Authentication WLC
Hello
can experts advice to integrate Wireless LAN Controller with Active Directory 2008 R2 for authentication which is better option ACS or ISE
appreciate some detailed comparision and future benefits selecting either (eol,eos,price....etc )
cheers
Vishal
Hello
thanks for feedback
how do i size the ACS appliance, any suggestion
my mission - all wireless user get authenticated using windows AD account
do i need separate license on WLC to integrate ACS as authentication server
in terms of integrating ACS with WLC and Windows AD 2008 is it straight forward, what access i need to get from microsoft windows infrastructure team
cheers
Vishal
Similar Messages
-
RSA-Token Authentication WLC 5500
I can configure "RSA Secure ID" or "Token" ti authenticate users in a WLAN in the Wireless LAN Controller 5500 series?
That is possible??LeeJohns,
We are testing this type of Authentication our components are:
1.- Wireless LAN Controller 5508
2.- LAP 1141
3.- RSA Authentication Manager 6.1
We are don´t have External Radius serves as Cisco ACS.
We add the Managment IP Address of the WLC into "Radius Client" from the RSA Authentication Manager 6.1.
The configuration of the WLC is:
1.- Security / Radius / Authentication: IP Address of the RSA Authentication Manager.
2.- WLAN / Layer 2 Security : 802.1X / AAA Servers IP Address of the RSA Manager.
Configuration of the RSA Authentication Manager.
1.- RSA Authentication Manager > Add Agent Host > Network Address: Managment IP Address WLC
2.- In the RSA Client enter the same shared key entered in the WLC.
The WLAN show the prompt : Enter Username and Password when the user try to connect to the Wireless Network, the user enter the username/password and the authentication failed.
Is necesary the Radius Server ?
Thanks -
Hello,
I am expieriencing a weird behavior in the WLAN for guest users.
I can create tipical guest users and it redirects me to the sign in web page (there is no web auth server, it's done by the WLC itself) and it works normally. But I am having several domain users getting logged with their domain username and passwords eventhough they are not registered as guestusers.
How can I avoid this situation?
Thanks in advance!Hello,
What you are seeing may be due in fact to the WLAN's usage of the Radius servers from the global list, even if not directly specified under the WLAN's configuration:
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
A very quick test to confirm this would be to uncheck the option "Network User" for all the Radius servers, under
SECURITY > RADIUS > Authentication
WLC 4.2 was not yet allowing to select which method to use to authenticate web auth users (local, Radius, or LDAP).
Starting from later versions such as 6.0 we have further features that allow us to do that (see attached screenshot).
In your case, on the Radius server, you may want to filter Radius access-requests coming from users connecting through the SSID "visitas".
In ACS 4.2 for example, this can be done through NAPs:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NAPs.html#wp1128143
In the Radius access-request, the WLC is including the following attributes (among others):
Called-Station-Id: this should come in the form of "WLC mac:BSSID:SSID name)
Airespace-WLAN-Id: this is the index of the WLAN through which the user is connecting
So you could build a NAP in ACS that checks whether the Radius attribute Airespace-WLAN-Id has the same index as the "visitas" SSID (or the Called-Station-Id contains the string "visitas") and, if so, fail the authentication.
Hope this helps,
Fede
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
'Could not find user' with EAP-TLS in ACS
Hi all,
we are running ACS 4.2(1) Build 15 on a Win2003 member server and use the ACS for EAP-TLS with certificates (Microsoft-PKI) for WLAN authentication (WLC 4402, 6.0 and 4.2). We are using both machine and user authentication.
Sometimes machine authentications fail with following message in AUTH.log:
AUTH 11/01/2010 09:11:28 E 1395 1904 0x31cb External DB [NTAuthenDLL.dll]: Could not find user host/<xxxxxxxx>.com (0x5012)
But some minutes/hours later the same machine can authenticate successful. Other machines never have this problem, no problems at all with user authentications.
Does anyone have an idea where I can proceed with troubleshooting? I haven't found any related messages in server event logs. Are there any other logs where I can find reasons for these problems that are occuring only sometimes?
Thanks
KaiAUTH.log and RDS.log are two log file you need to look into on ACS side. Make sure the log level is set to "Full"
You might need to check the log on AD side to see why it could not find this host.
Comparing the logs between the working and non-working cases might be helpful. -
Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)
Hello,
I have configured a Guest SSID with web authentication (captive portal).
wlan XXXXXXX 2 Guest
aaa-override
client vlan YYYYYYYYY
no exclusionlist
ip access-group ACL-Usuarios-WIFI
ip flow monitor wireless-avc-basic input
ip flow monitor wireless-avc-basic output
mobility anchor 10.181.8.219
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security web-auth
security web-auth parameter-map global
session-timeout 65535
no shutdown
The configuration of webauth parameter map is :
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
parameter-map type webauth global
type webauth
virtual-ip ipv4 1.1.1.1
redirect on-success http://www.google.es
I need to login on web authentication on HTTP instead of HTTPS.
If I login on HTTP, I will not receive certificate alerts that prevent the users connections.
I saw how to configure it with 7.x relesae but I have IOS XE Version 03.03.05SE and I don´t know how to configure it.
Web Authentication on HTTP Instead of HTTPS
You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
Thanks in advance.
Regards.The documentation doesn't provide very clear direction, does it?
To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page. -
Problem with certificate authentication at wlc 4402
Hi,
we have a problem to get a connection from the client to the WLC.
we are using Cisco Aironet 1130 AG and a Cisco 4402 WLC in our network. The certificate service is installed on a Windows 2008 R2 server. We use a standalone Root CA with a Enterprise Sub CA hierarchy. Issueing certificates to clients works fine. The vendor and ca certificates are installed on the WLC and the user have his user certificate. During implementation we used following document: "http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml#wlc". Instead of Anonymous Bind, we use a service user to read in AD (works fine, too).
We use the Intel/PRO wireless utility on our Testclient and configured it for EAP-FAST and TLS. We can select the installed certificate in the utility, but when we try to connect, the utility throw the message: "Authentication failed due to an invalid certificate".
We´ve logged the WLC and thats a part of the logfile (i´ve greyed out all enterprise data):
*EAP Framework: Jan 18 12:08:21.921: EAP-AUTH-EVENT: Waiting for asynchronous reply from LL
*LDAP DB Task 1: Jan 18 12:08:21.921: ldapTask [1] received msg 'REQUEST' (2) in state 'IDLE' (1)
*LDAP DB Task 1: Jan 18 12:08:21.922: LDAP server 1 changed state to INIT
*LDAP DB Task 1: Jan 18 12:08:21.922: LDAP_OPT_REFERRALS = -1*LDAP DB Task 1: Jan 18 12:08:21.925: LDAP_CLIENT: UID Search (...)))
*LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: ldap_search_ext_s returns 0 85
*LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: Returned 2 msgs including 0 references
*LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: Returned msg 1 type 0x64
*LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: Received 1 attributes in search entry msg
*LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT: Returned msg 2 type 0x65
*LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT : No matched DN
*LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT : Check result error 0 rc 1013
*LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT: Received no referrals in search result msg
*LDAP DB Task 1: Jan 18 12:08:21.927: ldapAuthRequest [1] called lcapi_query base="..." (rc = 0 - Success)
*LDAP DB Task 1: Jan 18 12:08:21.927: LDAP ATTR> dn = CN=... (size 76)
*LDAP DB Task 1: Jan 18 12:08:21.927: Handling LDAP response Success
*LDAP DB Task 1: Jan 18 12:08:21.927: 18:3d:a2:0a:ec:bc [Response] Client requested no retries for mobile 18:3D:A2:0A:EC:BC
*LDAP DB Task 1: Jan 18 12:08:21.927: 18:3d:a2:0a:ec:bc Returning AAA Success for mobile 18:3d:a2:0a:ec:bc
*LDAP DB Task 1: Jan 18 12:08:21.927: AuthorizationResponse: 0x33a5affc*LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: Found context matching MAC address - 319
*LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: (EAP:319) User credential callback invoked
*LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: EAP Unable to find password in credentials. Skipped
*LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: EAP Unable to find wlan in credentials. Skipped
*LDAP DB Task 1: Jan 18 12:08:21.928: Authenticated bind : Closing the binded session*LDAP DB Task 1: Jan 18 12:08:21.928: ldapClose [1] called lcapi_close (rc = 0 - Success)
*LDAP DB Task 1: Jan 18 12:08:21.929: LDAP server 1 changed state to IDLE
*EAP Framework: Jan 18 12:08:21.930: EAP-EVENT: Received event 'EAP_LL_REPLY' on handle 0x78000041
*EAP Framework: Jan 18 12:08:21.930: EAP-AUTH-EVENT: Using credential profile name: ...(0x78000041)
*EAP Framework: Jan 18 12:08:21.930: EAP-AUTH-EVENT: Maximum EAP packet size: 1000
*EAP Framework: Jan 18 12:08:21.930: EAP-AUTH-EVENT: Sending method new context directive for EAP context 0x78000041
*EAP Framework: Jan 18 12:08:21.930: EAP-EVENT: Sending method directive 'New Context' on handle 0x78000041
*EAP Framework: Jan 18 12:08:21.930: eap_fast.c-EVENT: New context (EAP handle = 0x78000041)
*EAP Framework: Jan 18 12:08:21.931: id_manager.c-AUTH-SM: Got new ID f700000e - id_get
*EAP Framework: Jan 18 12:08:21.931: eap_fast.c-EVENT: Allocated new EAP-FAST context (handle = 0xF700000E)
*EAP Framework: Jan 18 12:08:21.931: EAP-AUTH-EVENT: Sending method data for context 0x78000041
*EAP Framework: Jan 18 12:08:21.931: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
*EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
*EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-EVENT: Received Identity
*EAP Framework: Jan 18 12:08:21.931: eap_fast_tlv.c-AUTH-EVENT: Adding PAC A-ID TLV (436973636f0000000000000000000000)
*EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-EVENT: Sending Start
*EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-SM: Changing state: Reset -> Start
*EAP Framework: Jan 18 12:08:21.931: eap_fast.c:2367: eap-fast tx packet:
*EAP Framework: Jan 18 12:08:21.931: eap_fast.c:138: Version: 1 Flags:S Length:0x0014
*EAP Framework: Jan 18 12:08:21.931: eap_core.c:1422: Payload: 00040010436973636F00000000000000 ...
*EAP Framework: Jan 18 12:08:21.931: eap_fast.c-TX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:21.931: eap_core.c:1484: Code:REQUEST ID:0x 0 Length:0x001a Type:FAST
*EAP Framework: Jan 18 12:08:21.932: eap_core.c:1422: Payload: 2100040010436973636F000000000000 ...
*EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: EAP method state: Continue
*EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: EAP method decision: Unknown
*EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: Current method = 43
*EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
*EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-TX-PAK:
*EAP Framework: Jan 18 12:08:21.932: eap_core.c:1484: Code:REQUEST ID:0x 2 Length:0x001a Type:FAST
*EAP Framework: Jan 18 12:08:21.932: eap_core.c:1422: Payload: 2100040010436973636F000000000000 ...
*EAP Framework: Jan 18 12:08:21.932: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:21.932: EAP-EVENT: Started EAP tick timer
*EAP Framework: Jan 18 12:08:21.932: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:21.932: LOCAL_AUTH: Found matching context for id - 319
*EAP Framework: Jan 18 12:08:21.932: LOCAL_AUTH: (EAP:319) transmit event
*EAP Framework: Jan 18 12:08:21.932: AuthorizationResponse: 0x13c713fc*EAP Framework: Jan 18 12:08:21.934: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 1a
*EAP Framework: Jan 18 12:08:21.934: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
*aaaQueueReader: Jan 18 12:08:22.290: LOCAL_AUTH: EAP: Received an auth request
*aaaQueueReader: Jan 18 12:08:22.290: LOCAL_AUTH: Found context matching MAC address - 319
*aaaQueueReader: Jan 18 12:08:22.290: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 2) to EAP subsys
*EAP Framework: Jan 18 12:08:22.291: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-RX-PAK:
*EAP Framework: Jan 18 12:08:22.291: eap_core.c:1484: Code:RESPONSE ID:0x 2 Length:0x0042 Type:FAST
*EAP Framework: Jan 18 12:08:22.291: eap_core.c:1422: Payload: 810000003816030100330100002F0301 ...
*EAP Framework: Jan 18 12:08:22.291: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
*EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-EVENT: EAP Response type = Method (43)
*EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-EVENT: Sending method data for context 0x78000041
*EAP Framework: Jan 18 12:08:22.292: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.292: eap_fast.c-AUTH-EVENT: Process Response, type: 0x2b
*EAP Framework: Jan 18 12:08:22.292: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
*EAP Framework: Jan 18 12:08:22.292: eap_fast_auth.c-RX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:22.292: eap_core.c:1484: Code:RESPONSE ID:0x 2 Length:0x0042 Type:FAST
*EAP Framework: Jan 18 12:08:22.292: eap_core.c:1422: Payload: 810000003816030100330100002F0301 ...
*EAP Framework: Jan 18 12:08:22.292: eap_fast_auth.c-AUTH-EVENT: Received TLS record type: Handshake in state: Start
*EAP
Framework: Jan 18 12:08:22.292: EAP-EVENT: Sending lower layer event
'EAP_GET_CREDENTIAL_PROFILE_FROM_PROFILE_NAME' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.292: LOCAL_AUTH: Found matching context for id - 319
*EAP
Framework: Jan 18 12:08:22.292: LOCAL_AUTH: (EAP:319) Returning profile
*EAP Framework: Jan 18 12:08:22.293: IOS_PKI_SHIM: [StartSession] - New session 0x335ee108 started (TP = 'vendor')
*EAP Framework: Jan 18 12:08:22.293: IOS_PKI_SHIM: [StartSession] - Trustpoint identity (cert) set to 'Vendor'
*EAP
Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Subject : ...
*EAP Framework: Jan 18
12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Issuer : ...
*EAP Framework: Jan 18
12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Valid from '2012 Jan 12th,
17:06:50 GMT' to '2016 Jan 11th, 17:06:50 GMT'
*EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Is not a CA cert
*EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: Added cert (type 1) to chain (1 present on chain)
*EAP
Framework: Jan 18 12:08:22.300: IOS_PKI_SHIM: [CA-CERT] Subject :
*EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [CA-CERT] Issuer : CN=...
*EAP
Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [CA-CERT] Valid from
'2012 Jan 12th, 16:54:49 GMT' to '2020 Jan 12th, 17:04:49 GMT'
*EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [CA-CERT] Is a CA cert
*EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: Added cert (type 2) to chain (2 present on chain)
*EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [StartSession] - Getting older style priv key
*EAP Framework: Jan 18 12:08:22.338: IOS_PKI_SHIM: Session 0x335ee108 init'd OK
*EAP Framework: Jan 18 12:08:22.338: eap_fast_auth.c-AUTH-EVENT: Local certificate found
*EAP Framework: Jan 18 12:08:22.339: eap_fast_auth.c-AUTH-EVENT: Reading Client Hello handshake
*EAP Framework: Jan 18 12:08:22.339: eap_fast.c:286: EAP-FAST-AUTH-RX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.339: eap_fast.c:255: Content:Handshake Version:0301 Length:0x0033
*EAP Framework: Jan 18 12:08:22.339: eap_core.c:1422: Payload: 0100002F03014F16A8262631FC9DC042 ...
*EAP Framework: Jan 18 12:08:22.340: eap_fast.c:202: Handshake type:Client Hello Length:0x002F
*EAP Framework: Jan 18 12:08:22.340: eap_core.c:1422: Payload: 03014F16A8262631FC9DC042253D3E24 ...
*EAP Framework: Jan 18 12:08:22.340: eap_fast_auth.c-AUTH-EVENT: TLS_RSA_WITH_AES_128 proposed...
*EAP Framework: Jan 18 12:08:22.341: eap_fast_auth.c-AUTH-EVENT: TLS_DHE_RSA_WITH_AES_128_CBC_SHA proposed...
*EAP Framework: Jan 18 12:08:22.341: eap_fast_auth.c-AUTH-EVENT: TLS_RSA_WITH_RC4_128 proposed...
