E66 EAP-TLS error

Hi, I have configured an E66 with WPA2 EAP-TLS against IAS and I always obtain the same error in the IAS event viewer.
denied access
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
Has anybody tried E66 with EAP-TLS?
Any experiences?

Yes, this is my setup
- hidden network
- infrastructure
- security: WPA/WPA2
- EAP
- Plug-ins: EAP-TLS. I select the user certificate and the CA certificate. User name from the certificate, domain from the certificate
- WPA2 only mode
In the IAS log, the username is correct, but this strange error always appears. The certificates and infrastructure I use work well on a notebook.
Thanks

Similar Messages

  • Nokia E66 EAP-TLS error

    Hi, I am configuring a Nokia E66 (which is v4 in Cisco Compatible Extensions, so it supports EAP-TLS) with WPA2 EAP-TLS against IAS in a Cisco Wireless Network and I always obtain the same error in the IAS event viewer.
    denied access
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 16
    Reason = Authentication was not successful because an unknown user name or incorrect password was used.
    Has anybody tried E66 with EAP-TLS?
    Any experiences?

    Yes, this is my setup
    - hidden network
    - infrastructure
    - security: WPA/WPA2
    - EAP
    - Plug-ins: EAP-TLS. I select the user certificate and the CA certificate. User name from the certificate, domain from the certificate
    - WPA2 only mode
    In the IAS log, the username is correct, but this strange error always appears. The certificates and infrastructure I use work well on a notebook.
    Thanks

  • EAP-TLS Error

    Hello.
    I cannot get EAP-TLS auth to work on a Windows 7 wired setup. I've tested EAP-PEAP on wireless and wired - works fine. Also EAP-TLS for wireless works great. Clients are on the same domain as RADIUS (which is Cisco ISE), we've deployed CA services on that same domain too and are distributing certificates to clients via GPOs. Authenticators (switchports) are configured correctly, certificates work on the EAP-TLS wireless setup, everything seems to be OK, but the wired connection still cannot auth and EAP times out.
    Here is the error:
    Logged At: May 14,2013 11:52:12.159 AM
    RADIUS Status: No response received during 120 seconds on last EAP message sent to the client : 5411 No response received during 120 seconds on last EAP message sent to the client

    Have you confirmed that the Supplicant is configured properly for EAP-TLS authentication? I have done this type of deployment many times and haven't had this issue. 
    Thank you for rating helpful posts! 

  • EAP-TLS error .........failed SSL/TLS handshake because of an unknown CA in client certificate chain

    Hi,
    I am using 802.1x and EAP-TLS as the authentication protocol. The clients are not able to pass the authentication; the error log on ACS is:
    Authentication failed: EAP-TLS handshake failed SSL/TLS handshake because of an unknown CA in the client certification chain.
    I have installed certificates on the WLC and ACS, however authentication is unsuccessful.
    Can anybody help regarding this issue?

    Hi Sandeep,
    Web auth certificate is the default certificate in WLC, but you can also use your own (3rd party).
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.html
    Virtual interface: This interface handles any mobility management, VPN termination, Web authentication, and is also a DHCP relay for WLAN clients.
    Yes, it's interconnected; the purpose of this entry is so that the controller knows the name of the certificates to virtual address translation.
    1. Guest client goes to google.com
    2. Client goes to DNS (the one it is assigned in DHCP)
    3. DNS resolves the DNS for google.com
    4. Client then attempts to go to google.com
    5. Controller intercepts GET and replaces it with a 1.1.1.1
    6. Controller then takes the 1.1.1.1 and translates this to the DNS name to negate the (accept this cert screen)
    7. DNS then gets resolved to the name (example guest.xxx.com)
    8. Controller presents the guest screen
    Hope it helps.
    Regards
    Don't forget to rate helpful posts

  • Meaning of EAP-TLS errors in ACS

    Hi Guys,
    I'm trying to get a device authenticated to my wireless network using certificates. I get the generic error in ACS (4.2.0.124):
    EAP-TLS or PEAP authentication failed during SSL handshake
    Looking in the Auth log I get:
    AUTH 12/09/2013 15:56:40 E 2255 3096 0x8b7ea5 EAP: EAP-TLS: ProcessResponse: SSL send alert fatal:handshake failure
    AUTH 12/09/2013 15:56:40 E 2258 3096 0x8b7ea5 EAP: EAP-TLS: ProcessResponse: SSL ext error reason: c7 (Ext error code = 0)
    AUTH 12/09/2013 15:56:40 E 2297 3096 0x8b7ea5 EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2120
    AUTH 12/09/2013 15:56:42 E 3159 297052 0x0 AuthenReaper thread : Session Timed out since challenge not provided, freeing it
    Can anyone help me with the reason codes or point me in the right direction?
    Thanks,
    John.

    Hi John,
    This is mostly due to improper certificate installed on either the server or on the client machine.
    Considering the issue with only one client I guess the server is clean.
    Can you verify if proper root certificate, intermediate certificate and the id certificates are installed on client?
    You can also regenerate a new machine ID cert for the client and give a try.
    Thanks.

  • EAP-TLS error message on ACS server

    Receiving this message when client attempts authentication... Any idea or pointers on troubleshooting this?
    "EAP-TLS authentication failed during handshake"

    Turn on debugging at the AccessPoint (:eap_diag1_on at 350-Series) or at the ACS (csradius -d -p -z) to get more information
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00800afec1.shtml
    Verify Certificates and CA at the client and the ACS
    http://www.cisco.com/en/US/products/hw/wireless/ps458/products_white_paper09186a008009256b.shtml

  • [Cisco ACS 5.2] Windows XP - EAP-TLS error

    Hi,
    We used RADIATOR with Cisco WLC and Cisco AP in our WiFi architecture.
    We just replaced RADIATOR with Cisco ACS 5.2 .
    Few computers with Windows XP SP3 have this error : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    Description:
    While trying to negotiate a TLS handshake with the client, ACS expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ACS and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ACS server certificate for some reason. ACS treated the unexpected message as a sign that the client rejected the tunnel establishment.
    Resolution Steps :
    Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ACS server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ACS server certificate. It is strongly recommended to not disable the server certificate validation on the client!
    Most of the computers (hundreds of Windows XP and Windows 7) have no problem.
    ACS says "it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message".
    If it was a known issue, we would have this error on other computers, but we don't (fortunately).
    Wireless profile is sent to computers using GPO so they trust the ACS server certificate...
    Do you know how to correct this issue on the XP supplicant? I don't find this issue on Google.
    Thanks for your help,
    Patrick

    Patrick,
    One way to troubleshoot is to physically have one of the laptops and see if unchecking the box that validates the server certificate fixes the issue. I have seen the same issue as you are seeing before and I would like for you to verify that.
    If that doesn't fix the issue then we will have to proceed to taking a Wireshark capture of the client and running a few debugs on the ACS.
    Thanks,
    Tarik Admani

  • ISE 1.2 / WLC 5508 EAP-TLS expired certificate error, but wireless still working

    Hi, I have a customer that we've deployed ISE 1.2 and WLC 5508s at. Customer is using EAP-TLS with and everything appears to be set up properly. Users are able to log in to the network and authenticate; however, frequently, I'm getting the following error in the ISE authentication logs:
    12516 EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain
    OpenSSL messages are:
    SSL alert: code=0x22D=557 ; source=local ; type=fatal ; message="X509 certificate expired"
    4 727850450.3616:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720
    I'm not sure if this is cosmetic or if this is something that I should be tracking down.  System isn't in full production yet, but every client seems to be working and there is no expired cert in the chain.  Any ideas what to check?

    Hello Dino,
      thanks very much for your reply.
      The client uses a machine-certificate, the PKI is not a microsoft one, but a third party PKI.   The certificate is fresh and valid, the root-cert is installed and checked to be validated against it for the login.
    Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
    EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
    I suspect the cert-setup itself, but don't get a clue where this might stuck...
    Björn

  • ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake after a client alert

    Hello,
    Has anyone come across this error code before?  I have looked in the 1.1.1 troubleshooting section and there is nothing there. When I click on the link for the description of the error in ISE I get the following error:
    I set up 7925 phones for EAP-TLS using MIC.  I have uploaded Cisco's Root CA and Manufacturing CA Certificates and enabled "Trust for client authentication".  A Certificate Profile is configured matching Common Name and is added to the Identity Sequence.    I got some additional attribute information, where there is an error message:
    OpenSSLErrorMessage=SSL alert code=0x233=563 ; source=remote ; type=fatal ; message="decrypt error"
    Anyone know what this error means?

    Yes,
    That could be it. See if you can follow this guide on importing the ISE self-signed cert (I used a 7921 guide but it should be similar):
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/7_0/english/administration/guide/7921cfgu.html#wp1376129
    Installing the Authentication Server Root Certificate
    The Authentication Server Root Certificate must be installed on the Cisco Unified Wireless IP Phone 7921G.
    To install the certificate, follow these steps:
    Step 1 Export the Authentication Server Root Certificate from the ACS. See Exporting Certificates from the ACS.
    Step 2 Go to the phone web page and choose Certificates.
    Step 3 Click Import next to the Authentication Server Root certificate.
    Step 4 Restart the phone.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • EAP-TLS or PEAP authentication failed during SSL handshake error

    I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
    The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
    Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
    Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
    Thanks for the help

    My experience suggests that the problem is the certificate.
    I'm running ACS 3.3.
    I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
    Correctly following the instructions led to a successful connection and no more error message.

  • 802.1X EAP-TLS User Certificate Errors

    I'm trying to implement 802.1x using EAP-TLS to authenticate our wireless users/clients (Windows 7 computers).  I did a fair amount of research on how to implement this solution and everything seems to work fine when authentication mode is set to: Computer Authentication.  However, when authentication mode is set to "User or Computer" or just "User" it fails.  I get a "certificate is required to connect" pop up and it's unable to connect.
    No errors on the NPS side but I enabled logging on the client (netsh ras set tracing * ENABLED) and this is what I can see.  It seems as if there is a problem with the client certificate:
    [236] 06-04 09:26:35:704: EAP-TLS using All-purpose cert
    [236] 06-04 09:26:35:720:  Self Signed Certificates will not be selected.
    [236] 06-04 09:26:35:720: EAP-TLS will accept the  All-purpose cert
    [236] 06-04 09:26:35:720: EapTlsInitialize2: PEAP using All-purpose cert
    [236] 06-04 09:26:35:720: PEAP will accept the  All-purpose cert
    [236] 06-04 09:26:35:720: EapTlsInvokeIdentityUI
    [236] 06-04 09:26:35:720: GetCertInfo flags: 0x40082
    [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
    [236] 06-04 09:26:35:720: DwGetEKUUsage
    [236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
    [236] 06-04 09:26:35:720: FCheckSCardCertAndCanOpenSilentContext
    [236] 06-04 09:26:35:720: DwGetEKUUsage
    [236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
    [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
    [236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
    [236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
    [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
    [236] 06-04 09:26:35:720: DwGetEKUUsage
    [236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
    [236] 06-04 09:26:35:720: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
    Also, in the event viewer I get the following:
    Wireless 802.1x authentication failed.
    Network Adapter: Dell Wireless 1510 Wireless-N WLAN Mini-Card
    Interface GUID: {64191d46-0ea6-4251-86bb-7d6de5701025}
    Local MAC Address: C4:17:FE:48:F2:79
    Network SSID: *****
    BSS Type: Infrastructure
    Peer MAC Address: 00:12:17:01:F7:2F
    Identity: NULL
    User: presentation
    Domain: ****
    Reason: Explicit Eap failure received
    Error: 0x80420014
    EAP Reason: 0x80420100
    EAP Root cause String: Network authentication failed\nThe user certificate required for the network can't be found on this computer.
    I created user and computer certificates by duplicating the "User" and "Computer" templates in AD CS.  I modified the "Subject Name" to "Build from Active Directory information".  "Subject Name Format" is set to "Fully Distinguished Name" and "User Principal Name (UPN)" is checked.  All other boxes are cleared.  I verified that certificates for both user, computer, and root CA are all correctly auto enrolled.  I also verified that the user certificate exists in the "Personal" user certificate store on the client.
    There is clearly something wrong with the user certificate but what? I'm at wits ends as I have tried everything.  Please help!

    Hey,
    I am precisely in the same situation now. I have a Win7 client with Server 2008 R2 (having AD and DNS) with NPS running. I have certificate templates and auto enrollment configured. My Win7 machine is able to authenticate using its certificate but when I use the user certificate it doesn't work. Both user/computer certificates are coming from the AD root CA enterprise. NPS has the right certificate. I have verified on client user/local machine, both have their respective certificates in their personal stores.
    I have tried all possible combinations and even tried changing the key provider, but no use.
    [6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
    [6472] 12-10 13:39:04:327: FCheckSCardCertAndCanOpenSilentContext
    [6472] 12-10 13:39:04:327: DwGetEKUUsage
    [6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
    [6472] 12-10 13:39:04:327: FCheckUsage: All-Purpose: 1
    [6472] 12-10 13:39:04:327: Acquiring Context for Container Name: le-LM-USER-4aa6cf55-b6b7-491e-ad5b-735e44eaf3c7, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
    [6472] 12-10 13:39:04:327: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
    [6472] 12-10 13:39:04:327: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
    [6472] 12-10 13:39:04:327: EAP-TLS using All-purpose cert
    [6472] 12-10 13:39:04:327:  Self Signed Certificates will not be selected.
    [6472] 12-10 13:39:04:327: EAP-TLS will accept the  All-purpose cert
    I have been stuck at it for the last few days with no real cause known as yet!
    Any help will be thoroughly appreciated!!!
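
Added example (not part of either post above): a small Python parser for the EAP-TLS client trace lines quoted in this thread. It pairs each "skipping cert" line with the key container and provider logged just before it and names the error code; the function names and the two-entry error table are this example's own, and the sample lines are copied from the first trace.

```python
import re

# Sample input: lines copied from the first client trace quoted in this thread.
SAMPLE_TRACE = """\
[236] 06-04 09:26:35:720: FCheckSCardCertAndCanOpenSilentContext
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
[236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
[236] 06-04 09:26:35:720: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
"""

# Error codes from winerror.h seen when a certificate's private key cannot be opened.
NTE_NAMES = {0x80090014: "NTE_BAD_PROV_TYPE", 0x80090016: "NTE_BAD_KEYSET"}

LINE = re.compile(r"^\[(\d+)\] (\d\d-\d\d \d\d:\d\d:\d\d:\d{3}):\s*(.*)$")
ACQUIRE = re.compile(r"Acquiring Context for Container Name: ([^,]+), "
                     r"ProvName: ([^,]+), ProvType (0x[0-9a-fA-F]+)")
SKIP = re.compile(r"(.*?)\s*skipping cert\.\s*Err: (0x[0-9a-fA-F]+)")
NO_CERT = re.compile(r"No Certs were found in the Certificate Store\.\s*"
                     r"\(A cert was needed for the following purpose: (\w+)\)")
EKUS = re.compile(r"Number of EKUs on the cert are (\d+)")


def analyse_trace(text):
    """Return the certificates the supplicant skipped and the purpose left unmet."""
    report = {"skipped": [], "missing_purpose": None}
    candidate = None   # key container the supplicant is currently trying to open
    ekus = None        # EKU count most recently logged for the candidate cert
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if line is None:
            continue                      # not a trace line (blank, wrapped, etc.)
        stamp, msg = line.group(2), line.group(3)
        m = EKUS.search(msg)
        if m:
            ekus = int(m.group(1))
            continue
        m = ACQUIRE.search(msg)
        if m:
            prov_type = int(m.group(3), 16)
            provider = m.group(2).strip()
            candidate = {
                "container": m.group(1).strip(),
                "provider": provider,
                "prov_type": prov_type,
                # ProvType 0 with a "Key Storage Provider" name marks a CNG key,
                # not a legacy CryptoAPI CSP key.
                "cng_ksp": prov_type == 0 and "Key Storage Provider" in provider,
                "ekus": ekus,
            }
            continue
        m = SKIP.search(msg)
        if m:
            error = int(m.group(2), 16)
            entry = dict(candidate or {"container": None, "provider": None,
                                       "prov_type": None, "cng_ksp": False,
                                       "ekus": ekus})
            entry.update(time=stamp, error=error,
                         error_name=NTE_NAMES.get(error, "unknown"),
                         reason=m.group(1).strip())
            report["skipped"].append(entry)
            candidate = None
            continue
        m = NO_CERT.search(msg)
        if m:
            report["missing_purpose"] = m.group(1)
    return report


def summarise(report):
    """Render the report as short lines suitable for a ticket or case note."""
    lines = []
    if report["missing_purpose"]:
        lines.append("no usable certificate for purpose %s (%d candidate(s) skipped)"
                     % (report["missing_purpose"], len(report["skipped"])))
    for s in report["skipped"]:
        kind = "CNG key storage provider" if s["cng_ksp"] else "CSP"
        lines.append("%s skipped %s via %s [%s]: %s 0x%08X, %s"
                     % (s["time"], s["container"], s["provider"], kind,
                        s["error_name"], s["error"], s["reason"]))
    return lines


if __name__ == "__main__":
    for out in summarise(analyse_trace(SAMPLE_TRACE)):
        print(out)
```
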

  • ISE 1.2 EAP-TLS handshake to external RADIUS

    Hi everyone!
    I'm trying to implement ISE to authenticate a wireless network using a Cisco WLC 5508. I have an ISE virtual appliance version 1.2 and a WLC 5508 version 7.6 with several 3602e Access Points (20 approximately).
    Right now they are authenticating with a RADIUS Server (which I don't manage, it's out of my scope), the WLC uses this RADIUS Server to authenticate using 802.1x and EAP-TLS (which means the clients need to have a valid certificate and be in the RADIUS database which is integrated to the Active Directory), I can't touch the CA either. So now I need to authenticate using Cisco ISE instead of the RADIUS Server (at least directly), the problem is that for "security" reasons or whatever they don't let me integrate the ISE to the CA, so I added the RADIUS server as an external identity source and made my authentication Policy rule pointing at it, like this:
    If: Wireless_802.1X          Allow Protocols: Default Network Access          Use: RADIUS
    Then I added ISE as a RADIUS Server on my WLC and made a Test SSID 802.1X pointing to ISE to authenticate and all that, I did some tests and I got this error:
    12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
    Which means the clients are trying to do the EAP-TLS process to validate the certificate with the Cisco ISE (but ISE does not have the certificate because they won't let me integrate to the CA directly) so it fails. Is there any way I can do something to redirect that EAP-TLS handshake to the external RADIUS Server? Making ISE kind of like a connecting point only for the authentication. I realize it's not the best scenario but given the circumstances it's the best I can do for now; later on I will add the AD to ISE and start creating some authorization policies based on that, but right now I just want them to authenticate.
    Any help is appreciated, thanks in advance!

  • Wireless ISE - 12508 EAP-TLS handshake failed

    Hi guys,
    I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication.  In short, all EAP-TLS authentication is failing with the following error.  Below that is the relevant excerpt from the logs:
    Authentication failed : 12508 EAP-TLS handshake failed
    OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown  message digest algorithm:a_verify.c:146:,
    Setup:
    - Single standalone ISE 3355 appliance
    - Two tier MS enterprise PKI (outside of my direct control)
    - WLC 5508
    - Windows 7 laptop
    - The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
    - The test laptop has both the root and intermediate CA server certificates installed  (individually, not chained) and has an identity certificate from the  intermediate CA.
    Now, I'm pretty new to certs so I'm sure I'm missing something simple here.  One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that.  Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
    This is what TAC came back with, but none of the workarounds helped
    Symptom:
    ========
    EAP-TLS auth handshake  failing with X509 decrypt error. The error presented to the ISE  administrator is "12508: EAP-TLS handshake failed"
    Conditions:
    =========
    EAP-TLS certificate based authentications ISE 1.1.2.145
    Workaround:
    ===========
    1) Reboot or restart ISE  application service 2) Recreate CAP (Certificate Authentication Profile)  3) Toggle between ID sequence and single ID source

    Hi Amjad,
    Thanks for the response.  I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
    Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year).  On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
    The certificate format has not been modified in any way.  The server and identity certs have been pushed out to the clients via GPO. The root and intermediate certs were exported in DER format directly from each of the respective CAs and imported directly into the ISE.
    Cheers,
    Owen
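
Added example (not part of any post above): the ISE threads on this page (12516, 12521, 12508) all quote an `SSL alert: code=0x...` line, and this Python sketch decodes it into TLS alert level, description and sender. The split of the code into a level byte and a description byte is inferred from the values quoted on this page (0x233 with "decrypt error", 0x22D with "certificate expired") and matches how OpenSSL packs alerts for its info callback; reading `source=local` as "raised by the RADIUS server" is an assumption of this example, and the function names are its own.

```python
import re

# TLS alert levels and descriptions, RFC 5246 section 7.2.
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}

# Assumption: "local" is the side writing the log (the RADIUS server),
# "remote" is the supplicant.
SENDER = {"local": "server", "remote": "supplicant"}

# Field separators appear on this page as ";" and as an escaped "\;".
ALERT_RE = re.compile(
    r'code=0x(?P<hex>[0-9A-Fa-f]+)=(?P<dec>\d+)\s*\\?[;:]\s*'
    r'source=(?P<source>\w+)\s*\\?[;:]\s*'
    r'type=(?P<type>\w+)\s*\\?[;:]\s*'
    r'message="(?P<message>[^"]*)"'
)

# Sample input: alert lines taken from the posts on this page
# (the 12516 line with its OCR damage normalised).
SAMPLES = [
    r'OpenSSLErrorMessage=SSL alert code=0x233=563 ; source=remote ; type=fatal ; message="decrypt error"',
    r'OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure"',
    r'SSL alert: code=0x22D=557 ; source=local ; type=fatal ; message="X509 certificate expired"',
]


def decode_alert(line):
    """Decode one log line; return None when it carries no alert field."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    code = int(m.group("hex"), 16)
    if code != int(m.group("dec")):
        raise ValueError("hex and decimal forms of the alert code disagree")
    level = ALERT_LEVEL.get(code >> 8, "unknown")          # high byte
    description = ALERT_DESC.get(code & 0xFF, "unknown")   # low byte
    return {
        "code": code,
        "level": level,
        "description": description,
        "sender": SENDER.get(m.group("source"), "unknown"),
        "message": m.group("message"),
        # The logged "type" should repeat the level decoded from the code.
        "consistent": m.group("type") == level,
    }


def triage(alert):
    """Say which side's credentials the alert points at."""
    if alert["sender"] == "server":
        side = "the server rejected what the supplicant presented"
        check = ("client certificate chain (validity dates, signature algorithm) "
                 "and the CA certificates trusted on the server")
    elif alert["sender"] == "supplicant":
        side = "the supplicant rejected what the server presented"
        check = "server certificate and the CA certificates trusted on the supplicant"
    else:
        side = "sender not identified"
        check = "certificates on both sides"
    return "%s %s from %s: %s; check the %s" % (
        alert["level"], alert["description"], alert["sender"], side, check)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(decode_alert(sample)))
```
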

  • Trying to implement EAP/TLS using java (as part of RADIUS server)

    Hi
    This is a cross post since I didn't know which forum to post in!
    I'm trying to implement a RADIUS server (EAP/TLS) as part of my master thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an access point that uses 802.1x. I have created certificates using openssl and imported the "cert-clt.pl2" and "root.pem" to a laptop trying to connect to the access point. On the server side I imported the "cacert.pem" and "cert-srv.der" using keytool to a keystore. In my code I read the keystore and create the SSLEngine with the following code:
        // Keystore holding the server's own key material
        KeyStore ksKeys = KeyStore.getInstance("JKS");
        ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ksKeys, passphrase);
        // Keystore intended for trust anchors; as posted, tmf is initialised
        // from ksKeys below and ksTrust is loaded but never used
        KeyStore ksTrust = KeyStore.getInstance("JKS");
        ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ksKeys);
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        sslEngine = sslContext.createSSLEngine();
        sslEngine.setUseClientMode(false);
        sslEngine.setNeedClientAuth(true);
        // setWantClientAuth overrides the setNeedClientAuth call above
        sslEngine.setWantClientAuth(true);
        sslEngine.setEnableSessionCreation(true);
        appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
        appBuffer.clear();
        netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
        netBuffer.clear();
    All I want to do with TLS is a handshake.
    I'm not talking SSL using sockets; instead I receive and send all TLS data encapsulated in EAP packets that are encapsulated in RADIUS packets. I start off with sending TLS-Start, upon which I receive TLS data. I handle it with the following code:
        SSLEngineResult result = null;
        SSLEngineResult.HandshakeStatus hsStatus = null;
        if( internalState != EAPTLSState.Handshaking ) {
            if( internalState == EAPTLSState.None ) {
                // First response: carries the peer identity, no TLS data yet
                TLSPacket tlsPacket = new TLSPacket( packet.getData() );
                peerIdentity = tlsPacket.getData();
                internalState = EAPTLSState.Starting;
                try {
                    sslEngine.beginHandshake();
                } catch (SSLException e) {
                    e.printStackTrace();
                }
                return;
            }
            else if(internalState == EAPTLSState.Starting ) {
                internalState = EAPTLSState.Handshaking;
                try {
                    sslEngine.beginHandshake();
                } catch (SSLException e) {
                    e.printStackTrace();
                }
            }
        }
        // Feed the TLS bytes carried in the EAP packet to the engine
        TLSPacket tlsPacket = new TLSPacket( packet.getData() );
        netBuffer.put( tlsPacket.getData() );
        netBuffer.flip();
        while(true) {
            hsStatus = sslEngine.getHandshakeStatus();
            if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                Runnable task;
                while((task=sslEngine.getDelegatedTask()) != null) {
                    new Thread(task).start();
                }
            }
            else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
                try {
                    result = sslEngine.unwrap( netBuffer, appBuffer );
                } catch (SSLException e) {
                    e.printStackTrace();
                }
            }
            else {
                return;
            }
        }
    When I try to send data I use the following code:
        SSLEngineResult.HandshakeStatus hsStatus = null;
        SSLEngineResult result = null;
        // netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
        netBuffer.clear();
        while(true) {
            hsStatus = sslEngine.getHandshakeStatus();
            if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                Runnable task;
                while((task=sslEngine.getDelegatedTask()) != null) {
                    new Thread(task).start();
                }
            }
            else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
                try {
                    result = sslEngine.wrap( dummyBuffer, netBuffer );
                } catch (SSLException e) {
                    e.printStackTrace();
                }
            }
            else {
                if( result != null && result.getStatus() == SSLEngineResult.Status.OK ) {
                    // Send at most one MTU of TLS data per EAP request
                    int size = Math.min(result.bytesProduced(),this.MTU);
                    byte [] tlsData = new byte[size];
                    netBuffer.flip();
                    netBuffer.get(tlsData,0,size);
                    TLSPacket tlsPacket = new TLSPacket((byte)0,tlsData);
                    if( size < result.bytesProduced() ) {
                        tlsPacket.setFlag(TLSFlag.MoreFragments);
                    }
                    return new EAPTLSRequestPacket( ID,
                            (short)(tlsPacket.getData().length + 6),
                            stateMachine.getCurrentMethod(), tlsPacket );
                }
                else {
                    return null;
                }
            }
        }
    After I sent TLS-Start I receive data and manage to process it, but when then trying to produce TLS data I get the following error:
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
    at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
    Any help would be greatly appreciated; if you have any questions or anything is unclear, please let me know.
    To add some additional information, here is a debug output.
    Before this I have sent a TLS-Start package, and this is when I receive new information and then try to create the answer:
    [Raw read]: length = 5
    0000: 16 03 01 00 41 ....A
    [Raw read]: length = 65
    0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
    0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
    0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
    0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
    0040: 00 .
    Thread-2, READ: TLSv1 Handshake, length = 65
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 41, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198, 50, 201 }
    Session ID: {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
    Compression Methods: { 0 }
    [read] MD5 and SHA1 hashes: len = 65
    0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
    0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
    0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
    0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
    0040: 00 .
    Thread-5, fatal error: 40: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
    Thread-5, WRITE: TLSv1 Alert, length = 2
    Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
    at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:153)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
    at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
    ... 1 more

    I am developing a simple client/server SSL app using sdk 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?
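Added example, not part of either post: a small Python parser that decodes the 65-byte ClientHello from the debug output above and checks which offered suites a server could select. The function names and the two server configurations are hypothetical; the model assumed is that a suite is selectable only if the server has it enabled and holds a key of the type the suite name requires.

```python
# ClientHello handshake bytes copied from the post's debug output (65 bytes).
CLIENT_HELLO = bytes.fromhex(
    "0100003D030141A4FC16A81489F05981C8C929C209D10A701858DC2EB0C81490"
    "D4FDA4C632C900001600040005000A0009006400620003000600130012006301"
    "00")

# Code point -> name, as printed in the post's "Cipher Suites" line.
NAMES = {
    0x0004: "SSL_RSA_WITH_RC4_128_MD5", 0x0005: "SSL_RSA_WITH_RC4_128_SHA",
    0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA", 0x0009: "SSL_RSA_WITH_DES_CBC_SHA",
    0x0064: "SSL_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x0062: "SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0003: "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0013: "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0012: "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    0x0063: "SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
}

def offered_suites(msg):
    """Parse a ClientHello handshake message; return suite names in offer order."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                          # client_version + 32-byte random
    pos += 1 + body[pos]                  # session_id length byte + session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    codes = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    return [NAMES.get(c, "UNKNOWN_0x%04X" % c) for c in codes]

def server_key_needed(suite):
    """Key type the server must hold: 'RSA', 'DSS', or None (anonymous suite)."""
    kx = suite.split("_WITH_")[0]
    return "DSS" if "_DSS" in kx else "RSA" if "_RSA" in kx else None

def negotiable(offered, server_enabled, server_keys):
    """Suites a server could select: offered, enabled, and backed by a key it holds."""
    return [s for s in offered if s in server_enabled
            and (server_key_needed(s) is None or server_key_needed(s) in server_keys)]

if __name__ == "__main__":
    offer = offered_suites(CLIENT_HELLO)
    # Hypothetical server A: every offered suite enabled, no key material loaded.
    print(negotiable(offer, set(offer), set()))
    # Hypothetical server B: RSA key loaded, one non-export suite enabled.
    print(negotiable(offer, {"SSL_RSA_WITH_3DES_EDE_CBC_SHA"}, {"RSA"}))
```

Every suite in this hello needs an RSA or DSS server key, so the first configuration yields an empty list, which is the condition the server reports as "no cipher suites in common".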

  • ACS 4.0 EAP-TLS Cert not working

    Hey,
    So I generated my certificate signing request, took it to my CA, and got a cert. From "ACS Certification Authority Setup" I installed it onto my ACS appliance, then from "Install ACS Certificate" installed it (it prepopulated the privkey and password, so I assume it got that from the cert file). I then added the CA from the "Edit Certificate Trust List". All this goes off without a hitch.
    However, when I try to add the "Certificate Revocation List" I am unable to add both LDAP:\\\ and http://. I have confirmed that the http:// is working on the CA, and every indication is that the LDAP is working too, but I don't know of the tools to test that with.
    When I go into "System Configuration" -> "Global Authentication Setup" -> "Allow EAP-TLS" I get the following error:
    Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.
    What exactly is not installed about the certificate? It's on the ACS server, it's configured and the date range is correct.
    I've been banging my head against this all day and could use some suggestions. :)

    OK, I now understand it a little better. I needed to install 2 certificates, the first being the Root CA's certificate in the "ACS Certification Authority Setup" section (I mistakenly thought this was simply where I download my generated cert for the next spot).
    The second cert is the one I generated using "Generate Certificate Signing Request"; I then took that to my Root CA, generated a cert and installed that along with the private key under "Install ACS Certificate".
    Thanks for pointing me in the right direction, since the error I was getting wasn't helpful to me.
