5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

Configure EAP-TLS Authentication with ISE

Updated: October 17, 2019 Document ID: 214975

Contents

Introduction
Prerequisites
Requirements
Components Used
Configure
Obtain Server & Client Certificates
Step 1. Generate Certificate Signing Request (CSR) from ISE.
Step 2. Import CA Certificates into ISE.
Step 3. Obtain Client Certificate for Endpoint.
Network Devices
Step 4. Add the Network Access Device (NAD) in ISE
Policy Elements
Step 5. Using External Identity Source.
Step 6. Create the Certificate Authentication Profile.
Step 7. Add to an Identity Source Sequence.
Step 8. Define the Allowed Protocols Service.
Step 9. Create the Authorization Profile.
Security Policies
Step 10. Create the Policy Set.
Step 11. Create an Authentication Policy.
Step 12. Create the Authorization Policy.
Verify
Troubleshoot
Common Issues and Techniques to Troubleshoot
Related Information

Introduction
This document describes the initial configuration as an example to introduce EAP-TLS Authentication with
Identity Services Engine (ISE).  The main focus is on the ISE configuration which can be applied to
multiple scenarios, such as (but not limited to) authentication with an IP-Phone / Endpoint connected via
Wired or Wireless.
For the scope of this guide, important to understand the following phases of the ISE (Radius)
Authentication flow:

Authentication - Identify and validate the end-identity (machine, user, etc.) that is requesting network
access.
Authorization - Determine what permissions/access the end-identity will be granted on the network.
Accounting - Reporting and tracking of the end-identity's network activity after network access is
achieved.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 1/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

Prerequisites

Requirements
Recommend to have knowledge on these topics:

Basic understanding of EAP and Radius communications flow.

Basic Radius Authentication knowledge with certificate-based authentication methods in terms of the
communication flow.
Understanding of the differences between Dot1x and MAB.
Basic understanding of Public Key Infrastructure (PKI).
Familiarity with obtaining signed certificates from a Certificate Authority (CA) and manage certificates
on the endpoint(s).
Configuration of AAA (Radius) related settings on a network device (Wired or Wireless)
Configuration of Supplicant (on Endpoint) for use with Radius/802.1x.

Components Used
The information in this document is based on these software and hardware versions:

Identity Services Engine (ISE) Release 2.x

Certificate Authority (CA) -- to issue certificates (can be Enterprise CA, 3rd Party / Public CA, or use )
Active Directory (external identity source) from Windows Server; where compatible with ISE.
Network Access Device (NAD) -- can be Switch (Wired) or (Wireless) configured for 802.1x / AAA
Endpoint: certificates issued to the (user) identity and supplicant configuration which will be
authenticated for network access via Radius/802.1x: User Authentication.  It is possible to get a
machine certificate but not used in this example.

Note: Since this guide uses ISE 2.3 then all documentation references will be based on this
version.  However, the same/similar information can be found by referenced by substituting a
different ISE version on the same document type and can be accessed from Cisco Identity Services
Engine (ISE) > Install and Upgrade Guides

The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, ensure
that you understand the potential impact of any command.

Configure

Obtain Server & Client Certificates

Step 1. Generate Certificate Signing Request (CSR) from ISE.

The first step is to generate a CSR from ISE and submit it to the Certificate Authority [server] in order to
obtain the signed certificate issued to ISE, as a System Certificate.  This certificate will be presented as a
Server Certificate by ISE during EAP-TLS authentication.   This is performed in ISE GUI, navigate to
Administration > System: Certificates > Certificate Management, and then under Certificate Signing
Requests click on Generate Certificate Signing Requests (CSR), as shown in the image.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 2/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

Certificate types require different extended key usages. This list outlines which extended key usages are
required for each certificate type:
ISE Identity Certificates

Multi-Use (Admin, EAP, Portal, pxGrid) - Client and Server Authentication

Admin - Server Authentication
EAP Authentication - Server Authentication
Portal - Server Authentication
pxGrid - Client and Server Authentication
SAML - SAML Signing Certificate

More information regarding certificates for use with ISE can be found in:  

Step 2. Import CA Certificates into ISE.