*EAP Framework: Jan 18 12:08:22.341: eap_fast_auth.c-AUTH-EVENT: TLS_DH_anon_WITH_AES_128_CBC_SHA proposed...
*EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT: Proposed ciphersuite(s):
*EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT: TLS_RSA_WITH_AES_128_CBC_SHA
*EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT: TLS_RSA_WITH_RC4_128_SHA
*EAP Framework: Jan 18 12:08:22.343: eap_fast.c-EVENT: TLS_DH_anon_WITH_AES_128_CBC_SHA
*EAP Framework: Jan 18 12:08:22.343: eap_fast.c-EVENT: Selected ciphersuite:
*EAP Framework: Jan 18 12:08:22.343: eap_fast.c-EVENT: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*EAP Framework: Jan 18 12:08:22.343: eap_fast_auth.c-AUTH-EVENT: Building Provisioning Server Hello
*EAP Framework: Jan 18 12:08:22.344: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.344: eap_fast.c:255: Content:Handshake Version:0301 Length:0x002A
*EAP Framework: Jan 18 12:08:22.344: eap_core.c:1422: Payload: 0200002603015F3325EADF12E6296F91 ...
*EAP Framework: Jan 18 12:08:22.344: eap_fast.c:202: Handshake type:Server Hello Length:0x0026
*EAP Framework: Jan 18 12:08:22.345: eap_core.c:1422: Payload: 03015F3325EADF12E6296F91530FE67F ...
*EAP Framework: Jan 18 12:08:22.345: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.345: eap_fast.c:255: Content:Handshake Version:0301 Length:0x0B54
*EAP Framework: Jan 18 12:08:22.346: eap_core.c:1422: Payload: 0B000B50000B4D00059F3082059B3082 ...
*EAP Framework: Jan 18 12:08:22.346: eap_fast.c:202: Handshake type:Certificate Length:0x0B50
*EAP Framework: Jan 18 12:08:22.346: eap_core.c:1422: Payload: 000B4D00059F3082059B30820483A003 ...
*EAP Framework: Jan 18 12:08:22.347: eap_fast_crypto.c-EVENT: Starting Diffie Hellman phase 1 ...
*EAP Framework: Jan 18 12:08:22.661: eap_fast_crypto.c-EVENT: Diffie Hellman phase 1 complete
*EAP Framework: Jan 18 12:08:22.677: IOS_PKI_SHIM: PKI_SignMessage PostHashEncrypt ret SUCCESS.. op_len 128
*EAP Framework: Jan 18 12:08:22.678: eap_fast_auth.c-AUTH-EVENT: DH signature length = 128
*EAP Framework: Jan 18 12:08:22.678: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.678: eap_fast.c:255: Content:Handshake Version:0301 Length:0x028D
*EAP Framework: Jan 18 12:08:22.679: eap_core.c:1422: Payload: 0C0002890100FFFFFFFFFFFFFFFFC90F ...
*EAP Framework: Jan 18 12:08:22.679: eap_fast.c:202: Handshake type:Server Key Exchange Length:0x0289
*EAP Framework: Jan 18 12:08:22.679: eap_core.c:1422: Payload: 0100FFFFFFFFFFFFFFFFC90FDAA22168 ...
*EAP Framework: Jan 18 12:08:22.679: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.680: eap_fast.c:255: Content:Handshake Version:0301 Length:0x000B
*EAP Framework: Jan 18 12:08:22.680: eap_core.c:1422: Payload: 0D00000704030401020000
*EAP Framework: Jan 18 12:08:22.680: eap_fast.c:202: Handshake type:Certificate Request Length:0x0007
*EAP Framework: Jan 18 12:08:22.680: eap_core.c:1422: Payload: 04030401020000
*EAP Framework: Jan 18 12:08:22.681: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.681: eap_fast.c:255: Content:Handshake Version:0301 Length:0x0004
*EAP Framework: Jan 18 12:08:22.681: eap_core.c:1422: Payload: 0E000000
*EAP Framework: Jan 18 12:08:22.681: eap_fast.c:202: Handshake type:Server Done Length:0x0000
*EAP Framework: Jan 18 12:08:22.682: eap_fast_auth.c-AUTH-EVENT: Sending Provisioning Serving Hello
*EAP Framework: Jan 18 12:08:22.682: eap_fast_auth.c-AUTH-SM: Changing state: Start -> Sent provisioning Server Hello
*EAP Framework: Jan 18 12:08:22.682: eap_fast.c-EVENT: Tx packet fragmentation required
*EAP Framework: Jan 18 12:08:22.683: eap_fast.c:2367: eap-fast tx packet:
*EAP Framework: Jan 18 12:08:22.683: eap_fast.c:138: Version: 1 Flags:LM Length:0x03DE
*EAP Framework: Jan 18 12:08:22.683: eap_core.c:1422: Payload: 160301002A0200002603015F3325EADF ...
*EAP Framework: Jan 18 12:08:22.684: eap_fast.c-TX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:22.684: eap_core.c:1484: Code:REQUEST ID:0x 0 Length:0x03e8 Type:FAST
*EAP Framework: Jan 18 12:08:22.684: eap_core.c:1422: Payload: C100000E33160301002A020000260301 ...
*EAP Framework: Jan 18 12:08:22.684: EAP-AUTH-EVENT: EAP method state: Continue
*EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-EVENT: EAP method decision: Unknown
*EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-EVENT: Current method = 43
*EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
*EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-TX-PAK:
*EAP Framework: Jan 18 12:08:22.685: eap_core.c:1484: Code:REQUEST ID:0x 3 Length:0x03e8 Type:FAST
*EAP Framework: Jan 18 12:08:22.686: eap_core.c:1422: Payload: C100000E33160301002A020000260301 ...
*EAP Framework: Jan 18 12:08:22.686: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.686: EAP-EVENT: Started EAP tick timer
*EAP Framework: Jan 18 12:08:22.686: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.686: LOCAL_AUTH: Found matching context for id - 319
*EAP Framework: Jan 18 12:08:22.687: LOCAL_AUTH: (EAP:319) transmit event
*EAP Framework: Jan 18 12:08:22.687: AuthorizationResponse: 0x13c713fc*EAP Framework: Jan 18 12:08:22.755: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 297
*EAP Framework: Jan 18 12:08:22.755: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
*aaaQueueReader: Jan 18 12:08:22.830: LOCAL_AUTH: EAP: Received an auth request
*aaaQueueReader: Jan 18 12:08:22.830: LOCAL_AUTH: Found context matching MAC address - 319
*aaaQueueReader: Jan 18 12:08:22.830: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 6) to EAP subsys
*EAP Framework: Jan 18 12:08:22.831: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.831: EAP-AUTH-RX-PAK:
*EAP Framework: Jan 18 12:08:22.831: eap_core.c:1484: Code:RESPONSE ID:0x 6 Length:0x015c Type:FAST
*EAP Framework: Jan 18 12:08:22.831: eap_core.c:1422: Payload: 810000015216030100070B0000030000 ...
*EAP Framework: Jan 18 12:08:22.831: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.831: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
*EAP Framework: Jan 18 12:08:22.832: EAP-AUTH-EVENT: EAP Response type = Method (43)
*EAP Framework: Jan 18 12:08:22.832: EAP-AUTH-EVENT: Sending method data for context 0x78000041
*EAP Framework: Jan 18 12:08:22.832: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.832: eap_fast.c-AUTH-EVENT: Process Response, type: 0x2b
*EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
*EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-RX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:22.832: eap_core.c:1484: Code:RESPONSE ID:0x 6 Length:0x015c Type:FAST
*EAP Framework: Jan 18 12:08:22.832: eap_core.c:1422: Payload: 810000015216030100070B0000030000 ...
