ISE EAP SSL/TLS Tunneling Certificates

evanspall
Level 1

Hi,

I am working on an ISE implementation that is going to perform authentication across several domains using LDAP. The domains that I have in my environment are a production and a pre-production/testing domain. Currently my ISE appliances are joined to the production AD and are using certificates from the CA in our production AD. The problem I am having is that I can only assign one Local Certificate for use for SSL/TLS tunneling for EAP authentications. This means that when I try to authenticate a device that is not part of the production Active Directory (pre-production), using the separate LDAP instance as an identity store, it's attempting to create a tunnel using a cert that is not from the pre-production CA, and thus fails with the following error...


Authentication failed :

12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

This is because the device built in pre-production does not have the production CAs as trusted entities. My question is, is it possible to define multiple certificates from separate CAs for use for SSL/TLS tunneling?

Cheers

Accepted Solution

Evan,

Currently, this is not supported. However, two different enhancement requests were filed to support this.

CSCua59145    ISE should support for multiple CA servers

CSCud10660    Multiple Subordinate CA in ISE for EAP Authentication

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin


4 Replies

mmangat
Level 1

Hello,

This error means that the supplicant does not trust the ISE PSN certificate.

Resolution:

Check whether the proper server certificate is installed and configured for EAP by going to the Local Certificates page (Administration > System > Certificates > Local Certificates).

Also ensure that the certificate authority that signed this server certificate is correctly installed in the client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more information.
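The trust failure behind message 12321, and the supplicant-side fix described in this reply, can be reproduced offline. The script below is an added example, not code from the thread or from Cisco: the CA names, the hostname `ise-psn.example.test` and the function `eap_cert_outcome` are constructed placeholders, and the two throwaway CAs stand in for the production and pre-production domain CAs.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce, offline, the trust failure
# behind ISE message 12321 and the fix described above. Two throwaway CAs
# stand in for the production and pre-production domain CAs; all names are
# constructed placeholders, not the poster's real PKI.
set -e
WORK=$(mktemp -d)

# Minimal CA extensions so "openssl verify" accepts each root as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"

# Self-signed roots: prod-ca (what ISE's EAP certificate chains to) and
# preprod-ca (the only anchor a client built in pre-production trusts).
for ca in prod-ca preprod-ca; do
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$ca" \
    -keyout "$WORK/$ca.key" -out "$WORK/$ca.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$ca.csr" -signkey "$WORK/$ca.key" -days 2 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/$ca.pem" >/dev/null 2>&1
done

# The single ISE local certificate used for EAP SSL/TLS tunneling, issued by
# the production CA only, as in the original question.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ise-psn.example.test" \
  -keyout "$WORK/ise.key" -out "$WORK/ise.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/ise.csr" -CA "$WORK/prod-ca.pem" \
  -CAkey "$WORK/prod-ca.key" -CAcreateserial -days 1 -sha256 \
  -out "$WORK/ise.pem" >/dev/null 2>&1

# eap_cert_outcome <trust-store.pem>
# Prints "trusted" if a supplicant holding only that trust store would accept
# ise.pem in the PEAP handshake, "rejected" if it would fail as in 12321.
eap_cert_outcome() {
  if openssl verify -CAfile "$1" "$WORK/ise.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# Mitigation from this reply: install the signing CA in the client's
# supplicant trust store (here, append prod-ca to the pre-production store).
cat "$WORK/preprod-ca.pem" "$WORK/prod-ca.pem" > "$WORK/preprod-fixed.pem"

echo "production client:        $(eap_cert_outcome "$WORK/prod-ca.pem")"
echo "pre-production client:    $(eap_cert_outcome "$WORK/preprod-ca.pem")"
echo "pre-production + prod CA: $(eap_cert_outcome "$WORK/preprod-fixed.pem")"
```

The second line is the pre-production case from the question; the third shows that adding the production CA to the client's trust store, rather than a second ISE certificate, is what clears the handshake failure.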


Thanks for your response Jatin.

How likely is it that these features will be implemented in the upcoming 1.2 release of the ISE product?

Hi Jatin,

I cannot view the first bug; I can view the second OK. Does this affect all subordinate CA servers, as in using a subordinate CA will not work at all?

I am using a sub CA and keep getting the prompt from an iPad "The SCEP server returned an invalid response". I'm not sure if this is related to the above bugs or not.