
wireless Authentication problem in ISE version 2.0.0.306

mostafashoaei
Level 1

Hi guys,

I have a Cisco ISE 2.0.0.306.

I configured authentication on wired and wireless. Wired authentication works correctly; however, wireless authentication gave the following problem:

Failure Reason:  12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

Resolution:      Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.

Root cause:     PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate

I have attached a screenshot of the error; please take a look at it.

Note: I have run a new version of Cisco ISE (2.2.0.470) and it works correctly.

Both ISE instances have the same configuration.

I have changed the ISE certificates, but it still doesn't work.

Can you tell me whether this is a bug in this version?

Please help me.

Thanks a lot

2 Replies

thomas
Cisco Employee

99% of the time this is because the endpoint does not trust the certificate provided by ISE. This is because you are

1) using a self-signed certificate or

2) the endpoint does not trust one of the signers in the certificate chain

Either you are not using a public CA to sign the ISE certificate or the wireless endpoint does not have your enterprise CA certificate installed in its trust store.

I recommend asking questions about ISE in the Identity Services Engine (ISE) group unless you are asking about APIs which is more appropriate for DevNet.
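The two trust failures named in the reply above, reproduced offline with `openssl verify` (an added example, not part of the original thread). The subject names, file names and the `make_lab` and `chain_status` helpers are assumptions for illustration; all keys and certificates are constructed throwaway samples.

```shell
#!/bin/sh
# Constructed lab: every name, key and certificate here is a throwaway sample.

make_lab() {  # build sample certs in a temp dir; prints the directory path
  d=$(mktemp -d) || return 1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
    'x509_extensions=v3_ca' '[dn]' 'CN=placeholder' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/lab.cnf"
  # Enterprise root CA: what the supplicant needs in its trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/lab.cnf" \
    -subj "/CN=Constructed Enterprise Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  # EAP server certificate signed by that root (stands in for the ISE cert).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" \
    -subj "/CN=ise.example.test" \
    -keyout "$d/ise.key" -out "$d/ise.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/ise.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/ise.pem" 2>/dev/null &&
  # Self-signed EAP server certificate (case 1 in the reply).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/lab.cnf" \
    -subj "/CN=ise.example.test" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null &&
  echo "$d"
}

chain_status() {  # $1 = client trust bundle (PEM), $2 = server cert (PEM)
  # -no-CApath keeps the system store out, so only the given bundle counts.
  if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  elif [ "$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')" = \
         "$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer=//')" ]; then
    echo self-signed          # subject equals issuer and it is not in the bundle
  else
    echo untrusted-issuer     # case 2: a signer in the chain is not trusted
  fi
}

lab=$(make_lab) || { echo "openssl failed to build the lab" >&2; exit 1; }
echo "root in store, cert signed by root : $(chain_status "$lab/ca.pem" "$lab/ise.pem")"
echo "root in store, cert self-signed    : $(chain_status "$lab/ca.pem" "$lab/self.pem")"
echo "root not in store, cert CA-signed  : $(chain_status "$lab/self.pem" "$lab/ise.pem")"
rm -rf "$lab"
```

To apply the same check to a real deployment, pass the PEM bundle the supplicant is configured to trust and the exported EAP server certificate to `chain_status`.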

Hi dear Thomas,

I've checked the certificate; the ISE certificate is signed by my domain.

I've imported the root CA of the domain on the client as a trusted certificate.

Note: I have another ISE (2.2) with the same config, and it works fine without any problem, but I have the issue in this version.

I have now asked this question in the Identity Services Engine (ISE) group: https://communities.cisco.com/message/248335#248335

Thanks a lot for your answer.