*EAP
Framework: Jan 18 12:08:22.832: eap_fast_auth.c-AUTH-EVENT: Received
TLS record type: Handshake in state: Sent provisioning Server Hello
*EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-AUTH-EVENT: Reading Client Certificate handshake
*EAP Framework: Jan 18 12:08:22.832: eap_fast.c:286: EAP-FAST-AUTH-RX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.832: eap_fast.c:255: Content:Handshake Version:0301 Length:0x0007
*EAP Framework: Jan 18 12:08:22.832: eap_core.c:1422: Payload: 0B000003000000
*EAP Framework: Jan 18 12:08:22.832: eap_fast.c:202: Handshake type:Certificate Length:0x0003
*EAP Framework: Jan 18 12:08:22.832: eap_core.c:1422: Payload: 000000
*EAP Framework: Jan 18 12:08:22.833: eap_fast.c-EVENT: Client Certificate handshake empty
*EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-EVENT: Rx'd I-ID: "EAP-FAST I-ID" from Peer Cert
*EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-ERROR: Required cert not provided by client
*EAP Framework: Jan 18 12:08:22.833: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.833: eap_fast.c:255: Content:Alert Version:0301 Length:0x0002
*EAP Framework: Jan 18 12:08:22.833: eap_core.c:1422: Payload: 0228
*EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-SM: Changing state: Sent provisioning Server Hello -> Alert
*EAP Framework: Jan 18 12:08:22.833: eap_fast.c:2367: eap-fast tx packet:
*EAP Framework: Jan 18 12:08:22.833: eap_fast.c:138: Version: 1 Flags:L Length:0x0007
*EAP Framework: Jan 18 12:08:22.833: eap_core.c:1422: Payload: 15030100020228
*EAP Framework: Jan 18 12:08:22.833: eap_fast.c-TX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:22.833: eap_core.c:1484: Code:REQUEST ID:0x 0 Length:0x0011 Type:FAST
*EAP Framework: Jan 18 12:08:22.833: eap_core.c:1422: Payload: 810000000715030100020228
*EAP Framework: Jan 18 12:08:22.833: EAP-AUTH-EVENT: EAP method state: Continue
*EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-EVENT: EAP method decision: Fail
*EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-EVENT: Current method = 43
*EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
*EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-TX-PAK:
*EAP Framework: Jan 18 12:08:22.834: eap_core.c:1484: Code:REQUEST ID:0x 7 Length:0x0011 Type:FAST
*EAP Framework: Jan 18 12:08:22.834: eap_core.c:1422: Payload: 810000000715030100020228
*EAP Framework: Jan 18 12:08:22.834: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.834: EAP-EVENT: Started EAP tick timer
*EAP Framework: Jan 18 12:08:22.834: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.834: LOCAL_AUTH: Found matching context for id - 319
*EAP Framework: Jan 18 12:08:22.834: LOCAL_AUTH: (EAP:319) transmit event
*EAP Framework: Jan 18 12:08:22.834: AuthorizationResponse: 0x13c713fc
We think that the reason why it didn´t work, is the part:
*EAP Framework: Jan 18 12:08:22.833: eap_fast.c-EVENT: Client Certificate handshake empty
*EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-EVENT: Rx'd I-ID: "EAP-FAST I-ID" from Peer Cert
*EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-ERROR: Required cert not provided by client
But we aren´t sure.
Maybe anyone can help us. Many thanks in advance.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.01.18 12:08:18 =~=~=~=~=~=~=~=~=~=~=~=
debug aaa all disable debug aaa all enable(Cisco Controller) >*Dot1x_NW_MsgTask_0: Jan 18 12:08:21.917: 18:3d:a2:0a:ec:bc Audit Session ID added to the mscb: 0a63081e000000994f16a825
*Dot1x_NW_MsgTask_0: Jan 18 12:08:21.917: Creating audit session ID (dot1x_aaa_eapresp_supp) and Radius Request
*aaaQueueReader: Jan 18 12:08:21.917: AuthenticationRequest: 0x30b52e90
*aaaQueueReader: Jan 18 12:08:21.917: Callback.....................................0x10b7803c*aaaQueueReader: Jan 18 12:08:21.917: protocolType.................................0x00140001*aaaQueueReader: Jan 18 12:08:21.917: proxyState...................................18:3D:A2:0A:EC:BC-02:00*aaaQueueReader: Jan 18 12:08:21.917: Packet contains 16 AVPs (not shown)*aaaQueueReader: Jan 18 12:08:21.917: 18:3d:a2:0a:ec:bc [Error] Client requested no retries for mobile 18:3D:A2:0A:EC:BC
*aaaQueueReader: Jan 18 12:08:21.918: 18:3d:a2:0a:ec:bc Returning AAA Error 'No Server' (-7) for mobile 18:3d:a2:0a:ec:bc
*aaaQueueReader: Jan 18 12:08:21.918: AuthorizationResponse: 0x3e04bd08
*aaaQueueReader: Jan 18 12:08:21.918: structureSize................................32*aaaQueueReader: Jan 18 12:08:21.918: resultCode...................................-7*aaaQueueReader: Jan 18 12:08:21.918: protocolUsed.................................0xffffffff*aaaQueueReader: Jan 18 12:08:21.918: proxyState...................................18:3D:A2:0A:EC:BC-02:00*aaaQueueReader: Jan 18 12:08:21.918: Packet contains 0 AVPs:*aaaQueueReader: Jan 18 12:08:21.918: LOCAL_AUTH: EAP: Received an auth request
*aaaQueueReader: Jan 18 12:08:21.918: LOCAL_AUTH: Creating new context
*aaaQueueReader: Jan 18 12:08:21.918: EAP-EVENT: Received context create from lower layer (0x0000013F)
*aaaQueueReader: Jan 18 12:08:21.918: id_manager.c-AUTH-SM: Got new ID 78000041 - id_get
*aaaQueueReader: Jan 18 12:08:21.918: EAP-EVENT: Received credential profile name: "(null)" from LL
*aaaQueueReader: Jan 18 12:08:21.918: EAP-EVENT: Allocated new EAP context (handle = 0x78000041)
*aaaQueueReader: Jan 18 12:08:21.919: LOCAL_AUTH: Created new context eap session handle 78000041
*aaaQueueReader: Jan 18 12:08:21.919: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 1) to EAP subsys
*EAP Framework: Jan 18 12:08:21.919: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:21.920: EAP-AUTH-RX-PAK:
*EAP Framework: Jan 18 12:08:21.920: eap_core.c:1484: Code:RESPONSE ID:0x 1 Length:0x002b Type:IDENTITY
*EAP Framework: Jan 18 12:08:21.920: eap_core.c:1422: Payload: 416E6472652E54736368656E74736368 ...
