12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

yongwli
Cisco Employee

Hi Experts,

  1. Using the Windows 802.1X supplicant in Cisco switch and Cisco wireless scenarios. It works fine.
  2. Using AnyConnect NAM, it can work in the wireless scenario but fails in the wired scenario.
  3. Using AnyConnect NAM with a Cisco switch, the user CANNOT log in. The ISE log says "12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate". No invalid-certificate warning message popped up.

ISE version is 2.3.0.298, AnyConnect version is 4.6.01098 pre-deploy package, and we tried 4.5.05030. We tried on two Win7 and one Win10 machines, same issue.

Any suggestion will be very appreciated!

Thanks

DL

Accepted Solution

Nidhi
Cisco Employee

My initial analysis would be to check the configuration file using the profile editor and make sure you have the appropriate settings. Can you please attach the configuration file so I can check it? Also, please raise a TAC case to troubleshoot.

Thanks,

Nidhi


10 Replies

hslai
Cisco Employee

Adding to Nidhi... please check whether the option [ V ] Validate Server Identity is enabled.

wenzeng
Cisco Employee

Hi hslai,

   I created a NAM.xml profile for AnyConnect. It should be put in %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\NetworkAccessManager\newConfigFiles, right? And what name should it be changed to so that AnyConnect can recognize and use it?

BR,

Alex

Nidhi
Cisco Employee

You will have to rename it to configuration.xml, put it in c:/program data/cisco/cisco AnyConnect secure mobility client/network access manager, and reinitialize the connection.

Thanks,

Nidhi

Nidhi
Cisco Employee

Forgot to mention that Program Data is a hidden folder, so please change the settings to view hidden folders.

hslai
Cisco Employee

Typing %programdata% in the address bar of Windows Explorer would also take us there.

Hi hslai,
I am having the same issue and the same error message. ISE 2.3.0298 with our internal MS PKI cert. Do you mind advising how you fixed it? Best regards. Richard

Hello Nidhi,

I am having the same issue and error message.

My client configuration file on Win7 is one sub-folder deeper:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system\configuration.xml

Is the above path correct?

BTW, the sub-folder \newConfigFiles is empty.

Please advise which folder the client configuration file should be in.

Thanks.


Richard

yongwli
Cisco Employee

Creating a NAM profile and disabling server validation in the profile.

I had the same problem and exactly the same message, and when I disabled the Validate Server Identity check box it worked immediately and works fine.
Thanks a lot.
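Since the workaround in the replies above is to untick Validate Server Identity, which leaves the supplicant accepting whatever certificate the RADIUS/ISE side presents, here is an added audit script (not from this thread or from Cisco) that parses a deployed NAM configuration.xml and lists the networks with that check turned off. The sample profile is constructed, and the element names and namespace URI in it are assumptions to be checked against your own Profile Editor output; the matching is namespace- and depth-agnostic so it still works if the real file nests the element differently.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a NAM configuration.xml. Element names and
# the xmlns value are ASSUMED (placeholder URI); compare against a real Profile
# Editor export. One wired network has Validate Server Identity unticked.
SAMPLE_NAM_XML = """<configuration xmlns="urn:example:nam-profile-placeholder">
  <networks>
    <network><displayName>corp-wired</displayName>
      <wiredNetwork><authenticationNetwork><userAuthentication><eapMethods><eapFast>
        <validateServerIdentity>false</validateServerIdentity>
      </eapFast></eapMethods></userAuthentication></authenticationNetwork></wiredNetwork>
    </network>
    <network><displayName>corp-wifi</displayName>
      <wifiNetwork><authenticationNetwork><userAuthentication><eapMethods><eapFast>
        <validateServerIdentity>true</validateServerIdentity>
      </eapFast></eapMethods></userAuthentication></authenticationNetwork></wifiNetwork>
    </network>
  </networks>
</configuration>"""


def local(tag):
    """Strip the '{namespace}' prefix so matching ignores the xmlns URI."""
    return tag.rsplit('}', 1)[-1]


def audit_server_validation(xml_text):
    """Map each network's displayName to its validateServerIdentity value (bool).

    Networks without the element are omitted; the walk is depth-agnostic, so it
    does not depend on the exact nesting under <network>.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for network in root.iter():
        if local(network.tag) != 'network':
            continue
        name = next((e.text for e in network.iter() if local(e.tag) == 'displayName'), '?')
        for e in network.iter():
            if local(e.tag) == 'validateServerIdentity':
                result[name] = (e.text or '').strip().lower() == 'true'
    return result


def networks_without_validation(xml_text):
    """Sorted names of networks whose client will not validate the server cert."""
    return sorted(n for n, ok in audit_server_validation(xml_text).items() if not ok)


if __name__ == '__main__':
    # Point this at the deployed file under Network Access Manager\system\ to audit a real host.
    for name in networks_without_validation(SAMPLE_NAM_XML):
        print(f'{name}: Validate Server Identity is disabled')
```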