Cisco Support Community
New Member

ISE Single SSID BYOD - Windows Endpoint user experience

We are implementing wireless BYOD using Cisco ISE 1.2 and WLC 7.4x. We are using PEAP / MS-CHAP v2 for wireless security. We are able to on-board iOS, Android, and Mac OS endpoints using a single SSID, and native supplicant provisioning seems to work fine with these endpoints. We are having issues with Windows clients. On a Windows client, when the user selects the SSID, it prompts for userid/password, but never gets a pop-up for the server certificate. We are using a third-party public wildcard certificate on ISE for HTTP/EAP authentication. On ISE, we are getting: 12511 Unexpectedly received TLS alert message; treating as a rejection by the client.

3 REPLIES
Cisco Employee


It seems you are running into an internal bug where PEAP/TLS authentication fails on Windows when using a wildcard certificate. Other devices such as Android, Mac OS etc. work fine. During testing, this was found to be an issue with a blank CN. Does your certificate have a blank CN field as well?

Unfortunately the bug is not resolved yet, and still being worked on.

Thanks,

Aastha

*Please rate helpful posts*

New Member


12511 (EAP): Unexpectedly received TLS alert message; treating as a rejection by the client. While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment. Severity: Warn

Symptom:

Some endpoint devices (Windows OS) have issues with a wildcard cert when the CN contains * (star) as the wildcard; the PEAP authentication fails due to "12511 Unexpectedly received TLS alert message; treating as a rejection by the client".

Conditions:

When the wildcard cert contains * (star) as the wildcard in the CN.

Workaround:

Create the wildcard with * (star),
e.g. CN=aaa.cisco.com
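The thread boils down to one check on the ISE EAP certificate: Windows' native supplicant aborts the PEAP tunnel (ISE message 12511) when the subject CN is blank or holds a wildcard, while a non-wildcard CN such as CN=aaa.cisco.com with the wildcard carried in the SAN works. Below is an added Python example, not Cisco code and not from any post above, that vets a candidate certificate before it is bound to ISE: it parses an OpenSSL-style subject line, applies the usual one-label wildcard matching rule to the SAN dNSName list, and reports the two conditions a practitioner would want to catch. The subject strings, SAN lists and the ISE PSN hostname are constructed sample data; the assumption that the wildcard lives in the SAN once it is removed from the CN is mine, not something the bug text states.

```python
"""Pre-flight checks for an ISE EAP/PEAP server certificate.

Windows' native supplicant aborts the TLS handshake (ISE 12511) when the
subject CN is blank or contains '*'.  These helpers flag that condition and
also confirm the ISE PSN hostname is still covered by a CN or SAN entry
after the CN has been changed to a plain hostname.

Added example; not Cisco code.  All subjects, SANs and hostnames below are
constructed sample data.
"""


def parse_subject(subject_line):
    """Parse an OpenSSL-style subject line into a dict of RDN -> value.

    Accepts the 'subject=C = US, CN = host' form printed by OpenSSL 1.1+
    and the legacy '/C=US/CN=host' form.  A CN present with an empty value
    is kept as '' so a blank CN stays visible; an absent CN yields no key.
    Limitation: values containing ',' or '/' are not un-escaped.
    """
    s = subject_line.strip()
    if s.lower().startswith("subject="):
        s = s[len("subject="):].strip()
    parts = [p for p in s.split("/") if p] if s.startswith("/") else s.split(",")
    rdns = {}
    for part in parts:
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        rdns[key.strip().upper()] = value.strip()
    return rdns


def san_matches(pattern, hostname):
    """DNS-ID matching in the RFC 6125 style used by supplicants.

    '*' is allowed only as the entire left-most label, matches exactly one
    label, and the pattern must keep at least two literal labels, so
    '*.example.com' covers 'psn1.example.com' but not 'a.b.example.com',
    and '*.com' covers nothing.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def assess_certificate(subject_line, san_dns, ise_fqdn):
    """Return (ok, findings) for a candidate ISE EAP certificate.

    ise_fqdn is the hostname of the Policy Service Node that presents the
    certificate to wireless clients.  findings lists human-readable
    problems; ok is True only when the list is empty.
    """
    rdns = parse_subject(subject_line)
    findings = []
    cn = rdns.get("CN")
    if not cn:
        findings.append("CN is blank: Windows PEAP clients abort the handshake (ISE 12511)")
    elif "*" in cn:
        findings.append(f"CN {cn!r} contains a wildcard: Windows PEAP clients abort the handshake (ISE 12511)")
    names = ([cn] if cn else []) + list(san_dns)
    if not any(san_matches(name, ise_fqdn) for name in names):
        findings.append(f"{ise_fqdn} is not covered by the CN or any SAN dNSName")
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed samples: the broken wildcard-CN cert from the thread, a
    # blank-CN cert, and the workaround shape (plain CN, wildcard in SAN).
    samples = {
        "wildcard-cn": ("subject=C = US, O = Example, CN = *.example.com", ["*.example.com"]),
        "blank-cn": ("subject=C = US, O = Example", []),
        "fixed": ("/C=US/O=Example/CN=ise-psn1.example.com", ["ise-psn1.example.com", "*.example.com"]),
    }
    for label, (subject, sans) in samples.items():
        ok, findings = assess_certificate(subject, sans, "ise-psn1.example.com")
        print(f"{label}: {'OK' if ok else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

Feed the subject line from `openssl x509 -noout -subject -in cert.pem` and the dNSName entries from `-ext subjectAltName` into `assess_certificate`; a wildcard CN or a blank CN is reported even when the SAN would otherwise cover the PSN, because that is exactly the case the Windows supplicant rejects.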