Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

ISE Web UI client certificate issue

I recently switched the authentication type from password based to client certificate based.  I setup the Certificate Authentication Profile, Identity Source and imported the active directory groups I was attempting to use.  Once I restarted the application I can no longer access the web ui.

When I attempt to access the web ui I'm prompted for my certificate which I supply and then I get an authentication failure message.  I was reading online and someone suggested using the CLI and issuing the following command: application start ise safe

This command restarted the application but when I attempted to login afterwards the page prompted me for certificates again but didn't display anything.

Is there anything I can do to remedy this issue or do I need to start over.

Thanks!

6 REPLIES
Cisco Employee

ISE Web UI client certificate issue

Community Member

ISE Web UI client certificate issue

I'm using IE 10 and Firefox 24.

I ended up just starting from scratch as I was completely unable to access the admin ui after having improperly set the certificate authentication.  Ultimately I'll have to attempt to enable this feature again.

There has to be a way to allow both certificate based authentication and local user admin access.  It would also be surprising if you're unable to reset the admin ui after a misconfiguration.

If anyone has any advice it would be much appreciated.

Bronze

ISE Web UI client certificate issue

Please check the below guide for step by step configuration of Certificate:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html

Community Member

I've had a couple TAC cases

I've had a couple TAC cases open on this and still haven't figured out the issue.  I'm unable to regain access to the admin gui even though a safe start is supposed to work.  Apparently their is an open bug:

https://tools.cisco.com/bugsearch/bug/CSCun74285/?reffering_site=dumpcr

 

 

Community Member

Hi Cole,Same here...  mine is

Hi Cole,

Same here...  mine is 1.2.0.899 with Patch 7...  The command is simple but I cannot believe there is a bug on it...  hopeless

Anyway, thanks for your update.

Community Member

I think we've finally

I think we've finally discovered all the issues

 

Problem #1:  CAC enabled Admin Access fails

Solutions:  In our deployment we have domain controllers that are internal to our network and then we have DC's that reside outside of the firewall.  I incorrectly assumed that ISE would work in conjunction with sites and services.  ISE instead chooses which DC it's going to authenticate off by doing a simple DNS lookup, in our case ISE would attempt to communicate to DC's that were external which would then be filtered by the firewall.  I'm still working with TAC to solve this issue which may include modifying the hosts file.

 

Problem #2: Unable to recover from failed CAC enable

Solution:  You're supposed to be able to access the CLI and issue a safe start to recover from this issue.  It currently doesn't work and is a known bug:

https://tools.cisco.com/bugsearch/bug/CSCun74285/?reffering_site=dumpcr

 

I hope others benefit from these struggles....it was very painful.

 

 

257
Views
0
Helpful
6
Replies
CreatePlease to create content