Cisco Identity Services Engine Software Technical Manual

are present. If the certificate chain is passed successfully, the chain itself should be verified as valid by using the method outlined below. 
Open each certificate (server, intermediate and root) and verify chain of trust by matching the Subject Key Identifier (SKI) of each certificate to the Authority
Key Identifier (AKI) of the next certificate in the chain.
Example of certificate chain. 
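The SKI/AKI comparison described above can be scripted with the openssl CLI. This is an added example, not code from the Cisco manual: it treats a link as valid when a certificate's AKI equals the SKI of the certificate that issued it, and expects PEM files listed in the order server, intermediate, root. The function names, file names and demo CNs are assumptions chosen for the example.

```bash
#!/usr/bin/env bash
# Added example: check SKI/AKI linkage of a PEM chain given in the order
# server -> intermediate -> root. All file names and CNs are constructed.

# Print one key identifier as bare uppercase hex. $1 = PEM file, $2 = Subject|Authority
key_id() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -A1 "X509v3 $2 Key Identifier" |
    grep -Eio '([0-9a-f]{2}:)+[0-9a-f]{2}' | head -n1 | tr -d ':' | tr 'a-f' 'A-F'
}

# Return 0 only if each certificate's AKI equals the SKI of the one listed after it.
check_chain() {
  local rc=0 aki ski
  while [ "$#" -ge 2 ]; do
    aki=$(key_id "$1" Authority); ski=$(key_id "$2" Subject)
    if [ -n "$aki" ] && [ "$aki" = "$ski" ]; then
      echo "OK       $1 -> $2 ($aki)"
    else
      echo "MISMATCH $1 AKI=${aki:-none} / $2 SKI=${ski:-none}"; rc=1
    fi
    shift
  done
  return "$rc"
}

# Build throwaway certificates (constructed sample data, identifiers only) in
# directory $1: root -> int -> server, plus "other", a CA that did not issue server.
make_demo_chain() {
  local d=$1 n
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
    '[root]' 'subjectKeyIdentifier = hash' \
    '[sub]' 'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid:always' > "$d/x.cnf"
  for n in root int other server; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/x.cnf" -extensions root -out "$d/root.pem" 2>/dev/null || return 1
  for n in int:root other:root server:int; do   # subject:issuer
    openssl x509 -req -in "$d/${n%:*}.csr" -CA "$d/${n#*:}.pem" -CAkey "$d/${n#*:}.key" \
      -set_serial 1 -days 1 -extfile "$d/x.cnf" -extensions sub \
      -out "$d/${n%:*}.pem" 2>/dev/null || return 1
  done
}

# With file arguments, check them; with none, only the functions are defined.
[ "$#" -eq 0 ] || check_chain "$@"
```

A `MISMATCH` line identifies the exact link where the presented chain breaks, for example when the wrong intermediate was imported.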
ISE certificate chain is correct but Endpoint rejects ISE’s Server Certificate during authentication.
If ISE is presenting its full certificate chain during the SSL handshake and the supplicant is still rejecting the certificate chain, the next step is to verify that the
Root and/or Intermediate certificates are in the client's local trust store.
To verify this from a Windows device, open mmc.exe and go to File > Add/Remove Snap-in. From the “Available snap-ins” column select Certificates > Add, select either
“My user account” or “Computer account” depending on the authentication type in use (User or Machine), then click OK.
Under the console view, select “Trusted Root Certification Authorities” and “Intermediate Certification Authorities” to verify the presence of the Root and
Intermediate certificates in the local trust store.
An easy way to verify that this is a Server Identity Check issue is to uncheck “Validate Server Certificate” under the supplicant profile configuration and test it
again.
Note: ISE currently does not support processing certificates using RSASSA-PSS as signature algorithm. This includes server certificate, Root, Intermediate