ISE Single SSID BYOD - Windows Endpoint user experience

rchilukuri, Level 1

We are implementing wireless BYOD using Cisco ISE 1.2 and WLC 7.4x. We are using PEAP / MS-CHAP v2 for wireless security. We are able to on-board iOS, Android, and Mac OS endpoints using single SSID, and native supplicant provisioning seems to work fine with these endpoints. We are having issues with Windows clients. On a Windows client, when the user selects the SSID, it prompts for userid/password, but never gets a pop-up for the server certificate. We are using a third-party public wildcard certificate on ISE for HTTP/EAP authentication. On ISE, we are getting: 12511 Unexpectedly received TLS alert message; treating as a rejection by the client.

3 Replies

Aastha Chaudhary, Cisco Employee

It seems you are running into an internal bug where PEAP/TLS authentication fails on Windows when using a wildcard certificate. Other devices such as Android, Mac OS, etc. work fine. During testing, this was found to be an issue with a blank CN. Does your certificate have a blank CN field as well?

Unfortunately the bug is not resolved yet, and still being worked on.

Thanks,

Aastha

*Please rate helpful posts*

blenka, Level 3
Code: 12511
Category: EAP
Message: Unexpectedly received TLS alert message; treating as a rejection by the client
Description: While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
Severity: Warn

Saurav Lodh, Level 7
Symptom:

Some endpoint devices (Windows OS) have issues with a wildcard cert when the CN contains * (star) as the wildcard.

The PEAP authentication fails due to "12511 Unexpectedly received TLS alert message; treating as a rejection by the client".

Conditions:

When the wildcard cert contains * (star) as the wildcard in the CN.

Workaround:

Create the wildcard with * (star), e.g. CN=aaa.cisco.com
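The two failure conditions named in this thread (a blank CN, or a CN that carries the `*` wildcard) can be checked on the ISE certificate before it is bound to EAP, instead of waiting for Windows clients to hit 12511. The script below is an added example written for this page, not code from the thread or from Cisco. It parses the text that `openssl x509 -in ise.pem -noout -subject -ext subjectAltName` prints (OpenSSL 1.1.1 or later for `-ext`) and applies the thread's rules; the three certificate descriptions embedded in it are constructed samples, not real certificates. The third check, that the CN should also appear as a SAN dNSName, is an assumption of the example and is not stated in the thread.

```python
"""Lint an ISE EAP server certificate for the CN conditions that break the
Windows native PEAP supplicant (ISE failure reason 12511).

Input is the plain text produced by:
    openssl x509 -in ise.pem -noout -subject -ext subjectAltName
"""

# Constructed sample output for three hypothetical certificates (not from the thread).
# 1) wildcard in CN: the pattern the thread reports as failing on Windows
BAD_CERT_TEXT = """\
subject=C = US, O = Example Corp, CN = *.example.com
X509v3 Subject Alternative Name: 
    DNS:*.example.com
"""

# 2) FQDN in CN, wildcard carried in the SAN (assumed layout that keeps Windows happy)
GOOD_CERT_TEXT = """\
subject=C = US, O = Example Corp, CN = ise01.example.com
X509v3 Subject Alternative Name: 
    DNS:ise01.example.com, DNS:*.example.com
"""

# 3) no CN at all: the "blank CN" case from the Cisco reply
BLANK_CN_TEXT = """\
subject=C = US, O = Example Corp
X509v3 Subject Alternative Name: 
    DNS:*.example.com
"""


def parse_openssl_output(text):
    """Return (cn, san_dns_names) from openssl's -subject / -ext subjectAltName text.

    cn is None when the subject has no CN attribute, "" when it is present but empty.
    san_dns_names lists only the DNS: entries of the SAN extension, in order.
    """
    cn = None
    san = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("subject="):
            # openssl renders RDNs as 'ATTR = value' joined by ', '
            for rdn in line[len("subject="):].split(", "):
                name, _, value = rdn.partition("=")
                if name.strip() == "CN":
                    cn = value.strip()
        elif line.strip().startswith("X509v3 Subject Alternative Name"):
            # the GeneralNames follow on the indented line(s) below the header
            for cont in lines[i + 1:]:
                if not cont.startswith((" ", "\t")):
                    break
                for entry in cont.split(","):
                    kind, _, value = entry.strip().partition(":")
                    if kind == "DNS":
                        san.append(value.strip())
    return cn, san


def lint_ise_cert(cn, san_dns_names):
    """Return a list of findings; an empty list means the certificate passes.

    The first two rules are the ones the thread reports; the third is an
    assumption of this example (the CN should also be present as a SAN name).
    """
    findings = []
    if not cn:
        findings.append("CN is blank: Windows PEAP/TLS fails with a blank CN")
    elif "*" in cn:
        findings.append(
            "CN '%s' contains a wildcard: Windows native supplicant rejects it "
            "(ISE logs 12511)" % cn
        )
    elif cn not in san_dns_names:
        findings.append(
            "CN '%s' is not listed as a SAN dNSName (assumption: supplicants "
            "that match on SAN will not find it)" % cn
        )
    return findings


def check_openssl_text(text):
    """Parse openssl output and lint it in one call."""
    return lint_ise_cert(*parse_openssl_output(text))


if __name__ == "__main__":
    for label, sample in (("wildcard-in-CN", BAD_CERT_TEXT),
                          ("FQDN-in-CN", GOOD_CERT_TEXT),
                          ("blank-CN", BLANK_CN_TEXT)):
        result = check_openssl_text(sample)
        print(label, "->", result or "OK")
```

Run it against a real certificate with `openssl x509 -in ise.pem -noout -subject -ext subjectAltName | python3 lint.py`-style piping after replacing the samples with `sys.stdin.read()`; an empty result for the certificate you intend to bind to EAP means the CN is a plain FQDN, which is the layout the thread's workaround points at.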