
ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake after a client alert

Hello,

Has anyone come across this error code before? I have looked in the 1.1.1 troubleshooting section and there is nothing there. When I click on the link for the description of the error in ISE I get the following error:

Error Code.png

I set up 7925 phones for EAP-TLS using MIC. I have uploaded Cisco's Root CA and Manufacturing CA certificates and enabled "Trust for client authentication". A Certificate Profile is configured matching Common Name and is added to the Identity Sequence. I got some additional attribute information, where there is an error message:

OpenSSLErrorMessage=SSL alert code=0x233=563 ; source=remote ; type=fatal ; message="decrypt error"

Other Attributes.png

Anyone know what this error means?


ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake af

Kyle,

If you are trying to authenticate Cisco phones, can you do me a favor and connect to the phone's HTTPS interface (check whether you get any errors, to see if the cert is corrupt)? Once you get the certificate warning, export the phone's certificate using your browser. Once you export the certs, you can view the chain and then export the root certificate (if any intermediate certs exist, pull them too). You can view the certificate path, double-click on the certificate you want to export, then Copy to File, and that will export the correct certificate.

Then replace the certificates you uploaded and test again.

Tarik Admani
*Please rate helpful posts*


Re: ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshak

The certificates on the phone appear to be in good order.  The Root and Manufacturing root certificates on the phone are identical to the ones installed in ISE.  Could it somehow be failing on the local Self-Signed certificate?

12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800  Extracted first TLS record; TLS handshake started
12805  Extracted TLS ClientHello message
12806  Prepared TLS ServerHello message
12807  Prepared TLS Certificate message
12809  Prepared TLS CertificateRequest message
12505  Prepared EAP-Request with another EAP-TLS challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12504  Extracted EAP-Response containing EAP-TLS challenge-response
12815  Extracted TLS Alert message
12521  EAP-TLS failed SSL/TLS handshake after a client alert
12507  EAP-TLS authentication failed
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject
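Decoding the two pieces of evidence quoted above (the OpenSSLErrorMessage attribute and the TLS-related lines of the ISE step log), as an added example that is not part of the thread or of Cisco's software: ISE packs the alert the way OpenSSL does, level in the high byte and description in the low byte, so 0x233 (563) is fatal (0x02) / decrypt_error (0x33 = 51) from the remote peer, and the step log shows the phone alerted right after ISE's Certificate and CertificateRequest messages, before sending its own certificate. Alert names come from RFC 5246; the RADIUS step lines are omitted from the embedded sample.

```python
import re

# TLS alert levels and a subset of descriptions (RFC 5246 section 7.2).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    48: "unknown_ca", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 80: "internal_error",
}

# Attribute string and the TLS-related step lines as posted in the thread.
OPENSSL_ATTR = ('OpenSSLErrorMessage=SSL alert code=0x233=563 ; source=remote ; '
                'type=fatal ; message="decrypt error"')
STEP_LOG = """12805  Extracted TLS ClientHello message
12806  Prepared TLS ServerHello message
12807  Prepared TLS Certificate message
12809  Prepared TLS CertificateRequest message
12505  Prepared EAP-Request with another EAP-TLS challenge
12504  Extracted EAP-Response containing EAP-TLS challenge-response
12815  Extracted TLS Alert message
12521  EAP-TLS failed SSL/TLS handshake after a client alert"""


def decode_alert(code):
    """Unpack an OpenSSL-style alert code (level << 8 | description) into names."""
    level, desc = code >> 8, code & 0xFF
    return ALERT_LEVELS.get(level, f"level_{level}"), ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}")


def parse_openssl_attr(attr):
    """Extract code, source and type from ISE's OpenSSLErrorMessage attribute."""
    m = re.search(r"alert code=0x([0-9A-Fa-f]+)=(\d+)\s*;\s*source=(\w+)\s*;\s*type=(\w+)", attr)
    if not m:
        raise ValueError("unrecognised OpenSSLErrorMessage format")
    code = int(m.group(1), 16)          # hex form; m.group(2) is the same value in decimal
    level, desc = decode_alert(code)
    # source=remote means the peer (here the phone) sent the alert, not ISE.
    return {"code": code, "level": level, "description": desc,
            "source": m.group(3), "type": m.group(4)}


def handshake_failure_point(step_log):
    """Return (TLS messages ISE prepared before the client alert, alert seen?)."""
    sent = []
    for line in step_log.splitlines():
        code, _, text = line.strip().partition(" ")
        if code == "12815":             # Extracted TLS Alert message
            return sent, True
        m = re.match(r"\s*Prepared TLS (\w+) message", text)
        if m:
            sent.append(m.group(1))
    return sent, False
```

A client alert at this point means the phone rejected what ISE sent in ServerHello/Certificate/CertificateRequest, which is why the thread's troubleshooting focuses on whether the phone trusts the ISE server certificate rather than on the phone's own MIC.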


ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake af

Yes,

That could be it. See if you can follow this guide on importing the ISE self-signed cert (I used a 7921 guide, but it should be similar).

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/7_0/english/administration/guide/7921cfgu.html#wp1376129

Installing the Authentication Server Root Certificate

The Authentication Server Root Certificate must be installed on the Cisco Unified Wireless IP Phone 7921G.

To install the certificate, follow these steps:


Step 1 Export the Authentication Server Root Certificate from the ACS. See Exporting Certificates from the ACS.

Step 2 Go to the phone web page and choose Certificates.

Step 3 Click Import next to the Authentication Server Root certificate.

Step 4 Restart the phone.

Thanks,

Tarik Admani
*Please rate helpful posts*


ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake af

Tarik,

I have exactly the same problem. EAP-TLS failed between a 7925G and ISE 1.1.1. I could not solve it with the above proposed solution.

Any other idea?


ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake af

Wim,

I opened a TAC case for this a month and a half ago and I do not have a solution yet. I was promised an answer by the end of this week. I will post the solution once I have it.

Kyle


ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake af

Kyle,

Very interesting. Thanks for the info. Looking forward to the result of your case.

best regards,

-wim-


ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake af

Did you ever get a resolution to this? I am about to start working on this exact thing.

ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake af

I have seen this issue when you decide not to validate the server side certificate in the phone settings. Seems like it still wants to trust the server side cert anyways.

Tarik Admani
*Please rate helpful posts*


ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake af

Hi,

I have the same problem. Any updates on this one?

@tarik: please note the 7925 admin guide Table 4-3. "Validate Server Certificate. Note: Applies to PEAP only."

source: http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/administration/guide/7925cfgu.html#wp1361939

So the server certificate is always validated when using EAP-TLS. I think the web GUI shouldn't show this option when EAP-TLS is selected.

Anyway, how do we solve the problem? Is opening a TAC case recommended/required?