*EAP Framework: Jan 18 12:08:21.920: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
*EAP Framework: Jan 18 12:08:21.920: EAP-AUTH-EVENT: EAP Response type = Identity
*EAP Framework: Jan 18 12:08:21.920: EAP-AUTH-EVENT: Received peer identity: [email protected]
*EAP Framework: Jan 18 12:08:21.920: EAP-EVENT: Sending lower layer event 'EAP_GET_CREDENTIAL_PROFILE_FROM_USERNAME' on handle 0x78000041
*EAP Framework: Jan 18 12:08:21.920: LOCAL_AUTH: Found matching context for id - 319
*EAP Framework: Jan 18 12:08:21.921: LOCAL_AUTH: (EAP) Sending user credential request username '[email protected]' to LDAP
*aaaQueueReader: Jan 18 12:08:21.921: AuthenticationRequest: 0x33a6ae18
*aaaQueueReader: Jan 18 12:08:21.921: Callback.....................................0x10765234*aaaQueueReader: Jan 18 12:08:21.921: protocolType.................................0x00100002*aaaQueueReader: Jan 18 12:08:21.921: proxyState...................................18:3D:A2:0A:EC:BC-00:00*aaaQueueReader: Jan 18 12:08:21.921: Packet contains 2 AVPs (not shown)*EAP Framework: Jan 18 12:08:21.921: EAP-AUTH-EVENT: Waiting for asynchronous reply from LL
*LDAP DB Task 1: Jan 18 12:08:21.921: ldapTask [1] received msg 'REQUEST' (2) in state 'IDLE' (1)
*LDAP DB Task 1: Jan 18 12:08:21.922: LDAP server 1 changed state to INIT
*LDAP DB Task 1: Jan 18 12:08:21.922: LDAP_OPT_REFERRALS = -1*LDAP DB Task 1: Jan 18 12:08:21.922: ldapInitAndBind [1] called lcapi_init (rc = 0 - Success)
*LDAP DB Task 1: Jan 18 12:08:21.925: ldapInitAndBind [1] configured Method Authenticated lcapi_bind (rc = 0 - Success)
*LDAP DB Task 1: Jan 18 12:08:21.925: LDAP server 1 changed state to CONNECTED
*LDAP DB Task 1: Jan 18 12:08:21.925: disabled LDAP_OPT_REFERRALS*LDAP DB Task 1: Jan 18 12:08:21.925: LDAP_CLIENT: UID Search (base=DC=group,DC=jenoptik,DC=corp, pattern=(&(objectclass=Person)([email protected])))
*LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: ldap_search_ext_s returns 0 85
*LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: Returned 2 msgs including 0 references
*LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: Returned msg 1 type 0x64
*LDAP DB Task 1: Jan 18 12:08:21.926: LDAP_CLIENT: Received 1 attributes in search entry msg
*LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT: Returned msg 2 type 0x65
*LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT : No matched DN
*LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT : Check result error 0 rc 1013
*LDAP DB Task 1: Jan 18 12:08:21.927: LDAP_CLIENT: Received no referrals in search result msg
*LDAP DB Task 1: Jan 18 12:08:21.927: ldapAuthRequest [1] called lcapi_query base="DC=group,DC=jenoptik,DC=corp" type="Person" attr="userPrincipalName" user="[email protected]" (rc = 0 - Success)
*LDAP DB Task 1: Jan 18 12:08:21.927: LDAP ATTR> dn = CN=Tschentscher\, Andre,OU=Users,OU=SSC,OU=JOAG,DC=group,DC=jenoptik,DC=corp (size 76)
*LDAP DB Task 1: Jan 18 12:08:21.927: Handling LDAP response Success
*LDAP DB Task 1: Jan 18 12:08:21.927: 18:3d:a2:0a:ec:bc [Response] Client requested no retries for mobile 18:3D:A2:0A:EC:BC
*LDAP DB Task 1: Jan 18 12:08:21.927: 18:3d:a2:0a:ec:bc Returning AAA Success for mobile 18:3d:a2:0a:ec:bc
*LDAP DB Task 1: Jan 18 12:08:21.927: AuthorizationResponse: 0x33a5affc
*LDAP DB Task 1: Jan 18 12:08:21.927: structureSize................................180*LDAP DB Task 1: Jan 18 12:08:21.927: resultCode...................................0*LDAP DB Task 1: Jan 18 12:08:21.927: protocolUsed.................................0x00000002*LDAP DB Task 1: Jan 18 12:08:21.927: proxyState...................................18:3D:A2:0A:EC:BC-00:00*LDAP DB Task 1: Jan 18 12:08:21.928: Packet contains 2 AVPs:*LDAP DB Task 1: Jan 18 12:08:21.928: AVP[01] Unknown Attribute 0......................CN=Tschentscher\, Andre,OU=Users,OU=SSC,OU=JOAG,DC=group,DC=jenoptik,DC=corp (76 bytes)*LDAP DB Task 1: Jan 18 12:08:21.928: AVP[02] User-Name................................Andre.Tschentscher@group.jenoptik.corp (38 bytes)*LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: Found context matching MAC address - 319
*LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: (EAP:319) User credential callback invoked
*LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: EAP Unable to find password in credentials. Skipped
*LDAP DB Task 1: Jan 18 12:08:21.928: LOCAL_AUTH: EAP Unable to find wlan in credentials. Skipped
*LDAP DB Task 1: Jan 18 12:08:21.928: Authenticated bind : Closing the binded session*LDAP DB Task 1: Jan 18 12:08:21.928: ldapClose [1] called lcapi_close (rc = 0 - Success)
*LDAP DB Task 1: Jan 18 12:08:21.929: LDAP server 1 changed state to IDLE
*EAP Framework: Jan 18 12:08:21.930: EAP-EVENT: Received event 'EAP_LL_REPLY' on handle 0x78000041
*EAP Framework: Jan 18 12:08:21.930: EAP-AUTH-EVENT: Using credential profile name: [email protected] (0x78000041)
*EAP Framework: Jan 18 12:08:21.930: EAP-AUTH-EVENT: Maximum EAP packet size: 1000
*EAP Framework: Jan 18 12:08:21.930: EAP-AUTH-EVENT: Sending method new context directive for EAP context 0x78000041
*EAP Framework: Jan 18 12:08:21.930: EAP-EVENT: Sending method directive 'New Context' on handle 0x78000041
*EAP Framework: Jan 18 12:08:21.930: eap_fast.c-EVENT: New context (EAP handle = 0x78000041)
*EAP Framework: Jan 18 12:08:21.931: id_manager.c-AUTH-SM: Got new ID f700000e - id_get
*EAP Framework: Jan 18 12:08:21.931: eap_fast.c-EVENT: Allocated new EAP-FAST context (handle = 0xF700000E)
*EAP Framework: Jan 18 12:08:21.931: EAP-AUTH-EVENT: Sending method data for context 0x78000041
*EAP Framework: Jan 18 12:08:21.931: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
*EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
*EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-EVENT: Received Identity
*EAP Framework: Jan 18 12:08:21.931: eap_fast_tlv.c-AUTH-EVENT: Adding PAC A-ID TLV (436973636f0000000000000000000000)
*EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-EVENT: Sending Start
*EAP Framework: Jan 18 12:08:21.931: eap_fast_auth.c-AUTH-SM: Changing state: Reset -> Start
*EAP Framework: Jan 18 12:08:21.931: eap_fast.c:2367: eap-fast tx packet:
*EAP Framework: Jan 18 12:08:21.931: eap_fast.c:138: Version: 1 Flags:S Length:0x0014
*EAP Framework: Jan 18 12:08:21.931: eap_core.c:1422: Payload: 00040010436973636F00000000000000 ...
*EAP Framework: Jan 18 12:08:21.931: eap_fast.c-TX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:21.931: eap_core.c:1484: Code:REQUEST ID:0x 0 Length:0x001a Type:FAST
*EAP Framework: Jan 18 12:08:21.932: eap_core.c:1422: Payload: 2100040010436973636F000000000000 ...
*EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: EAP method state: Continue
*EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: EAP method decision: Unknown
*EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: Current method = 43
*EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
*EAP Framework: Jan 18 12:08:21.932: EAP-AUTH-TX-PAK:
*EAP Framework: Jan 18 12:08:21.932: eap_core.c:1484: Code:REQUEST ID:0x 2 Length:0x001a Type:FAST
*EAP Framework: Jan 18 12:08:21.932: eap_core.c:1422: Payload: 2100040010436973636F000000000000 ...
*EAP Framework: Jan 18 12:08:21.932: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:21.932: EAP-EVENT: Started EAP tick timer
*EAP Framework: Jan 18 12:08:21.932: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:21.932: LOCAL_AUTH: Found matching context for id - 319
*EAP Framework: Jan 18 12:08:21.932: LOCAL_AUTH: (EAP:319) transmit event
*EAP Framework: Jan 18 12:08:21.932: AuthorizationResponse: 0x13c713fc
*EAP Framework: Jan 18 12:08:21.933: structureSize................................74*EAP Framework: Jan 18 12:08:21.933: resultCode...................................255*EAP Framework: Jan 18 12:08:21.933: protocolUsed.................................0x00000080*EAP Framework: Jan 18 12:08:21.933: proxyState...................................18:3D:A2:0A:EC:BC-02:00*EAP Framework: Jan 18 12:08:21.934: Packet contains 1 AVPs (not shown)*EAP Framework: Jan 18 12:08:21.934: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 1a
*EAP Framework: Jan 18 12:08:21.934: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
*aaaQueueReader: Jan 18 12:08:22.290: LOCAL_AUTH: EAP: Received an auth request
*aaaQueueReader: Jan 18 12:08:22.290: LOCAL_AUTH: Found context matching MAC address - 319
*aaaQueueReader: Jan 18 12:08:22.290: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 2) to EAP subsys
*EAP Framework: Jan 18 12:08:22.291: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-RX-PAK:
*EAP Framework: Jan 18 12:08:22.291: eap_core.c:1484: Code:RESPONSE ID:0x 2 Length:0x0042 Type:FAST
*EAP Framework: Jan 18 12:08:22.291: eap_core.c:1422: Payload: 810000003816030100330100002F0301 ...
