Cisco Support Community
Community Member

ISE EAP SSL/TLS Tunneling Certificates

Hi,

I am working on an ISE implementation that is going to perform authentication across several domains using LDAP. The domains that I have in my environment are a production and pre-production/testing domains. Currently my ISE appliances are joined to the production AD and are using certificates from the CA in our production AD. The problem I am having is I can only assign one Local Certificate for use for SSL/TLS tunneling for EAP authentications. This means that when I try and authenticate a device that is not part of the production active directory (pre-production), using the separate LDAP instance as an identity store, it's attempting to create a tunnel using a cert that is not from the pre-production CA, and thus fails with the following error...

Authentication failed:

12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

This is because the device built in pre-production does not have the production CAs as trusted entities. My question is, is it possible to define multiple certificates from separate CAs for use for SSL/TLS tunneling?

Cheers

1 ACCEPTED SOLUTION
Cisco Employee

ISE EAP SSL/TLS Tunneling Certificates

Evan,

Currently, this is not supported. However, 2 different enhancement requests were filed to support this.

CSCua59145    ISE should support for multiple CA servers

CSCud10660    Multiple Subordinate CA in ISE for EAP Authentication

~BR
Jatin Katyal

**Do rate helpful posts**

4 REPLIES
Community Member

ISE EAP SSL/TLS Tunneling Certificates

Hello,

This error means that the supplicant does not trust the ISE PSN certificate.

Resolution:

Check whether the proper server certificate is installed and configured for EAP by going to the Local Certificates page (Administration > System > Certificates > Local Certificates).

Also ensure that the certificate authority that signed this server certificate is correctly installed in the client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more information.
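To illustrate the trust check described in the reply above, here is an added example (a constructed lab of my own, not Cisco or ISE code): it issues a production CA, a pre-production CA and an ISE PSN certificate signed by the production CA, then runs the chain-of-trust check a supplicant makes before it will build the PEAP tunnel. All names are made up, and it assumes the Python `cryptography` package is installed.

```python
# Constructed lab: two unrelated CAs and one ISE PSN certificate. A supplicant
# that holds only the pre-production CA rejects the PSN cert (ISE message 12321).
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(subject_cn, key, issuer_cert=None, issuer_key=None, is_ca=False):
    """Issue a certificate; with no issuer given it is a self-signed root CA."""
    now = datetime.now(timezone.utc)
    issuer_name = issuer_cert.subject if issuer_cert else _name(subject_cn)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key or key, hashes.SHA256())

def supplicant_accepts(server_cert, trusted_cas):
    """Chain-of-trust check only: True if a CA in the supplicant's trust store
    both matches the issuer name and actually signed the server certificate."""
    for ca in trusted_cas:
        if server_cert.issuer != ca.subject:
            continue
        try:
            ca.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), server_cert.signature_hash_algorithm)
            return True
        except InvalidSignature:  # same CA name, different key: still untrusted
            continue
    return False

def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

# Constructed environment: production CA issues the PSN cert, pre-prod CA does not.
PROD_KEY, PREPROD_KEY, ISE_KEY = _key(), _key(), _key()
PROD_CA = issue("prod-ca.example.test", PROD_KEY, is_ca=True)
PREPROD_CA = issue("preprod-ca.example.test", PREPROD_KEY, is_ca=True)
ISE_CERT = issue("ise-psn.example.test", ISE_KEY, PROD_CA, PROD_KEY)
```

Adding the production CA to the pre-production supplicant's trust store (the second assertion pattern) is what makes the same PSN certificate acceptable; a real supplicant additionally checks validity dates, EKU and the configured server name.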

Community Member

ISE EAP SSL/TLS Tunneling Certificates

Thanks for your response Jatin.

How likely is it that these features will be implemented in the upcoming 1.2 release of the ISE product?

Community Member

ISE EAP SSL/TLS Tunneling Certificates

Hi Jatin,

I cannot view the first bug, I can view the second OK. Does this affect all subordinate CA servers, as in using a subordinate CA will not work at all?

I am using a sub CA and keep getting the prompt from an iPad "The SCEP server returned an invalid response". Not sure if this is related to the above bugs or not.
