Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISE 1.2 EAP-TLS handshake to external RADIUS

Hi everyone!

I'm trying to implement ISE to authenticate a wireless network using a cisco WLC 5508, I have an ISE virtual Appliance version 1.2  and a WLC 5508 version 7.6 with several 3602e Access Points (20 aproximately).

Right now they are authenticating with a RADIUS Server (which I don't manage, it's out of my scope), the WLC uses this RADIUS Server to authenticate using 802.1x and EAP-TLS (which means the clients need to have a valid certificate and be in the RADIUS database which is integrated to the Active Directory), I can't touch the CA either. So now I need to authenticate using Cisco ISE instead of the RADIUS Server (at least directly), the problem is that for "security" reasons or whatever they don't let me integrate the ISE to the CA, so I added the RADIUS server as an external identity source and made my authentication Policy rule pointing at it, like this:

If: Wireless_802.1X          Allow Protocols: Default Network Access          Use: RADIUS

Then I added ISE as a RADIUS Server on my WLC and made a Test SSID 802.1X pointing to ISE to authenticate and all that, I did some tests and I got this error:

12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

Which means the clients are trying to do the EAP-TLS Process to validate the certificate with the Cisco ISE (but ISE does not have the certificate because they won't let me integrate to the CA directly) so it fails. Is there any way I can do something to redirect that EAP-TLS handshake to the exernal RADIUS Server? Making ISE kind of like a connecting point only for the authentication, I realize it's not the best scenario but giving the circumstances it's the best I can do for now, later on I will add the AD to ISE and start creating some authorization policies based on that, but right now I just want them to authenticate.

Any help is appreciated, thanks in advance!

Everyone's tags (4)

ISE 1.2 EAP-TLS handshake to external RADIUS

In the SSID properties, please uncheck "Validate server certificate" 

New Member

ISE 1.2 EAP-TLS handshake to external RADIUS

Hi Saurav, thanks a lot for your response, excuse my ignorance but where exactly would that option be? I am checking in the WLAN section in WLC but can't find it, same within the ISE.

(No subject)

New Member

Ok so it's in the supplicant,

Ok so it's in the supplicant, doesn't that mean that it will do the EAP-TLS process without validating the certificate? neither in ISE or the external RADIUS Server?

CreatePlease login to create content