*EAP Framework: Jan 18 12:08:22.291: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
*EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-EVENT: EAP Response type = Method (43)
*EAP Framework: Jan 18 12:08:22.291: EAP-AUTH-EVENT: Sending method data for context 0x78000041
*EAP Framework: Jan 18 12:08:22.292: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.292: eap_fast.c-AUTH-EVENT: Process Response, type: 0x2b
*EAP Framework: Jan 18 12:08:22.292: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
*EAP Framework: Jan 18 12:08:22.292: eap_fast_auth.c-RX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:22.292: eap_core.c:1484: Code:RESPONSE ID:0x 2 Length:0x0042 Type:FAST
*EAP Framework: Jan 18 12:08:22.292: eap_core.c:1422: Payload: 810000003816030100330100002F0301 ...
*EAP Framework: Jan 18 12:08:22.292: eap_fast_auth.c-AUTH-EVENT: Received TLS record type: Handshake in state: Start
*EAP Framework: Jan 18 12:08:22.292: EAP-EVENT: Sending lower layer event 'EAP_GET_CREDENTIAL_PROFILE_FROM_PROFILE_NAME' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.292: LOCAL_AUTH: Found matching context for id - 319
*EAP Framework: Jan 18 12:08:22.292: LOCAL_AUTH: (EAP:319) Returning profile '[email protected]' (username '[email protected]')
*EAP Framework: Jan 18 12:08:22.293: IOS_PKI_SHIM: [StartSession] - New session 0x335ee108 started (TP = 'vendor')
*EAP Framework: Jan 18 12:08:22.293: IOS_PKI_SHIM: [StartSession] - Trustpoint identity (cert) set to 'Vendor'
*EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Subject : C=DE, ST=Thuringia, L=Jena, O=Jenoptik AG, OU=Jenoptik SSC GmbH, CN=Cisco WLC 1st, [email protected]
*EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Issuer : DC=corp, DC=jenoptik, CN=Jenoptik WLAN Certificate Authority
*EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Valid from '2012 Jan 12th, 17:06:50 GMT' to '2016 Jan 11th, 17:06:50 GMT'
*EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: [ID-CERT] Is not a CA cert
*EAP Framework: Jan 18 12:08:22.297: IOS_PKI_SHIM: Added cert (type 1) to chain (1 present on chain)
*EAP Framework: Jan 18 12:08:22.300: IOS_PKI_SHIM: [CA-CERT] Subject : DC=corp, DC=jenoptik, CN=Jenoptik WLAN Certificate Authority
*EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [CA-CERT] Issuer : CN=Jenoptik Certificate Authority
*EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [CA-CERT] Valid from '2012 Jan 12th, 16:54:49 GMT' to '2020 Jan 12th, 17:04:49 GMT'
*EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [CA-CERT] Is a CA cert
*EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: Added cert (type 2) to chain (2 present on chain)
*EAP Framework: Jan 18 12:08:22.301: IOS_PKI_SHIM: [StartSession] - Getting older style priv key
*EAP Framework: Jan 18 12:08:22.338: IOS_PKI_SHIM: Session 0x335ee108 init'd OK
*EAP Framework: Jan 18 12:08:22.338: eap_fast_auth.c-AUTH-EVENT: Local certificate found
*EAP Framework: Jan 18 12:08:22.339: eap_fast_auth.c-AUTH-EVENT: Reading Client Hello handshake
*EAP Framework: Jan 18 12:08:22.339: eap_fast.c:286: EAP-FAST-AUTH-RX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.339: eap_fast.c:255: Content:Handshake Version:0301 Length:0x0033
*EAP Framework: Jan 18 12:08:22.339: eap_core.c:1422: Payload: 0100002F03014F16A8262631FC9DC042 ...
*EAP Framework: Jan 18 12:08:22.340: eap_fast.c:202: Handshake type:Client Hello Length:0x002F
*EAP Framework: Jan 18 12:08:22.340: eap_core.c:1422: Payload: 03014F16A8262631FC9DC042253D3E24 ...
*EAP Framework: Jan 18 12:08:22.340: eap_fast_auth.c-AUTH-EVENT: TLS_RSA_WITH_AES_128 proposed...
*EAP Framework: Jan 18 12:08:22.341: eap_fast_auth.c-AUTH-EVENT: TLS_DHE_RSA_WITH_AES_128_CBC_SHA proposed...
*EAP Framework: Jan 18 12:08:22.341: eap_fast_auth.c-AUTH-EVENT: TLS_RSA_WITH_RC4_128 proposed...
*EAP Framework: Jan 18 12:08:22.341: eap_fast_auth.c-AUTH-EVENT: TLS_DH_anon_WITH_AES_128_CBC_SHA proposed...
*EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT: Proposed ciphersuite(s):
*EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT: TLS_RSA_WITH_AES_128_CBC_SHA
*EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*EAP Framework: Jan 18 12:08:22.342: eap_fast.c-EVENT: TLS_RSA_WITH_RC4_128_SHA
*EAP Framework: Jan 18 12:08:22.343: eap_fast.c-EVENT: TLS_DH_anon_WITH_AES_128_CBC_SHA
*EAP Framework: Jan 18 12:08:22.343: eap_fast.c-EVENT: Selected ciphersuite:
*EAP Framework: Jan 18 12:08:22.343: eap_fast.c-EVENT: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*EAP Framework: Jan 18 12:08:22.343: eap_fast_auth.c-AUTH-EVENT: Building Provisioning Server Hello
*EAP Framework: Jan 18 12:08:22.344: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.344: eap_fast.c:255: Content:Handshake Version:0301 Length:0x002A
*EAP Framework: Jan 18 12:08:22.344: eap_core.c:1422: Payload: 0200002603015F3325EADF12E6296F91 ...
*EAP Framework: Jan 18 12:08:22.344: eap_fast.c:202: Handshake type:Server Hello Length:0x0026
*EAP Framework: Jan 18 12:08:22.345: eap_core.c:1422: Payload: 03015F3325EADF12E6296F91530FE67F ...
*EAP Framework: Jan 18 12:08:22.345: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.345: eap_fast.c:255: Content:Handshake Version:0301 Length:0x0B54
*EAP Framework: Jan 18 12:08:22.346: eap_core.c:1422: Payload: 0B000B50000B4D00059F3082059B3082 ...
*EAP Framework: Jan 18 12:08:22.346: eap_fast.c:202: Handshake type:Certificate Length:0x0B50
*EAP Framework: Jan 18 12:08:22.346: eap_core.c:1422: Payload: 000B4D00059F3082059B30820483A003 ...
*EAP Framework: Jan 18 12:08:22.347: eap_fast_crypto.c-EVENT: Starting Diffie Hellman phase 1 ...
*EAP Framework: Jan 18 12:08:22.661: eap_fast_crypto.c-EVENT: Diffie Hellman phase 1 complete
*EAP Framework: Jan 18 12:08:22.677: IOS_PKI_SHIM: PKI_SignMessage PostHashEncrypt ret SUCCESS.. op_len 128
*EAP Framework: Jan 18 12:08:22.678: eap_fast_auth.c-AUTH-EVENT: DH signature length = 128
*EAP Framework: Jan 18 12:08:22.678: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.678: eap_fast.c:255: Content:Handshake Version:0301 Length:0x028D
*EAP Framework: Jan 18 12:08:22.679: eap_core.c:1422: Payload: 0C0002890100FFFFFFFFFFFFFFFFC90F ...
*EAP Framework: Jan 18 12:08:22.679: eap_fast.c:202: Handshake type:Server Key Exchange Length:0x0289
*EAP Framework: Jan 18 12:08:22.679: eap_core.c:1422: Payload: 0100FFFFFFFFFFFFFFFFC90FDAA22168 ...
*EAP Framework: Jan 18 12:08:22.679: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.680: eap_fast.c:255: Content:Handshake Version:0301 Length:0x000B
*EAP Framework: Jan 18 12:08:22.680: eap_core.c:1422: Payload: 0D00000704030401020000
*EAP Framework: Jan 18 12:08:22.680: eap_fast.c:202: Handshake type:Certificate Request Length:0x0007
*EAP Framework: Jan 18 12:08:22.680: eap_core.c:1422: Payload: 04030401020000
*EAP Framework: Jan 18 12:08:22.681: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.681: eap_fast.c:255: Content:Handshake Version:0301 Length:0x0004
*EAP Framework: Jan 18 12:08:22.681: eap_core.c:1422: Payload: 0E000000
*EAP Framework: Jan 18 12:08:22.681: eap_fast.c:202: Handshake type:Server Done Length:0x0000
*EAP Framework: Jan 18 12:08:22.682: eap_fast_auth.c-AUTH-EVENT: Sending Provisioning Serving Hello
*EAP Framework: Jan 18 12:08:22.682: eap_fast_auth.c-AUTH-SM: Changing state: Start -> Sent provisioning Server Hello
*EAP Framework: Jan 18 12:08:22.682: eap_fast.c-EVENT: Tx packet fragmentation required
*EAP Framework: Jan 18 12:08:22.683: eap_fast.c:2367: eap-fast tx packet:
*EAP Framework: Jan 18 12:08:22.683: eap_fast.c:138: Version: 1 Flags:LM Length:0x03DE
*EAP Framework: Jan 18 12:08:22.683: eap_core.c:1422: Payload: 160301002A0200002603015F3325EADF ...
*EAP Framework: Jan 18 12:08:22.684: eap_fast.c-TX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:22.684: eap_core.c:1484: Code:REQUEST ID:0x 0 Length:0x03e8 Type:FAST
*EAP Framework: Jan 18 12:08:22.684: eap_core.c:1422: Payload: C100000E33160301002A020000260301 ...
*EAP Framework: Jan 18 12:08:22.684: EAP-AUTH-EVENT: EAP method state: Continue
*EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-EVENT: EAP method decision: Unknown
*EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-EVENT: Current method = 43
*EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
*EAP Framework: Jan 18 12:08:22.685: EAP-AUTH-TX-PAK:
*EAP Framework: Jan 18 12:08:22.685: eap_core.c:1484: Code:REQUEST ID:0x 3 Length:0x03e8 Type:FAST
*EAP Framework: Jan 18 12:08:22.686: eap_core.c:1422: Payload: C100000E33160301002A020000260301 ...
*EAP Framework: Jan 18 12:08:22.686: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.686: EAP-EVENT: Started EAP tick timer
*EAP Framework: Jan 18 12:08:22.686: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.686: LOCAL_AUTH: Found matching context for id - 319
*EAP Framework: Jan 18 12:08:22.687: LOCAL_AUTH: (EAP:319) transmit event
*EAP Framework: Jan 18 12:08:22.687: AuthorizationResponse: 0x13c713fc
*EAP Framework: Jan 18 12:08:22.687: structureSize................................1048*EAP Framework: Jan 18 12:08:22.687: resultCode...................................255*EAP Framework: Jan 18 12:08:22.687: protocolUsed.................................0x00000080*EAP Framework: Jan 18 12:08:22.688: proxyState...................................18:3D:A2:0A:EC:BC-02:01*EAP Framework: Jan 18 12:08:22.688: Packet contains 1 AVPs (not shown)*EAP Framework: Jan 18 12:08:22.688: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 3e8
*EAP Framework: Jan 18 12:08:22.688: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
*aaaQueueReader: Jan 18 12:08:22.700: LOCAL_AUTH: EAP: Received an auth request
*aaaQueueReader: Jan 18 12:08:22.701: LOCAL_AUTH: Found context matching MAC address - 319
*aaaQueueReader: Jan 18 12:08:22.701: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 3) to EAP subsys
*EAP Framework: Jan 18 12:08:22.701: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.701: EAP-AUTH-RX-PAK:
*EAP Framework: Jan 18 12:08:22.702: eap_core.c:1484: Code:RESPONSE ID:0x 3 Length:0x0006 Type:FAST
*EAP Framework: Jan 18 12:08:22.702: eap_core.c:1422: Payload: 01
*EAP Framework: Jan 18 12:08:22.702: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.703: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
*EAP Framework: Jan 18 12:08:22.703: EAP-AUTH-EVENT: EAP Response type = Method (43)
*EAP Framework: Jan 18 12:08:22.703: EAP-AUTH-EVENT: Sending method data for context 0x78000041
*EAP Framework: Jan 18 12:08:22.704: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.704: eap_fast.c-AUTH-EVENT: eap_fast_rx_packet(): EAP Fast NoData (0x2b)
*EAP Framework: Jan 18 12:08:22.704: eap_fast.c:2367: eap-fast tx packet:
*EAP Framework: Jan 18 12:08:22.704: eap_fast.c:138: Version: 1 Flags:M Length:0x03E2
*EAP Framework: Jan 18 12:08:22.705: eap_core.c:1422: Payload: 3A2F2F2F434E3D4A656E6F7074696B25 ...
*EAP Framework: Jan 18 12:08:22.705: eap_fast.c-TX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:22.705: eap_core.c:1484: Code:REQUEST ID:0x 0 Length:0x03e8 Type:FAST
*EAP Framework: Jan 18 12:08:22.705: eap_core.c:1422: Payload: 413A2F2F2F434E3D4A656E6F7074696B ...
*EAP Framework: Jan 18 12:08:22.706: EAP-AUTH-EVENT: EAP method state: Continue
*EAP Framework: Jan 18 12:08:22.706: EAP-AUTH-EVENT: EAP method decision: Unknown
*EAP Framework: Jan 18 12:08:22.706: EAP-AUTH-EVENT: Current method = 43
*EAP Framework: Jan 18 12:08:22.706: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
*EAP Framework: Jan 18 12:08:22.707: EAP-AUTH-TX-PAK:
*EAP Framework: Jan 18 12:08:22.707: eap_core.c:1484: Code:REQUEST ID:0x 4 Length:0x03e8 Type:FAST
*EAP Framework: Jan 18 12:08:22.707: eap_core.c:1422: Payload: 413A2F2F2F434E3D4A656E6F7074696B ...
*EAP Framework: Jan 18 12:08:22.707: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.708: EAP-EVENT: Started EAP tick timer
*EAP Framework: Jan 18 12:08:22.708: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.708: LOCAL_AUTH: Found matching context for id - 319
*EAP Framework: Jan 18 12:08:22.708: LOCAL_AUTH: (EAP:319) transmit event
*EAP Framework: Jan 18 12:08:22.709: AuthorizationResponse: 0x13c713fc
*EAP Framework: Jan 18 12:08:22.709: structureSize................................1048*EAP Framework: Jan 18 12:08:22.709: resultCode...................................255*EAP Framework: Jan 18 12:08:22.709: protocolUsed.................................0x00000080*EAP Framework: Jan 18 12:08:22.710: proxyState...................................18:3D:A2:0A:EC:BC-02:02*EAP Framework: Jan 18 12:08:22.710: Packet contains 1 AVPs (not shown)*EAP Framework: Jan 18 12:08:22.710: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 3e8
*EAP Framework: Jan 18 12:08:22.711: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
*aaaQueueReader: Jan 18 12:08:22.723: LOCAL_AUTH: EAP: Received an auth request
*aaaQueueReader: Jan 18 12:08:22.723: LOCAL_AUTH: Found context matching MAC address - 319
*aaaQueueReader: Jan 18 12:08:22.724: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 4) to EAP subsys
*EAP Framework: Jan 18 12:08:22.724: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.725: EAP-AUTH-RX-PAK:
*EAP Framework: Jan 18 12:08:22.725: eap_core.c:1484: Code:RESPONSE ID:0x 4 Length:0x0006 Type:FAST
*EAP Framework: Jan 18 12:08:22.725: eap_core.c:1422: Payload: 01
*EAP Framework: Jan 18 12:08:22.725: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.726: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
*EAP Framework: Jan 18 12:08:22.726: EAP-AUTH-EVENT: EAP Response type = Method (43)
*EAP Framework: Jan 18 12:08:22.726: EAP-AUTH-EVENT: Sending method data for context 0x78000041
*EAP Framework: Jan 18 12:08:22.726: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.727: eap_fast.c-AUTH-EVENT: eap_fast_rx_packet(): EAP Fast NoData (0x2b)
*EAP Framework: Jan 18 12:08:22.727: eap_fast.c:2367: eap-fast tx packet:
*EAP Framework: Jan 18 12:08:22.727: eap_fast.c:138: Version: 1 Flags:M Length:0x03E2
*EAP Framework: Jan 18 12:08:22.728: eap_core.c:1422: Payload: BD84CC4BF49A766267DA94429BEBE087 ...