After the Certificate Authority returns the signed certificate will also include the full CA Chain comprised
of a Root certificate and one/multiple Intermediary Certificates. The following steps are the best way to
import the CA certificates and the system certificate into ISE:

1. In order to import the Root certificate into ISE GUI, navigate to Administration > System:
Certificates > Certificate Management, under Trusted Certificates click on Import, and select the
certificate usages Trust for authentication within ISE (Infrastructure) and Trust for client
authentication and Syslog (Endpoints)

2. Repeat the previous step for each Intermediary Certificate(s) as part of the CA certificate chain.

3. Once all certificates as part of the full CA chain is imported into Trusted Certificates store in ISE then
return to ISE GUI and navigate to Administration > System: Certificates > Certificate Management:
Certificate Signing Requests, locate the CSR under Friendly Name that corresponds to the signed
certificate and select the certificate then click on Bind Certificate.

4. On the next page, click on Browse and select the signed certificate file, define a desired Friendly
Name, and select the Certificate Usage(s). Submit to save changes.

5. At this time, the signed certificate should now be moved to the ISE GUI and navigate to
Administration > System: Certificates > Certificate Management: System Certificates and assigned
to the same node in which the CSR was created for. Repeat the same process for other nodes and/or
other certificate usages.

Step 3. Obtain Client Certificate for Endpoint.

It is required to navigate through a similar process on the endpoint for the creation of a client certificate
for use with EAP-TLS. For this example, you need a client certificate signed and issued to the user
account to perform User Authentication with ISE. An example of obtaining a client certificate for the
endpoint from an Active Directory environment can be found in: Understand and configure EAP-TLS using
WLC and ISE > Configure > Client for EAP-TLS
Due to the multiple types of endpoints and operating systems, as the process can be somewhat different,
additional examples are not provided. However, the overall process is conceptually the same. Generate a
Certificate Signing Request which has all the relevant information that should be included in the certificate

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 3/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

and have it signed by the Certificate Authority, whether that is an internal server in the environment or a
public/third-party company that provides this type of service.
Furthermore, the Common Name (CN) and Subject Alternative Name (SAN) certificate fields should
include the identity in which to use during the authentication flow. This also dictates how the supplicant
should be configured for EAP-TLS in terms of the identity: Machine and/or User Authentication, Machine
Authentication, or User Authentication. This example uses only User Authentication in the rest of this
document.

Network Devices
Step 4. Add the Network Access Device (NAD) in ISE

Network Access Device (NAD) that an endpoint is connected to is also configured in ISE so that
Radius/TACACS+ (Device Admin) communication can take place. Between the NAD and ISE, a shared
secret/password is used for trust purposes.  
In order to add a NAD via ISE GUI, navigate to Administration > Network Resources > Network Devices
> Network Devices and click on Add, which is shown here in the image.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 4/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

More information can be found in Cisco Identity Services Engine Administrator Guide, Release 2.3 >
Chapter: Manage Network Devices > Create a Network Device Definition in Cisco ISE
At this time, if you have not done so already, you need to configure all AAA related settings on the
network device to authenticate and authorize with Cisco ISE.

Policy Elements
These settings are elements that end up binding to either the Authentication Policy or Authorization
Policy.  In this guide, primarily each policy element is built then is bonded into the policy. It is important to
understand that the setting is not in effect until the binding to the Authentication / Authorization Policy is
completed.
More information regarding the policy elements can be found in Cisco Identity Services Engine
Administrator Guide, Release 2.3 > Chapter: Configure and Manage Policies

Step 5. Using External Identity Source.

