802.1x computer-based network authentication (machine certificate)

Hello,
I am using my MBP for work and want to connect to my work's network.
We are using 802.1x network authentication, based on a computer certificate. I joined my computer to our Microsoft Active Directory and created a computer certificate, which I imported successfully into the "System" store.
The only "Error description" is that my MBP tries to authenticate as "User".
How do I configure my network settings to use "computer-based authentication" and the computer certificate?
Regards,
Ben

Thanks, but in my case there is no administrator who sends me that configuration profile. I have to create a configuration profile for myself.
I could create a configuration profile for my client and basically it uses a computer certificate to authenticate with the network. But finally the process is cancelled by the client. I tried the steps at OS X Server: How To Configure RADIUS Server Trust in Configuration Profiles when using TLS, TTLS, or PEAP - Apple Suppor… but finally the authentication was cancelled by the client, with error "... server certificate not trusted".
What should the computer certificate look like?
Is there a manual for the CA template?
Regards,
Ben
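One way to put such a profile together, as an added example (not from this thread, and not Apple's own tooling): the Python script below builds the three payloads the supplicant needs (issuing CA of the RADIUS server, machine identity as PKCS#12, and the network payload), links them by UUID with plistlib, and then lints the result for the two things that produce the symptoms above: no System setup mode (the Mac authenticates as the user) and an anchor or server name that does not resolve (the server certificate is not trusted). The payload keys follow Apple's Configuration Profile Reference as I know it and should be checked against the current reference before deploying; the certificate bytes, SSID, server name and org identifier passed in are placeholders.

```python
"""Build and lint a macOS .mobileconfig for 802.1X EAP-TLS in System mode.
Added example, not from the thread or from Apple.  Payload keys follow Apple's
Configuration Profile Reference as I know it; verify them against the current
reference before deploying.  All certificate bytes, names and IDs are placeholders."""
import plistlib
import uuid

EAP_TLS = 13  # AcceptEAPTypes value for EAP-TLS (21 = TTLS, 25 = PEAP)


def _new_uuid():
    return str(uuid.uuid4()).upper()


def build_profile(ca_der, identity_p12, p12_password, trusted_server_names,
                  ssid=None, org_id="com.example"):
    """ca_der: DER of the CA that issued the RADIUS server certificate;
    identity_p12: PKCS#12 with machine certificate + key; trusted_server_names:
    CNs the RADIUS server certificate may present; ssid None = wired payload."""
    ca_uuid, id_uuid, net_uuid = _new_uuid(), _new_uuid(), _new_uuid()
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.radius-ca.{ca_uuid}",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS issuing CA",
        "PayloadContent": ca_der,
    }
    identity_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.machine-identity.{id_uuid}",
        "PayloadUUID": id_uuid,
        "PayloadDisplayName": "Machine certificate",
        "PayloadContent": identity_p12,
        "Password": p12_password,
    }
    network_payload = {
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.dot1x.{net_uuid}",
        "PayloadUUID": net_uuid,
        "PayloadDisplayName": "802.1X machine authentication",
        "AutoJoin": True,
        # System mode: the machine identity is used at boot / login window.
        # Leave it out and the supplicant authenticates as the logged-in user.
        "SetupModes": ["System"],
        "PayloadCertificateUUID": id_uuid,  # identity to present to the server
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_TLS],
            # Server trust needs BOTH the anchoring CA and the expected name;
            # missing either gives "server certificate not trusted".
            "PayloadCertificateAnchorUUID": [ca_uuid],
            "TLSTrustedServerNames": list(trusted_server_names),
            "TLSAllowTrustExceptions": False,  # no click-through trust prompt
        },
    }
    if ssid is None:
        network_payload["PayloadType"] = "com.apple.firstactiveethernet.managed"
    else:
        network_payload.update({"PayloadType": "com.apple.wifi.managed",
                                "SSID_STR": ssid, "EncryptionType": "WPA2"})
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.dot1x-machine",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": "802.1X machine authentication",
        "PayloadScope": "System",  # installs system-wide, needs root
        "PayloadContent": [ca_payload, identity_payload, network_payload],
    }


def lint_profile(profile):
    """Problems that reproduce the two symptoms from the thread (list of str)."""
    problems = []
    by_uuid = {pl["PayloadUUID"] for pl in profile["PayloadContent"]}
    for pl in profile["PayloadContent"]:
        eap = pl.get("EAPClientConfiguration")
        if eap is None:
            continue
        if "System" not in pl.get("SetupModes", []):
            problems.append("no System setup mode: supplicant authenticates as the user, not the machine")
        if pl.get("PayloadCertificateUUID") not in by_uuid:
            problems.append("PayloadCertificateUUID does not name an identity payload in this profile")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            problems.append("no PayloadCertificateAnchorUUID: RADIUS server certificate will not be trusted")
        problems += [f"anchor {a} does not match any certificate payload in this profile"
                     for a in anchors if a not in by_uuid]
        if not eap.get("TLSTrustedServerNames"):
            problems.append("TLSTrustedServerNames is empty: server certificate name cannot be matched")
    return problems


def to_mobileconfig(profile):
    """XML plist bytes, ready for `profiles` to install."""
    return plistlib.dumps(profile)
```

Write `to_mobileconfig(build_profile(...))` to a file and install it with the `profiles` command as root (the scope is System). Run `lint_profile` first: an anchor UUID that points at nothing, or an empty TLSTrustedServerNames, is exactly what the supplicant later reports as an untrusted server certificate, and it is much quicker to catch here than from the client-side cancellation.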

Similar Messages

  • Considerations for 802.1x Port Based and Wi-Fi Certificate Authentication

    Lately, we have been going back and forth with the thought of doing certificate authentication for Wi-Fi and Port. We have Server 2012 PKI and CA and it seems fairly straightforward to pump out a certificate to a user and have them authenticate with their certificate to a RADIUS/NPS. However, every time I mention our thoughts to consultants or others they seem to cringe, saying that they've seen this deployment cripple networks.
    We have almost 50 branch retail locations (with hub-spoke topology - all have VPN tunnels to corporate and also a disaster recovery location) and their internet isn't always super stable, and they absolutely need to have network access at all times because they are running Point Of Sale. Right now, if their internet fails, they can remain functional because we have the necessary pieces at all locations to keep a Windows network going, but I'm afraid that if we force 802.1x certificate authentication for the switch ports and Wi-Fi, then if their internet goes down they won't be able to authenticate since the authentication server will be at corporate. I am curious as to how people deal with:
    1. Fail over to a disaster recovery authentication server if the corporate connection goes down
    and:
    2. If internet fails locally and they can no longer communicate with any authentication server. Is there some sort of scale-out? It seems complicated since (if I'm not mistaken) it needs access to the CRL to validate certificates and also a Network Policy Server for the authentication and so on.
    What we're really trying to accomplish is to prevent people from bringing in a laptop or device with an Ethernet port, removing an existing device and plugging into the port in its place. MAC filtering doesn't seem like a good solution on a large scale, nor a super secure option, so 802.1x certificate authentication seemed to be the most flexible without having to go full NAP/NAC. Anyhow, sorry for the lengthy post and I really appreciate your time in advance!

    Re-authentication could be triggered by the NPS, the switch / AP or the client:
    NPS: There are a bunch of attributes to be configured in the Network Policy that determine the time a machine can remain connected, such as Idle Timeout and Session Timeout. (When WEP was still common the session timeout had been used to enforce a change of the insecure key.) Otherwise, the machine should remain connected as far as NPS is concerned.
    Switch / AP: Depends on the configuration, e.g. re-authentication has to be triggered if the link went down. If a user unplugs a cable or accidentally disables WLAN on his machine while the internet link is down, he will not be able to reconnect.
    Then I have seen some options similar to the NPS options, and switches could have their own session timeouts or be configured to respect the RADIUS server's setting.
    Client: The term "re-authentication" is also used for what happens if you have to / want to use both machine and user authentication: when the machine starts up, the machine account is authenticated; when the user logs on, the user is authenticated; when the user logs off, the machine is authenticated again. Per GPO you configure the machines for this kind of re-authentication (the default) or use machine-only or user-only authentication instead.
    It might be a challenge to manage and test these settings if you have to support many different APs / switches and different WLAN devices.
    I would recommend carefully testing it with a pilot group of users.
    Would you have any chance to turn off 802.1x on the switches / APs in case of a major outage? I guess not, as you would be able to manage them remotely?

  • WPA2 Enterprise Authentication Without Certificate

    Dear All,
    I have a Wifi network with WPA2 and Digital Certificate and EAP (Protected EAP) authentication / RADIUS server Microsoft ISA.
    I have tried with the latest Wifi PC driver to connect to the network, and I see that the PC connects using only the username and password, without configuring the certificate on the client!
    After some Googling I found that I should use per-user certificates plus EAP-TLS to solve the problem. Is it true?
    Best Regards,
    Igor.

    Hi ifabrizio
    Might be a bit concerning that you are able to connect to the network using only user name and password!
    EAP-TLS or PEAP solutions should be configured to leverage digital certificates for hardware trust identity.
    Use "Authenticate as computer when computer information is available" to enable "Machine Authentication", AKA "Computer Authentication". Machine Authentication allows your PC to connect to the network by authenticating as "Computer" before a legitimate user logs in. This allows a machine to obtain group policies just like it was connected to a wired network and this is a unique feature of the Windows Client.
    If you don't have "Machine Authentication", your Group Policy will not function and non-cached users cannot log on to your machine even if they are given the proper permissions at the Domain level. "Machine Authentication" is needed to recreate the full "Wired" experience. In order for "Machine Authentication" to work, PEAP only requires that a computer is joined to the domain. The computer will use its "Computer Password" to log on to the network. Note that for EAP-TLS or PEAP-EAP-TLS (stronger alternatives to PEAP) to work the computer must have a "Machine Certificate" installed from the Enterprise Root CA.
    Hope this helps.
    Jay

  • Machine authentication using certificates

    Hi,
    I am facing this error while the machine authenticates against AD for wireless users. My requirement is that users with corporate laptops get a privileged VLAN and BYOD should get the normal VLAN. I am using Cisco ISE 1.1.1 and configured authentication policies to differentiate clients based on corp asset and BYOD. The authentication policy result is an identity sequence which uses a certificate profile and AD. All corp laptops should be authenticated using certificates and then followed by AD user and pass. When I configure XP users to validate the server certificate this error comes in the ISE log "Authentication failed : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client" and if I disable validate server certificate then this error "Authentication failed : 22049 Binary comparison of certificates failed".
    Any help??
    Thanks in advance.

    Hi [answers are inline]
    I have tried using Cisco AnyConnect NAM on Windows XP for machine and user authentication but the EAP-chaining feature is not working as expected. I am facing a few challenges. I have configured NAM to use EAP-FAST for machine and user authentication and ISE is configured with the required authorisation rule and profiles/results. When the machine boots up it sends the machine certificate and gets authenticated against AD and ISE matches the authorisation rule and assigns the authZ profile without waiting for user credentials.
    This is expected for machine authentication; since the client hasn't logged in, machine authentication will succeed so the computer has connectivity to the domain.
    Now when a user logs on using AD user/pass, authentication fails as the VLAN assigned in the AuthZ profile does not have access to AD. ISE should actually check with their external database but it's not.
    Do you see the authentication report in ISE? Keep in mind that you are authenticating with a client that has never logged into the workstation before. I am sure you are looking for the feature which starts the NAM process before the user logs in. Try checking this option here:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1074333
    Note the section below:
    Before User Logon: Connect to the network before the user logs on. The user logon types that are supported include user account (Kerberos) authentication, loading of user GPOs, and GPO-based logon script execution.
    If you choose Before User Logon, you also get to set Time to Wait Before Allowing a User to Logon:
    Time to Wait Before Allowing User to Logon: Specifies the maximum (worst case) number of seconds to wait for the Network Access Manager to make a complete network connection. If a network connection cannot be established within this time, the Windows logon process continues with user log on. The default is 5 seconds.
    Note: If the Network Access Manager is configured to manage wireless connections, set Time to wait before allowing user to logon to 30 seconds or more because of the additional time it may take to establish a wireless connection. You must also account for the time required to obtain an IP address via DHCP. If two or more network profiles are configured, you may want to increase the value to cover two or more connection attempts.
    You will have to enable this setting to allow the supplicant to connect to the network using the credentials you provide; the reason for this is you are trying to authenticate a user that has never logged into this workstation before. Please make changes to the configuration.xml file, and then select the repair option on the AnyConnect client and test again.
    Interestingly, if I log in with an AD user which is local to the machine it gets authenticated and gets the correct AuthZ profile/access level. If I log off and log in with a different user, the Windows adapter gets an IP address and ISE shows successful authentication/authz profile but the NAM agent prompts limited connectivity. Any help??
    Please make the changes above and see if the error message goes away.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • 802.1x Wireless - Enforce user AND machine authentication

    I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
    The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
    I'd rather not have to deploy user and machine certificates.
    All I want to do is allow access to the wireless network only if the device and the user are in AD.
    It's such a simple scenario that I must be missing something.
    Any suggestions are welcome. Thanks in advance for your comments.
    Lucas

    In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as the RADIUS backend; the last time I looked in the ACS release notes was 5.4, and it didn't have EAP-chaining support.
    Using the built-in Windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed). What most people miss when they say this will work fine with the Windows supplicant and ACS is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine; this is mainly due to the shortcomings of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

  • Machine authentication by certificate and windows domain checking

    Hi,
    We intend to deploy machine's certificate authentication for wifi users.
    We want to check certificate validity of the machine, and also that the machine is included on the windows domain.
    We intend to use EAP-TLS :
    - One CA server.
    - each machine (laptop) retrieves its own certificate from GPO or SMS
    - the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)
    - ACS version is the appliance one
    - one ACS remote agent installed on the A.D.
    - when a user intends to log on the wifi network :
    - the server (ACS appliance) sends its certificate to the client. This client checks the certificate thanks to the CA server certificate it already trusts; result: the client also trusts the ACS's certificate signed by the CA server.
    - the client sends its certificate to the server (ACS appliance). This ACS checks the certificate thanks to the CA server certificate it already trusts; result: the ACS also trusts the client's certificate signed by the CA server, but the ACS also checks that this certificate isn't revoked (the ACS checks this thanks to the CA server CRL, the certificate revocation list).
    Am I right about these previous points ?
    And then my question is : is it possible to check that the machine is also included in the windows domain ?
    That is, is it possible for the ACS to retrieve the needed field (perhaps CN? certificate type "host/....") and then perform an authentication request to the A.D. (Active Directory) thanks to the ACS remote agent? We want to perform only machine authentication, not user authentication.
    Thanks in advance for your attention.
    Best Regards,
    Arnaud

    Hi Prem,
    Thanks for these inputs.
    I've set the log details to full, performed other tests and retrieved the package.cab.
    I've started investigating the 2 log files you pointed to.
    First, we can see that the requests reach the ACS, so that's a good point.
    Then, I'm not sure how to understand the messages.
    In the auth.log, we can see the message "no profile match". I guess it is about network access profile. For my purpose (machine authentication by certificate), I don't think Network Access Profiles are mandatory to configure.
    But I'm not sure this NAP problem is the root cause of my problem.
    And when no NAP is matched, then the default action should be to accept.
    We can see the correct name of the machine (host/...). We can see that it's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.
    I don't know what CSDB is.
    I've configured an external user database: for this, I've configured the Windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.
    I copy below an extract of the auth.log.
    I also attach parts of auth.log and RDS.log.
    Do you have any ideas or advice?
    Thanks in advance for your attention.
    Best Regards,
    Arnaud
    AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
    AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
    AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
    AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
    AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
    AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
    AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
    AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046
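To read excerpts like the one above systematically, here is an added example (not from the thread and not Cisco's tooling) that parses Cisco Secure ACS auth.log lines into one record per authentication request and lists what a reviewer would look at: the User-Name that arrived, whether a Network Access Profile matched, whether the name was treated as an Unknown User, which database the request was sent to, and the final status. The line layout is inferred from the lines pasted above, so the field names are my labels; the label used for the external (Remote Agent) database and the reading of a negative status as a failure code are assumptions, and the sample log is the excerpt from the post.

```python
"""Summarise Cisco Secure ACS auth.log excerpts per authentication request.

Added example, not from the thread or from Cisco.  The line layout
(AUTH <date> <time> <severity> <code> <thread> <message>) is inferred from the
excerpt Arnaud posted; the label expected for the external database and the
assumption that a negative status is a failure code are mine."""
import re

LINE_RE = re.compile(
    r"^AUTH (?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<sev>[A-Z]) (?P<code>\d{4}) (?P<thread>\d+) (?P<msg>.*)$"
)
USERNAME_RE = re.compile(r"User-Name=(\S+)")
QUOTED_USER_RE = re.compile(r"'([^']+)'")
AGAINST_RE = re.compile(r"authenticate '[^']+' against (\S+)")
STATUS_RE = re.compile(r"Done (?P<rq>RQ\d+), client \d+, status (?P<status>-?\d+)")

# Sample input: the lines from the post above, used here as a constructed fixture.
SAMPLE_LOG = """\
AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046
"""


def parse_line(line):
    """Split one auth.log line into its fields; None for lines in another format."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def summarise(lines):
    """One dict per request, in order of first appearance.  A request starts when
    a User-Name attribute is logged; later lines quoting the same name ('host/...')
    re-select it, and profile / database / status lines attach to the current one."""
    records, by_user, current = [], {}, None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        m = USERNAME_RE.search(msg)
        if m:
            current = {"user": m.group(1), "first_seen": f"{rec['date']} {rec['time']}",
                       "profile": None, "databases": [], "unknown_user": False,
                       "status": None, "request": None}
            records.append(current)
            by_user[m.group(1)] = current
            continue
        m = QUOTED_USER_RE.search(msg)
        if m and m.group(1) in by_user:
            current = by_user[m.group(1)]
        if current is None:
            continue  # chatter before any request (listener start-up etc.)
        if "no profile was matched" in msg:
            current["profile"] = "default"
        elif "Unknown User" in msg:
            current["unknown_user"] = True
        m = AGAINST_RE.search(msg)
        if m:
            current["databases"].append(m.group(1))
        m = STATUS_RE.search(msg)
        if m and current["status"] is None:
            current["status"] = int(m.group("status"))
            current["request"] = m.group("rq")
    return records


def diagnose(record, external_db="Windows"):
    """Findings a reviewer would raise for one record (assumptions noted inline)."""
    findings = []
    if record["status"] is None:
        findings.append("no 'Done ... status' line: request did not complete in this excerpt")
    elif record["status"] < 0:  # assumption: a negative status is a failure code
        findings.append(f"{record['request']} finished with status {record['status']}")
    if record["user"].startswith("host/") and record["unknown_user"]:
        findings.append("machine identity (host/...) was handled as an Unknown User, "
                        "i.e. it is not in the ACS internal database")
    # assumption: the external (Remote Agent) database appears under this label
    if "CSDB" in record["databases"] and external_db not in record["databases"]:
        findings.append(f"only the internal database (CSDB) was tried; "
                        f"no attempt against {external_db} in this excerpt")
    return findings


if __name__ == "__main__":
    for r in summarise(SAMPLE_LOG.splitlines()):
        print(r["first_seen"], r["user"], "profile:", r["profile"], "status:", r["status"])
        for finding in diagnose(r):
            print("   -", finding)
```

Run it over a longer auth.log slice than the eight lines above and the per-request records make it obvious whether the host/ identity ever reaches the Windows database or stops at CSDB every time; that is the question to settle before touching the Network Access Profile configuration.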

  • Srw2048 802.1x, authentication with certificates

    Hi,
    Is it possible to use 802.1x port authentication on the SRW2048 based on EAP and certificates?
    Br,
    Lukasz

    Hello!
    We've just launched an Ask the Expert event on 802.1x
    https://supportforums.cisco.com/discussion/12463991/ask-expert-8021x-configuring-and-troubleshooting-javier-henderson
    Perhaps post your question with Javier as well!
    Thank you!

  • 802.1x wireless authentication with certificates

    Hi.
    I have configured 802.1x authentication with certificates for wired connections, and it works with no problem.
    When I try to authenticate the same machine with 802.1x and certificates on wireless, the ACS rejects it with:
    "12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate."
    The ACS is the same, the certificate is the same, and the root CA is the same.
    What's happening????
    Antero Vasconcelos

    What supplicant are we using for wireless authentication? Do we have complete chain of certificates installed on the client machine? Can you check if we have root CA/intermediate correctly installed in client and ACS.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • How to do .1x port based network access authentication through ACS

    How to do .1x port based network access authentication through ACS.

    Hi,
    802.1x can authenticate hosts either via username/password or via the MAC address of the clients (PCs, printers etc.). This process is called Agentless Network Access, which can be done through MAC Auth Bypass.
    In this process the 802.1x switchport would send the MAC address of the connected PC to the RADIUS server for authentication. If the RADIUS server has the MAC address in its database, the authentication would be successful and the PC would be granted network access.
    To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
    To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
    Regards,
    Kush

  • There is a problem with this connection's security certificate The remote computer cannot be authenticated due to problems with its security certificate. Security certificate problems might indicate an attempt to fool you or intercept any data you send

    Hi,
    I have this Windows 2008 R2 on which I installed remoteapp some years ago.
    Now the certificate expired and I get the message
    "There is a problem with this connection's security certificate
    The remote computer cannot be authenticated due to problems with its security certificate.
    Security certificate problems might indicate an attempt to fool you or intercept any data you send to the remote computer."
    How should I renew the certificate? I already went to the certificate store and tried to renew the certificate with the same key, but then it says "the request contains no certificate template information".
    Please advise.
    J.
    Jan Hoedt

    Does the computer account have Enroll permission to the certificate template?
    From the Server running your CA, run mmc, click File then Add/Remove Snap-in...
    Add Certificate Templates and click OK.
    Find the certificate template, then right click and select Properties. On my CA it's called RemoteDesktopComputers but might be called something different depending on what template your certificate is based on.
    On the Security tab, click Object Types, check Computers then OK. Enter the computer name and click OK. Then give your computer account Enroll permission.
    HTH,
    JB

  • SSL VPN with machine certificate authentication

    Hi All,
    I've configured a VPN profile for an Anyconnect VPN connection on my test environment. I've enabled AAA (RSA) and certificate authentication, configured the RSA servers correctly and uploaded the root and issuing certificates. I managed to get this working with machine certificates using a Microsoft PKI. With crypto debugging enabled I can see the CERT API thread wake up and correctly authenticate the certificate. So far so good....
    Now I configured the same on our production environment and can't get it to work!! The anyconnect client shows an error: "certificate validation failure"
    The strange thing is that the crypto debugging doesn't give me one single line of output. It looks like the certificate doesn't even reach the ASA. My question is, what is stopping the "CERT API thread" I mentioned before from waking up and validating the certificate?? Does someone have an explanation for that?
    btw. We have other VPN configurations on the same production/live ASAs with certificate authentication that are working and show up in the debugging.
    Thanks in advance for your help
    Hardware is ASA5540, software version 8.2(5).
    Some pieces of the configuration below:
    group-policy VPN4TEST-Policy internal
    group-policy VPN4TEST-Policy attributes
     wins-server value xx.xx.xx.xx
     dns-server value xx.xx.xx.xx
     vpn-simultaneous-logins 1
     vpn-idle-timeout 60
     vpn-filter value VPN4TEST_allow_access
     vpn-tunnel-protocol IPSec svc webvpn
     group-lock none
     ipsec-udp enable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     default-domain value cs.ad.klmcorp.net
     vlan 44
     nac-settings none
     address-pools value VPN4TEST-xxx
     webvpn
      svc modules value vpngina
      svc profiles value KLM-SSL-VPN-VPN4TEST
    tunnel-group VPN4TEST-VPN type remote-access
    tunnel-group VPN4TEST-VPN general-attributes
     address-pool VPN4TEST-xxx
     authentication-server-group RSA-7-Authent
     default-group-policy VPN4TEST-Policy
    tunnel-group VPN4TEST-VPN webvpn-attributes
     authentication aaa certificate
     group-alias VPN4TEST-ANYCONNECT enable

    Forgot to mention, I'm using the same laptop in both situations (test and production). Tested with anyconnect versions 3.1.02.040 and 3.0.0.629.

  • 802.1x mac based authentication

    We have Cisco ACS 3.3 is there a way to do authentication based on mac address, instead of username and password? We are looking to stop things such as user purchased access points and what not. Any info would be great.

    Yes you are right, I misunderstood you. I was under the impression that you were talking about doing MAC based authentication on your APs, not the switches. That is why I made mention of port security.
    The 2 options would be standard port security or 802.1x port security if your switches support this.
    In order to use 802.1X port security, your switch would need to support it and the clients connecting to the switch would require a supplicant (EAP-TLS, EAP-TTLS, etc.) in order for them to work, not by MAC address alone.
    You can configure standard port security on the switch which will accomplish your intentions and not even need to use the ACS server.
    standard port base security by MAC:
    http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a008007d3ce.html
    802.1x port based security:
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801a6c72.html

  • How to get a computer based certificate on ipad

    Hi all,
    As the search function keeps loading I will ask here.
    I need a way to get computer based certificates on iPads in order to grant the iPad a VPN connection.
    I already got it working with a computer based certificate of a laptop, but of course I need certificates that are bound to the iPad.
    Maybe this is more Microsoft related, but is there a way for a user to obtain a certificate from <URL of PKI>/certsrv that automatically assigns a unique (host)name to the certificate? Or is it possible to open that website on the iPad and obtain a certificate from there?
    I saw an article (http://mobilitydojo.net/2012/01/31/certsrv-vs-mobile-devices/) where they had to do a lot of tweaking to get the site working. That is not what we want. But maybe it's working on the current version of the iPad?
    Thanks!

    Well, it's been over two years since I wrote that article and it was obviously on an older version of iOS. So, I decided to take a new stab at it.
    Unfortunately it seems it's still not supported on iOS to use the keygen tag. (It is an HTML5 tag so it's nothing "special" in that sense.)
    The "hacks" performed to do this are slightly hackish, that's true, and that is a Microsoft thing. There are however other approaches you can take for interfacing with certsrv as well, so if modifying the original certsrv isn't your style you can code up something that will do the request for you (an intelligent proxy if you will). But as long as iOS doesn't play along it doesn't really help.
    The weird thing is that the docs state that it's been supported since iOS 1.0, but I can't find anyone who has gotten it to work. Typo in docs, or bug?
    I don't know if you're using MDM, or you would be ok with deploying through iPhone Configuration Utility, but have you considered if SCEP is an option for getting certs to the devices?

  • L2TP based VPN with OpenS/WAN server, OpenSSL machine certificates

    I cannot seem to get OSX to accept the machine certificates for a VPN connection using Internet Connect.
    I have generated OpenSSL x509 certificates for the server and client side, the same process has generated certificates that work just dandy with WindowsXP. The certificates have "subjectAltName=" key/value pairs assigned to the IP address of the VPN server.
    Once generated I import the certificates into OS X (you have to run Keychain Access with "sudo" from the console to get this to work). The certificate authority seems to be ok, the CA has been added to the x509Roots, and when I examine the machine certificate for my OS X install using Keychain Access the certificate is marked valid.
    I generated the hash link for the certificate:
    ln -s /etc/racoon/certs/certname.pem /etc/racoon/certs/`openssl x509 -noout -hash -in certname.pem`.0
    From the console I run `openssl verify certname.pem`.
    It fails unless I specify `-CApath /etc/racoon/certs`, then it passes.
    When Internet Connect is setup to use the certificates I can see in the OpenS/WAN logs that the OS X box connects and negotiates IPSEC to MAIN_3. At this point pluto logs the following:
    ignoring informational payload, type INVALIDCERTAUTHORITY
    This repeats for several re-tries before the OS X side gives up. No useful logging is generated on the OS X side for me to debug, and everything from the OpenS/WAN side seems to be kosher, it appears to be an oakley/racoon issue with validating the machine certificate provided by OpenS/WAN to the OS X side, with the OS X side unable to verify the certificate.
    Has anyone solved this? Any ideas on how to improve the logging output from OS X so I can see what racoon/oakley is carping about in the certificate files it is using?

    I'm having the same problem. I've got a machine cert on my Mac OS 10.4.6 client that was issued by my Win2003 CA. When I try and connect, it just hangs and then dies. In the Security Logs on the 2003 L2TP server, I even see a successful IKE negotiation (MS Event ID 541 and 543 below).
    EventID 541:
    IKE security association established.
    Mode:
    Key Exchange Mode (Main Mode)
    Peer Identity:
    Certificate based Identity.
    Peer Subject C=US, S=City, L=State, O=Company, OU=group, CN=machine.subdomain.company.com, E=[email protected]
    Peer SHA Thumbprint peerthumbprint
    Peer Issuing Certificate Authority O=company.com, CN=Certificate Authority
    Root Certificate Authority O=company.com, CN=Certificate Authority
    My Subject CN=server.subdomain.company.com
    My SHA Thumbprint mythumbprint
    Peer IP Address: x.x.x.x
    Filter:
    Source IP Address x.x.x.x
    Source IP Address Mask 255.255.255.255
    Destination IP Address x.x.x.x
    Destination IP Address Mask 255.255.255.255
    Protocol 0
    Source Port 0
    Destination Port 0
    IKE Local Addr x.x.x.x
    IKE Peer Addr x.x.x.x
    IKE Source Port 500
    IKE Destination Port 500
    Peer Private Addr
    Parameters:
    ESP Algorithm Triple DES CBC
    HMAC Algorithm SHA
    Lifetime (sec) 3600
    MM delta time (sec) 1
    EventID 543:
    IKE security association ended.
    Mode: Key Exchange (Main mode)
    Filter:
    Source IP Address X.X.X.X
    Source IP Address Mask 255.255.255.255
    Destination IP Address X.X.X.X
    Destination IP Address Mask 255.255.255.255
    Protocol 0
    Source Port 0
    Destination Port 0
    IKE Local Addr X.X.X.X
    IKE Peer Addr X.X.X.X
    IKE Source Port 500
    IKE Destination Port 500
    Peer Private Addr
    At least give me a some methods to debug with.

  • Certificate-Based Client authentication slowness (DSEE 6.3.1)?

    I seem to be seeing very slow operations involving certain certificate-based client interactions.
    I have a user with an application that connects via LDAPS (port 636), does an anonymous bind, and then binds as a specific user. This application is written using .Net (System.DirectoryServices.Protocols library) and housed on an IIS web server that has a certificate signed by Equifax.
    The application performs relatively quickly (operations take an elapsed time of less than 1 second) if:
    1. "Client Authentication" is set to "Allow Certificate-Based Client authentication" and there is no Equifax CA cert in the list of CA Certificates.
    or 2. "Client Authentication" is set to "Do Not Allow Certificate-Based Client authentication".
    If I have "Allow Certificate-Based Client authentication" and the Equifax CA cert installed, all operations by the application succeed but show an elapsed time of about 13-14 seconds.
    The Equifax CA cert should be trusted (certutil shows flags: CT,, )
    Has anyone seen anything like this? I've not been able to successfully figure out how to get additional logging re: the certificate exchange other than grabbing the raw data from ssltap (which I'm not sure I correctly understand). I turned up the infolog levels to include connection management and packets, but that didn't provide what I was looking for.
    Additional troubleshooting info:
    dsadm -V[dsadm]
    dsadm : 6.3.1 B2008.1121.0308 NAT
    [slapd 32-bit]
    Sun Microsystems, Inc.
    Sun-Java(tm)-System-Directory/6.3.1_RME_6915746 B2010.0112.1626 32-bit
    ns-slapd : 6.3.1 B2008.1121.0308 NAT
    Slapd Library : 6.3.1_RME_6915746 B2010.0112.1626
    Front-End Library : 6.3.1 B2008.1121.0308
    [slapd 64-bit]
    Sun Microsystems, Inc.
    Sun-Java(tm)-System-Directory/6.3.1_RME_6915746 B2010.0112.1631 64-bit
    ns-slapd : 6.3.1 B2008.1121.0308 NAT
    Slapd Library : 6.3.1_RME_6915746 B2010.0112.1631
    Front-End Library : 6.3.1 B2008.1121.0308

    The only thing I can think of off the top of my head is if the server is doing a callout to an external site for something like a CRL. Even though the traffic is encrypted, you should be able to see something like that in a packet trace even so.
