We are having some issues when doing eap-tls during onboarding. The setup is to have a single ssid network. Clients initially gets connected via peap and after onboarding it is eap-tls. The environment is a 2 tier CA hirearchy having a root-ca (offline) and intermediate CA (this is the AD domain enterprise CA and scep server). ISE cert was signed by the intermediate CA for https and eap. Also imported the certificate chain from the intermediate CA to ISE cert store (converted from .p7b to .der). It also has the scep RA certificate and scep communication between ise and scep server looks ok.
The issue is during the onboarding process (tested with windows xp) after the redirection to guest poral, windows SPW wizard starts and prompts to confirm the user certificate. This keeps on prompting after 'ok' is clicked and does not proceed further. The 'view certificate' shows the following error " The issuer of this ccertficate is not found". ISE shows the following errors in authentication details (jpg attached). Windows SPW logs shows that it keep on retrying authentication.
The issuer of the client cert which is the intermediate CA cert is already in the ISE certificate store. Therefore shouldn't that client get this issuer CA details from ISE and ISE should be able to authenticate client during onboarding to start the tls connection? Do we have to import seperate certs for root-ca, Intermediate ca in ise store instead of the chain?
Does anybody had this issue with ISE in a hirearchical CA environment?
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...