An External Identity Source is simply a source where the end-identity (machine or user) account resides
that is used during the ISE Authentication phase.  Active Directory is typically used to support Machine
Authentication against the computer account and/or User Authentication against the end-user account in
Active Directory (AD). The Internal Endpoints (internal) source does not store the computer
account/hostname, therefore, it cannot be used with machine authentication.
Shown here are the supported identity sources with ISE and protocols (authentication type) that can be
used with each identity source:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 5/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

More information can be found in the Cisco Identity Services Engine Administrator Guide, Release 2.3 >
Chapter: Manage Users and External Identity Sources > Internal and External Identity Sources
Add Active Directory Security Groups to ISE
In order to use Active Directory (AD) security groups in ISE Policies, you must first add the group into the
Active Directory join point.
-- from ISE GUI: Administration > Identity Management: Active Directory > {select AD instance name /
join point} > tab: Groups > Add > Select Groups From Directory
For more information and requirements to integrate Identity Services Engine (ISE) with Active Directory
(AD), please review this document in full: Active Directory Integration with Cisco ISE 2.x

Note: Same action is applicable to add security groups to an LDAP instance. From ISE GUI:
Administration > Identity Management: External Identity Sources > LDAP > {select LDAP instance
name} > tab: Groups > Add > Select Groups From Directory

Step 6. Create the Certificate Authentication Profile.

The purpose of the Certificate Authentication Profile is to inform ISE which certificate field the identity
(machine or user) can be found on the client certificate (end-identity certificate) presented to ISE during
EAP-TLS (also during other certificate based authentication methods). These settings will be bound to
the Authentication Policy to authenticate the identity; configured from ISE GUI, navigate to Administration
> Identity Management: External Identity Sources > Certificate Authentication Profile and click on
Add.
The Use Identity From used to select the certificate attribute from a specific field the identity is can be
found, the choices shown in the image are available:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 6/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

If the identity store is going to be pointed to Active Directory or LDAP (external identity source) then a
feature called Binary Comparision can be used that performs a lookup of the identity in Active Directory
obtained from the client certificate from the Use Identity From selection (as above), which occurs during
ISE Authentication phase.  Without Binary Comparision the identity is simply obtained from the client
certificate and is not looked up in Active Directory until the ISE Authorization phase when an AD External
Group is used as a condition, or any other conditions that would need to be performed externally to ISE.
In order to use Binary Comparision, in the Identity Store select the external identity source (Active
Directory or LDAP) where the end-identity account can be found.
The settings here is a configuration example when the identity is located in the Common Name (CN) field
of the client certificate, with Binary Comparision enabled (optional):

More information can be found in Cisco Identity Services Engine Administrator Guide, Release 2.3 >
Chapter: Manage Users and External Identity Sources > Certificate Authentication Profiles

Step 7. Add to an Identity Source Sequence.

Identity Source Sequence can be created from ISE GUI, navigate to Administration > Identity
Management, Under Identity Source Sequences and click on Add.
The next step is to add the Certificate Authentication Profile to an Identity Source Sequence which grants
the ability to include multiple Active Directory (AD) join points or group a combination of internal/external
identity sources together, as desired, which then binds to the Authentication Policy under the
Use column.  
The example as shown here allows the lookup to be performed against Active Directory (AD) first, then if
the user is not found lookup on an LDAP server. 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 7/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

Otherwise, you can also bind just the Certificate Authentication Profile to the Authentication Policy.

Step 8. Define the Allowed Protocols Service.

The Allowed Protocols Service enables only that authentication methods/protocols which ISE supports
during Radius Authentication. In order to configure from ISE GUI, navigate to Policy > Policy Elements:
Results > Authentication > Allowed Protocols and then it binds as an element to the Authentication
Policy. 

Note: Authentication Bypass > Process Host Lookup relates to MAB being enabled on ISE.

These settings must be the same as what is supported and configured on the supplicant (on the
endpoint), otherwise, the authentication protocol is not negotiated as expected and Radius
communication may fail. In a real-world ISE configuration, it is recommended to enable any authentication
protocol that is used in the environment so ISE and Supplicant can negotiate and authenticate as
expected.
This is the default values (collapsed) when a new instance of the services of the allowed protocol is
created.

Note: At a minimum, you must enable EAP-TLS since ISE and our supplicant authenticates via
EAP-TLS under this configuration example.  

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 8/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

Step 9. Create the Authorization Profile.

The last policy element needed to build is the Authorization Profile which binds to the Authorization Policy
and gives the desired level of access.  The Authorization Profile is bound to the Authorization Policy and
in order to configure it from ISE GUI, navigate to Policy > Policy Elements: Results > Authorization >
Authorization Profiles and click on Add.
The Authorization Profile contains configuration that results in attributes being passed from ISE to the
Network Access Device (NAD) for a given Radius session, in which these attributes are used to achieve
the desired level of network access.  
As shown here, it simply passes Radius Access-Accept as the Access Type, however, additional items
can be used upon the initial authentication.  Notice Attribute Details at the very bottom which contains
the summary of attributes ISE sends to the NAD upon matching a given Authorization Profile.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 9/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

More information regarding ISE Authentication Profile and Policy can be found in Cisco Identity Services
Engine Administrator Guide, Release 2.3 > Chapter: Configure and Manage Policies > Authorization
Policies > Cisco ISE Authorization Profiles

Security Policies
Authentication and Authorization Policies are created from the ISE GUI: Policy > Policy Sets, which is the
default view on ISE 2.3.  Earlier versions of ISE used a single (default) policy set and additional policy sets
could be enabled in the global settings but have since been removed since ISE 2.3 (and newer) and
cannot be disabled.
The next section covers combining the configuration and policy elements to bind to the ISE
Authentication and Authorization Policies to authenticate an endpoint via EAP-TLS.

Step 10. Create the Policy Set.

A policy set is a hierarchical container consisting of a single user-defined rule that indicates the allowed
protocol or server sequence for network access, as well as authentication and authorization policies and
policy exceptions, all also configured with user-defined condition-based rules.
In order to create a Policy Set from ISE GUI, navigate to Policy > Policy Set and then click on plus (+)
icon on the upper-left corner, as shown in the image.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 10/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

The Policy Set will bind/combine this policy element previously configured and is used to determine
which Policy Set should be matched in a given Radius Authentication Request (Access-Request):

Bind: Allowed Protocols Services

More information regarding Policy Sets on ISE can be found in the Cisco Identity Services Engine
Administrator Guide, Release 2.3 > Chapter: Configure and Manage Policies > Policy Sets > Network
Access Policy Terminology.

Step 11. Create an Authentication Policy.

Inside the Policy Set, the Authentication Policy will bind/combine these policy elements previously
configured to be used with conditions to determine when an Authentication Rule that should be matched.

Bind: Certificate Authentication Profile or Identity Source Sequence.

Step 12. Create the Authorization Policy.

Inside the Policy Set, the Authorization Policy binds/combines these policy elements previously
configured to be used with conditions to determine when an Authorization Rule that should be matched. 
The example here is for User Authentication since the conditions are pointing to the Domain Users
security group in Active Directory (AD).

Bind: Authorization Profile

Verify
Once all global configuration and policy elements bind the Policy Set configuration should look similar to
the image here for User Authentication via EAP-TLS:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 11/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

Troubleshoot
After the configuration is completed, connect the endpoint to test authentication. Results can be found
from ISE GUI: Operations > Radius > Live Logs, as shown in the image.   
For awareness, the Live Logs for Radius and TACACS+ (Device Admin) are available for the
authentication attempts/activity for the past 24 hours and for the past 100 records. If you wish to see this
type of data then need to use the reports, specifically ISE UI: Operations > Reports > Reports: Endpoints
and Users > RADIUS Authentications

In the Radius Live Logs in ISE you expect to find information about the Radius session, to include session
attributes, and other helpful information to diagnose behavior observed during an authentication flow; by
click on the details icon to open the detailed view of the session to view session attributes and related
information that is specific to this authentication attempt.
For troubleshooting purposes, it is important to ensure the correct policies are being matched. For this
configuration example the desired Authentication and Authorization Policies are being matched as
expected, as shown in the image:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 12/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

In the detailed view, these attributes are checked in order to verify that the authentication behaves as
expected per the design as part of this configuration example:
Event

This contains whether or not the authentication was successful. 

