Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1646
Views
0
Helpful
5
Replies

ISE-Peap

Go to solution
edondurguti
Level 4
Level 4

‎08-22-2012 08:30 PM - edited ‎03-10-2019 07:27 PM

Hi

I'm rolling out!

I have seen couple of people with win7 cannot authenticate to ISE:

12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

I've thought of this: Maybe get a 3rd party cert (go daddy) and have that installed in ISE.

I know i do have to make a CSR Cert.Sign.Request that matches cn=primary.ise.mydomain, would I also need a cert for secondary?

OR:

If I use LEAP as a preferred protocol then it doesn't ask for cert and users are authenticated successfully.

I know they have to say do not validate cert and all that but sometimes it doesn't popupt to them they just can't get on.

Again maybe going wtih 3rd party certs will make it easier while benefiting from using PEAP?


Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to edondurguti

‎08-23-2012 10:58 AM

Leap will not support machine authentication if you decide to go that route. It would be best to use a 3rd party cert, if you plan on using BYOD then use the IOS release notes from apple to see which root CA comes pre installed:

http://support.apple.com/kb/HT5012

Thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎08-22-2012 10:05 PM

Hi,

If the clients are your domain users, i would suggest using autoenrollment or a GPO to push out your internal root CA if you have a PKI environment.

If you dont have one it is pretty simple and forward to setup. There are plenty of technet documentation that will walk you through it.

thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
edondurguti
Level 4
Level 4

‎08-22-2012 10:15 PM

I dont have one and the situation is where i cant get one. Would Leap be a problem. Would 3rd party certs solve the problem. Cuz my company doesnt want a ca server and i will not try to convince them lol

Sent from Cisco Technical Support iPhone App

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to edondurguti

‎08-23-2012 10:58 AM

Leap will not support machine authentication if you decide to go that route. It would be best to use a 3rd party cert, if you plan on using BYOD then use the IOS release notes from apple to see which root CA comes pre installed:

http://support.apple.com/kb/HT5012

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
edondurguti
Level 4
Level 4
In response to Tarik Admani

‎08-23-2012 12:51 PM

Thanks,

I will most likey go with 3rd party cert, go daddy is supported by IOS (given the link you provided).

I will only need one cert for the primary fqdn node right?

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to edondurguti

‎08-23-2012 02:41 PM

There is a bug in ISE that doesnt allow you to use the same certificate for the eap interface (since you can designate which cert you want for either https or eap). You should be able to present the same cert for eap purposes across your radius servers. In the end you will need a cert for each of your policy service nodes.

Tried to find the bug (but the toolkit isnt working for me).

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents