidiate CA certs on all your PSN's in every region ?

New Member

Distributed ISE & Distributed PKI = EAP-TLS issues ... Correct?

Thanks Jan for reply. And short answer is Yes ....

we have identified the issue and it has been resolved now. It was down to one of the cert corruption on primary admin.

It was only identified after going to debug logs in prrt. Verification was done by export that particular cert and analyzing it. Don't know how it got corrupted but it did.

In CA cert section on primary admin node, it was displaying correct value like issue date etc but when it was exported for analysis, I couldn't open it.

So moral of the story is that the someone thought that they need to put a status field against every cert on ISE and it wasn't decided how to check its status - no offence.

New Member

Distributed ISE & Distributed PKI = EAP-TLS issues ... Correct?

Hi ... I think i have the same problem. Could you explain what exactly the problem is comparing the certificates ? How was it fixed - didn't get that part ;-)

New Member

Distributed ISE & Distributed PKI = EAP-TLS issues ... Correct?

Hi just wanting to clarify here that you are essentially utilising multiple issuing CAs on the one ISE deployment? If this is the case how is it configured in that I cannot seem to have multiple certs been trusted for EAP?

Distributed ISE & Distributed PKI = EAP-TLS issues ... Correct?

Stephen,

You can have as many sub-ca's or root ca's certificates in ISE as you like, and use them to validate and crl check users certs with, however the cert that ise presents to the clients during any kind of EAP negotiation, can only be one specific, which means for EAP-TLS & PEAP, you will need to have that specific root/subca cert installed on all your clients, and trust it in your supplicant settings.

1858
Views
0
Helpful
7
Replies