In a working scenario should value should be: 5200 Authentication succeded
Username

This includes the end-identity that was pulled from the client certificate that was presented to ISE.
In a working scenario, this is the username of the user logged into the endpoint. (i.e. employee1 from
the above image) 
Endpoint ID

For Wired/Wireless, this value should be the mac address of the network interface card (NIC) from
the endpoint.
In a working scenario, this becomes the mac address of the endpoint unless the connection is over
VPN, in which case maybe the IP Address of the endpoint.
Authentication Policy

Shows the matched authentication policy for the given session based on session attributes that
match the policy conditions.
In a working scenario, this is the expected authentication policy as configured. 
If you see another policy, it means the expected policy when compared to the conditions in the
policy was not evaluated as true. In this case, review session attributes and ensure each policy
contains different yet unique conditions for each policy.  
Authorization Policy 

Shows the matched authorization policy for the given session based on session attributes that match
the policy conditions.
In a working scenario, this is the expected authorization policy as configured. 
If you see another policy, it means the expected policy when compared to the conditions in the
policy was not evaluated as true. In this case, review session attributes and ensure each policy
contains different yet unique conditions for each policy.  
Authorization Result

Based on the matched Authorization Policy, this shows the Authorization Profile that was used in the
given session.
In a working scenario, this should always be the same value as configured in the policy. It is good to
review for audit purposes and to ensure the correct authorization profile was configured.   
Policy Server

This includes the hostname of the ISE Policy Service Node (PSN) that was involved in the
authentication attempt.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 13/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

In a working scenario should only see authentications going to the first PSN node as configured on
the network access device (NAD) [aka. edge device] unless that PSN was not operational or if
failover occurred, such as due to higher latency than expected or if an authentication timeout occurs.

Authentication Method

Shows the authentication method that was used in the given session.  For this example should see
value as dot1x.
In a working scenario, based on this configuration example, you should always see value as dot1x, if
you see another value then it could mean that either dot1x failed or was not attempted.

Authentication Protocol

Shows the authentication method that was used in the given session.  For this example should see
value as "EAP-TLS"
In a working scenario, based on this configuration example, we should always see value as "EAP-
TLS", if we see another value then supplicant and ISE did not successfully negotiate EAP-TLS.

Network Device

Shows the network device name, as configured in ISE, for the network access device (NAD) [aka.
edge device] involved in the authentication attempt between endpoint and ISE.
In a working scenario, this name is always given in ISE UI: Administration > System: Network
Devices; based on that configuration the IP Address of the network access device (NAD) [aka. edge
device] is used to determine which network device the authentication came from which is included in
the NAS IPv4 Address session attribute.

By no means is this a complete list of all possible session attributes to review for troubleshooting or other
visibility purposes as there are other useful attributes to verify.  Recommend to review all session
attributes to start become familiar with all the information you can see to include the right-side under
section Steps that shows the operations or behavior taken by ISE.

Common Issues and Techniques to Troubleshoot

This listing is some common issues and troubleshooting advice and by no means is meant to be a
complete listing. Instead, use this as a guide and develop your own techniques when troubleshooting
issues when ISE is involved.
Issue:  Encountering an authentication failure (5400 Authentication failed) or any other non-successful
authentication attempt.

If authentication failure is encountered then select the details icon which gives the information to why
authentication failed and steps taken, to include failure reason and possible root cause. 

Since ISE makes the decision on the authentication result, ISE will have the information to understand
the reason the authentication attempt was not successful.
Issue: The authentication does not complete successfully and failure reason shows "5440 Endpoint
abandoned EAP session and started new" or "5411 Supplicant stopped responding to ISE".

This failure reason indicates the radius communication did not complete before timing out. Since EAP is
between endpoint and Network Access Device (NAD) then want to check the timeout that is being
used on the NAD and ensure it is set for at least 5 seconds.   

If 5 seconds is not enough to resolve this issue then recommend to increase it by 5 seconds a few
times and re-testing to verify if this technique will resolve this issue.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 14/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

If the issue is not resolved from the above steps, then recommend to ensure the authentication is being
handled by the same and correct ISE PSN node and the overall behavior is not indicative of abnormal
behavior, such as higher than normal latency between NAD and ISE PSN node(s).     

Also, a good idea to verify if the endpoint is sending the client certificate through packet capture if ISE
is not receiving the client certificate then endpoint (user certificates) may not be trusting the ISE EAP
Authentication certificate.   If found to be true, then import CA Chain in the correct certificate stores
(Root CA = Trusted Root CA | Intermediary CA = Trusted Intermediary CA).

