EAP-TLS Troubleshooting

Common Issues

Certificate Not Trusted

Symptom: Authentication fails with "Certificate not trusted" or "Unknown CA"

Cause: ISE doesn’t have the issuing CA in trusted certificates

Resolution:

  1. Import full CA chain to ISE

  2. Verify trust settings include "Client Authentication"

# Check ISE trusted certs
netapi ise api-call openapi GET '/api/v1/certs/trusted-certificate?size=100' | \
  jq -r '.response[].friendlyName' | grep -i domus

Certificate Expired

Symptom: "Certificate has expired" error

Resolution:

  1. Issue new certificate from Vault

  2. Deploy to client

  3. Update ISE if server cert expired

# Check expiry
openssl x509 -in /etc/ssl/certs/client-eaptls.pem -noout -dates

Private Key Mismatch

Symptom: TLS handshake fails, client can’t prove certificate ownership

Resolution:

Verify key matches certificate:

# Compare modulus (RSA keys only; for EC keys compare the public keys instead)
openssl x509 -in cert.pem -noout -modulus | md5sum
openssl rsa -in key.pem -noout -modulus | md5sum
# Both hashes must match

Wrong EKU

Symptom: "Certificate does not have required EKU"

Resolution:

Verify certificate has Client Authentication EKU:

openssl x509 -in cert.pem -noout -text | grep -A1 "Extended Key Usage"
# Should show: TLS Web Client Authentication
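The three checks above (expiry, key match, EKU) combined into one pre-flight script you can run before deploying a client identity. This is an added example, not part of the original page; file paths are arguments and the optional CA bundle is whatever chain you exported from Vault. It generalises the key-match test to EC keys by comparing public keys rather than RSA moduli.

```shell
#!/bin/sh
# Pre-flight check of an EAP-TLS client identity (added example, not from the page).
# Usage: eaptls_precheck client.pem client.key [ca-chain.pem]
# Exit status 0 means every check passed; each failure is printed on its own line.

eaptls_precheck() {
  cert=$1; key=$2; ca=$3; rc=0

  # 1. Expiry: -checkend 0 exits non-zero when notAfter is already in the past
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL: certificate has expired (or is unreadable)"; rc=1
  fi

  # 2. Key match: hash the SubjectPublicKeyInfo from both sides (works for RSA and EC)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match certificate"; rc=1
  fi

  # 3. EKU: ISE rejects client certificates without id-kp-clientAuth
  if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
       | grep -A1 "Extended Key Usage" | grep -q "TLS Web Client Authentication"; then
    echo "FAIL: missing Client Authentication EKU"; rc=1
  fi

  # 4. Chain: optional, only when a CA bundle is supplied
  if [ -n "$ca" ] && ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: certificate does not chain to $ca"; rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $cert is ready for EAP-TLS"
  return "$rc"
}
```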

Debugging

ISE Live Logs

  1. Operations > RADIUS > Live Logs

  2. Click failed authentication

  3. Check:

    • "Authentication Details"

    • "Steps" - shows exact failure point

    • "Other Attributes" - certificate info

Client-Side (Linux)

# wpa_supplicant debug
sudo wpa_supplicant -i eth0 -c /etc/wpa_supplicant/wpa_supplicant.conf -d

# Exercise the EAP-TLS exchange against ISE directly, without a switch in the path.
# openssl s_client cannot be used for this: RADIUS on UDP/1812 is not a raw TLS socket.
# eapol_test (built from the wpa_supplicant tree) speaks RADIUS and runs the EAP method
# from the same config file. <ise-ip> and <shared-secret> are placeholders.
eapol_test -c /etc/wpa_supplicant/wpa_supplicant.conf -a <ise-ip> -s <shared-secret>

DataConnect Query

SELECT USERNAME, FAILURE_REASON, CALLING_STATION_ID
FROM RADIUS_AUTHENTICATIONS
WHERE AUTHENTICATION_PROTOCOL = 'EAP-TLS'
AND PASSED = 0
AND TIMESTAMP_TIMEZONE > SYSDATE - INTERVAL '1' HOUR;

Related

  • ISE Certificate Troubleshooting (infra-ops)

  • 802.1X Troubleshooting (infra-ops)