Cisco ISE and EAP-TLS handshake fails

hedenstam
New Contributor III

Has anyone experienced problems authenticating 802.1x with Cisco ISE ver 2.3 patch 4?
The log in ISE shows that the EAP-TLS handshake fails with the Mac.
On the Mac I have the ISE server certificates trusted as well as the root of the ISE certificates;
in ISE I have the root of the machine certificate that issues the certificates to the Mac clients.
The weird thing is that 802.1x authentication works in the old Cisco ISE environment, ver. 2.1 patch 5.

Configuration profiles on Mac and Authentication/authorisation policies in ISE are all identical.


mm2270
Legendary Contributor III

Posting here to follow, because we may be experiencing the same issue. We just recently began to have serious problems with 802.1x auth at certain locales. It fails even though the certificates to connect are present and are valid. I believe Cisco ISE is being used in the locations where it's failing, but I need to verify. I wonder if the update you reference has anything to do with it. I'll ping the network guys on this and see what they say.

ejculpepper
Contributor

Was there ever a solution found for this issue @hedenstam?

I believe we are experiencing the same issue. We recently implemented ISE 2.3 for authentication and are experiencing sporadic failures around our school district with users attempting to authenticate to WiFi.

I've checked the configuration for devices that are connecting fine and ones that aren't; they all have the exact same certificates installed and trusted, and some are using the same LDAP credentials as well.

hedenstam
New Contributor III

Unfortunately no. We are still seeing the same problem and are still investigating this with the network team. Now we are also seeing the same behaviour with our "older" Cisco ISE environment.

ejculpepper
Contributor

I wanted to share my experience with this issue in regards to our iOS environment, we have not implemented ISE for our Macs yet but figured this may help out.

We recently moved from ACS to ISE 2.3.0.298 with patches 1, 3, 5 for AAA and were receiving intermittent connection issues with users even though they all had the same configuration installed (certificates, iOS version, profiles, etc.). Several iPads authenticated fine, but the majority failed with the "EAP-TLS Handshake fail" error.

During this migration from ACS to ISE, we deployed a second wifi profile with the ACS and ISE certificates/trusts to prepare for the migration. We tested this multiple times and all seemed to work fine. It turns out that having multiple copies of our root/intermediate certificate and our old ACS certificate was causing the intermittent issues. However, we were advised we could not just remove the extra certificates from the profile as this could cause issues with connectivity even though our new wireless profile was installed.

Due to this, we were advised to create a new SSID and begin migrating all devices over. I cloned our wireless configuration profile, assigned it to several test iPads, and scoped a smart group to remove the previous wireless configuration profiles from the devices once they had the new profile.

So far, this has had 100% success rate on 3000+ devices. I will be monitoring the deployment as the profile makes its way to the rest of our devices.

andyinindy
Contributor II

Reviving this thread, as we are also seeing the TLS handshake error for some of our clients. We see these messages in the Cisco ISE logs:

FailureReason=12521 EAP-TLS failed SSL/TLS handshake after a client alert
OpenSSLErrorMessage=SSL alert: code=0x100=256

This all started for us when we deployed a new ISE cert, as our old one was expiring. We pushed the new cert chain (Root, Intermediate, and leaf) to all clients, and then reissued the SCEP profile. Most clients are able to connect fine, but some stubbornly refuse. We've tried all sorts of things, like manually editing the new ISE certs to "Always Trust". But strangely, what seems to work most consistently is putting the system on Ethernet. For whatever reason, this allows the WiFi to suddenly connect when nothing else does. We are struggling to understand this behavior.

Can anyone share notes/details on how you fixed this issue in your environment? 
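The two ISE log lines quoted above carry more information than they appear to: OpenSSL reports an alert as a single number built as (level << 8) | description, which is what ISE prints as "code=0x100=256". The following added example (not code from the thread or from Cisco) parses log lines in the one-field-per-line form shown in the post and decodes the alert number into its TLS level and description per RFC 5246; the sample log is constructed from the post's two lines.

```python
import re
from typing import Dict, Optional, Tuple

# TLS alert levels and descriptions from RFC 5246 section 7.2.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}


def decode_openssl_alert(code: int) -> Tuple[str, str]:
    """OpenSSL packs an alert as (level << 8) | description; split it back apart."""
    level = ALERT_LEVELS.get(code >> 8, f"unknown_level({code >> 8})")
    desc = ALERT_DESCRIPTIONS.get(code & 0xFF, f"unknown_description({code & 0xFF})")
    return level, desc


def parse_ise_fields(lines) -> Dict[str, str]:
    """Split 'Key=value' log lines (one field per line, as quoted in the thread)."""
    fields: Dict[str, str] = {}
    for line in lines:
        key, sep, value = line.strip().partition("=")
        if sep and key:
            fields[key] = value
    return fields


def extract_alert_code(message: str) -> Optional[int]:
    """Pull the hex alert number out of a message like 'SSL alert: code=0x100=256'."""
    m = re.search(r"code=0x([0-9A-Fa-f]+)", message)
    return int(m.group(1), 16) if m else None


def summarize_failure(lines) -> Dict[str, str]:
    """Return the numeric FailureReason plus the decoded client alert, if any."""
    fields = parse_ise_fields(lines)
    summary = {"failure_reason": fields.get("FailureReason", "").split(" ", 1)[0]}
    code = extract_alert_code(fields.get("OpenSSLErrorMessage", ""))
    if code is not None:
        summary["alert_level"], summary["alert_description"] = decode_openssl_alert(code)
    return summary


# Constructed sample: the two lines quoted in the post above.
SAMPLE_LOG = [
    "FailureReason=12521 EAP-TLS failed SSL/TLS handshake after a client alert",
    "OpenSSLErrorMessage=SSL alert: code=0x100=256",
]

if __name__ == "__main__":
    print(summarize_failure(SAMPLE_LOG))
```

For the quoted lines this yields a warning-level close_notify: the client ended the TLS session itself rather than sending a fatal certificate alert such as unknown_ca or bad_certificate, which tells you which side of the exchange to examine first.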

Eric_SD_Wrkr
New Contributor III

The issue is occurring at my school district also. It seems very random. Devices will just drop with that error, and then after they reboot or are plugged into Ethernet they start connecting again.