Issue: Authentication is successful but not matching the correct Authentication and/or Authorization
Policy.
If encountering an authentication request that is successful but not matching the correct Authentication
and/or Authorization rules, recommend to review session attributes to ensure conditions being used
are accurate and present in the Radius session.

ISE evaluates these policies from a top-down approach (with the exception of Posture Policies), need
to first determine if the policy that was matched was above or below the desired policy to be matched. 
Authentication Policy evaluated first and independently of the Authorization Policies. If the
Authentication Policy is matched correctly then it should have "22037 Authentication Passed" in the
Authentication Details under the right-section named Steps.

If the desired policy is above the matched policy, then means the sum of the conditions on the desired
policy did not evaluate to be true, it should review all attributes and values in the condition and on the
session to ensure exists and no spelling mistake is present.

If the desired policy is below the matched policy, then it means another policy [above] was matched
instead of the desired policy.  This could mean condition values are not specific enough, the conditions
are duplicated in another policy, or the order of the policy is not correct. While it becomes more difficult
to troubleshoot, recommend to start to review policies to determine the reason why the desired policy
was not matched, this should help to identify what actions to take next.

Issue: The identity or username used during authentication was not the expected value.

When this occurs, if the endpoint is sending the client certificate, then most likely ISE is not using the
correct certificate field in the Certificate Authentication Template; which is evaluated during the
Authentication Phase. 

Review the client certificate to locate the exact field the desired identity/username exists and ensure
the same field is selected from ISE UI: Administration > Identity Management: External Identity
Sources > Certificate Authentication Profile > {select the certificate authentication profile being
used in the Authentication Policy}

Issue: Authentication is not successful with failure reason "12514 EAP-TLS failed SSL/TLS handshake
because of an unknown CA in the client certificates chain".

This may occur if the client certificate has a certificate in the CA chain that is not Trusted on ISE UI:
Administration > System: Certificates > Trusted Certificates.

Typically can occur when the client certificate (on the endpoint) has a CA chain that is different than the
certificate CA chain that is signed to ISE for use EAP Authentication.

For resolution, please ensure the client certificate CA chain is trusted on ISE and the ISE EAP
Authentication server certificate CA chain is trusted on the endpoint.

- For Windows OS and Chrome, navigate to Start > Run MMC > Add/Remove Snap-In > Certificates >
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 15/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

User Certificates.

- For Firefox: Import CA chain (not the end-identity certificate) to be trusted for Web Server.

Related Information
Cisco Identity Services Engine > Install and Upgrade Guides
Cisco Identity Services Engine > Compatibility Information
Cisco Identity Services Engine Administrator Guide, Release 2.3 > Chapter: Manage Network
Devices
Cisco Identity Services Engine Administrator Guide, Release 2.3 > Chapter: Configure and Manage
Policies
Cisco Identity Services Engine > Configuration Guides > Active Directory Integration with Cisco ISE
2.x
Cisco Identity Services Engine Administrator Guide, Release 2.3 > Chapter: Manage Users and
External Identity Sources
Cisco Identity Services Engine Administrator Guide, Release 2.3 > Chapter: Manage Users and
External Identity Sources > Certificate Authentication Profiles
Cisco Identity Services Engine > Configuration Examples and TechNotes > Configure ISE 2.0
Certificate Provisioning Portal
Cisco Identity Services Engine > Configuration Examples and TechNotes > Install a 3rd party CA
Certificate in ISE 2.0
Wireless LAN (WLAN) > Configuration Examples and TechNotes > Understand and configure EAP-
TLS using WLC and ISE

Quick Links -
About Cisco

Contact Us

Careers

Meet our Partners

Resources and Legal -

Feedback

Help

Terms & Conditions

Privacy Statement

Cookies

Trademarks

Supply Chain Transparency

Sitemap

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 16/17
5/5/22, 2:20 PM Configure EAP-TLS Authentication with ISE - Cisco

©2022 Cisco Systems, Inc.

© 2022 Cisco and/or its affiliates. All rights reserved.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/214975-configure-eap-tls-authentication-with-is.html 17/17