01-12-2024 09:45 AM
I have successfully enabled PIV authentication for CLI via ISE. However, web does not work; it gives me an openresty error after entering my PIN. Background: I am with DOI and obtained a certificate for the WLC from the DOI CA. Our PIV cards are provided by ENTRUST. I use the Entrust trust point for CLI.
This allows me to use CLI PIV -
crypto pki trustpoint ENTRUST_MG_SVC_SSP_CA
 enrollment terminal
 authorization username alt-subjectname userprinciplename
 revocation-check none
crypto pki authenticate ENTRUST_MG_SVC_SSP_CA
Insert Certificate HERE
ip ssh server certificate profile
 user
  trustpoint verify ENTRUST_MG_SVC_SSP_CA
ip http secure-trustpoint (WLC trustpoint)
ip http secure-client-auth
ip http secure-peer-verify-trustpoint (WLC Trustpoint) - I've tried using ENTRUST_MG_SVC_SSP_CA as well.
ip http secure-piv-based-auth secure-piv-based-author-only
TAC has been working on this for a few months with no resolution yet. Any suggestions? I've tried 17.3, 17.4, 17.12.1, 17.12.2 with no changes.
04-26-2024 10:28 AM
Yeah, login isn't making it to ISE for me either. I've debugged ip http, aaa authen, show logging process nginx internal start last 60, etc. It seems to be some kind of nginx error. I also got DOI to give me a soft token to see if that made a difference vs. my PIV card. No change.
04-26-2024 10:28 AM
Currently running 17.12.3