*EAP Framework: Jan 18 12:08:22.728: eap_fast.c-TX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:22.728: eap_core.c:1484: Code:REQUEST ID:0x 0 Length:0x03e8 Type:FAST
*EAP Framework: Jan 18 12:08:22.728: eap_core.c:1422: Payload: 41BD84CC4BF49A766267DA94429BEBE0 ...
*EAP Framework: Jan 18 12:08:22.729: EAP-AUTH-EVENT: EAP method state: Continue
*EAP Framework: Jan 18 12:08:22.729: EAP-AUTH-EVENT: EAP method decision: Unknown
*EAP Framework: Jan 18 12:08:22.729: EAP-AUTH-EVENT: Current method = 43
*EAP Framework: Jan 18 12:08:22.729: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
*EAP Framework: Jan 18 12:08:22.730: EAP-AUTH-TX-PAK:
*EAP Framework: Jan 18 12:08:22.730: eap_core.c:1484: Code:REQUEST ID:0x 5 Length:0x03e8 Type:FAST
*EAP Framework: Jan 18 12:08:22.730: eap_core.c:1422: Payload: 41BD84CC4BF49A766267DA94429BEBE0 ...
*EAP Framework: Jan 18 12:08:22.731: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.731: EAP-EVENT: Started EAP tick timer
*EAP Framework: Jan 18 12:08:22.731: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.731: LOCAL_AUTH: Found matching context for id - 319
*EAP Framework: Jan 18 12:08:22.732: LOCAL_AUTH: (EAP:319) transmit event
*EAP Framework: Jan 18 12:08:22.732: AuthorizationResponse: 0x13c713fc
*EAP Framework: Jan 18 12:08:22.732: structureSize................................1048*EAP Framework: Jan 18 12:08:22.732: resultCode...................................255*EAP Framework: Jan 18 12:08:22.733: protocolUsed.................................0x00000080*EAP Framework: Jan 18 12:08:22.733: proxyState...................................18:3D:A2:0A:EC:BC-02:03*EAP Framework: Jan 18 12:08:22.733: Packet contains 1 AVPs (not shown)*EAP Framework: Jan 18 12:08:22.734: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 3e8
*EAP Framework: Jan 18 12:08:22.734: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
*aaaQueueReader: Jan 18 12:08:22.746: LOCAL_AUTH: EAP: Received an auth request
*aaaQueueReader: Jan 18 12:08:22.747: LOCAL_AUTH: Found context matching MAC address - 319
*aaaQueueReader: Jan 18 12:08:22.747: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 5) to EAP subsys
*EAP Framework: Jan 18 12:08:22.747: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.747: EAP-AUTH-RX-PAK:
*EAP Framework: Jan 18 12:08:22.748: eap_core.c:1484: Code:RESPONSE ID:0x 5 Length:0x0006 Type:FAST
*EAP Framework: Jan 18 12:08:22.748: eap_core.c:1422: Payload: 01
*EAP Framework: Jan 18 12:08:22.748: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.749: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
*EAP Framework: Jan 18 12:08:22.749: EAP-AUTH-EVENT: EAP Response type = Method (43)
*EAP Framework: Jan 18 12:08:22.749: EAP-AUTH-EVENT: Sending method data for context 0x78000041
*EAP Framework: Jan 18 12:08:22.750: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.750: eap_fast.c-AUTH-EVENT: eap_fast_rx_packet(): EAP Fast NoData (0x2b)
*EAP Framework: Jan 18 12:08:22.750: eap_fast.c:2367: eap-fast tx packet:
*EAP Framework: Jan 18 12:08:22.750: eap_fast.c:138: Version: 1 Flags: Length:0x0291
*EAP Framework: Jan 18 12:08:22.751: eap_core.c:1422: Payload: 34C4C6628B80DC1CD129024E088A67CC ...
*EAP Framework: Jan 18 12:08:22.751: eap_fast.c-TX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:22.751: eap_core.c:1484: Code:REQUEST ID:0x 0 Length:0x0297 Type:FAST
*EAP Framework: Jan 18 12:08:22.751: eap_core.c:1422: Payload: 0134C4C6628B80DC1CD129024E088A67 ...
*EAP Framework: Jan 18 12:08:22.751: EAP-AUTH-EVENT: EAP method state: Continue
*EAP Framework: Jan 18 12:08:22.751: EAP-AUTH-EVENT: EAP method decision: Unknown
*EAP Framework: Jan 18 12:08:22.752: EAP-AUTH-EVENT: Current method = 43
*EAP Framework: Jan 18 12:08:22.752: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
*EAP Framework: Jan 18 12:08:22.752: EAP-AUTH-TX-PAK:
*EAP Framework: Jan 18 12:08:22.752: eap_core.c:1484: Code:REQUEST ID:0x 6 Length:0x0297 Type:FAST
*EAP Framework: Jan 18 12:08:22.752: eap_core.c:1422: Payload: 0134C4C6628B80DC1CD129024E088A67 ...
*EAP Framework: Jan 18 12:08:22.753: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.753: EAP-EVENT: Started EAP tick timer
*EAP Framework: Jan 18 12:08:22.753: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.753: LOCAL_AUTH: Found matching context for id - 319
*EAP Framework: Jan 18 12:08:22.753: LOCAL_AUTH: (EAP:319) transmit event
*EAP Framework: Jan 18 12:08:22.754: AuthorizationResponse: 0x13c713fc
*EAP Framework: Jan 18 12:08:22.754: structureSize................................711*EAP Framework: Jan 18 12:08:22.754: resultCode...................................255*EAP Framework: Jan 18 12:08:22.754: protocolUsed.................................0x00000080*EAP Framework: Jan 18 12:08:22.754: proxyState...................................18:3D:A2:0A:EC:BC-02:04*EAP Framework: Jan 18 12:08:22.754: Packet contains 1 AVPs (not shown)*EAP Framework: Jan 18 12:08:22.755: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 297
*EAP Framework: Jan 18 12:08:22.755: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
*aaaQueueReader: Jan 18 12:08:22.830: LOCAL_AUTH: EAP: Received an auth request
*aaaQueueReader: Jan 18 12:08:22.830: LOCAL_AUTH: Found context matching MAC address - 319
*aaaQueueReader: Jan 18 12:08:22.830: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 6) to EAP subsys
*EAP Framework: Jan 18 12:08:22.831: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.831: EAP-AUTH-RX-PAK:
*EAP Framework: Jan 18 12:08:22.831: eap_core.c:1484: Code:RESPONSE ID:0x 6 Length:0x015c Type:FAST
*EAP Framework: Jan 18 12:08:22.831: eap_core.c:1422: Payload: 810000015216030100070B0000030000 ...
*EAP Framework: Jan 18 12:08:22.831: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.831: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
*EAP Framework: Jan 18 12:08:22.832: EAP-AUTH-EVENT: EAP Response type = Method (43)
*EAP Framework: Jan 18 12:08:22.832: EAP-AUTH-EVENT: Sending method data for context 0x78000041
*EAP Framework: Jan 18 12:08:22.832: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.832: eap_fast.c-AUTH-EVENT: Process Response, type: 0x2b
*EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
*EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-RX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:22.832: eap_core.c:1484: Code:RESPONSE ID:0x 6 Length:0x015c Type:FAST
*EAP Framework: Jan 18 12:08:22.832: eap_core.c:1422: Payload: 810000015216030100070B0000030000 ...
*EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-AUTH-EVENT: Received TLS record type: Handshake in state: Sent provisioning Server Hello
*EAP Framework: Jan 18 12:08:22.832: eap_fast_auth.c-AUTH-EVENT: Reading Client Certificate handshake
*EAP Framework: Jan 18 12:08:22.832: eap_fast.c:286: EAP-FAST-AUTH-RX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.832: eap_fast.c:255: Content:Handshake Version:0301 Length:0x0007
*EAP Framework: Jan 18 12:08:22.832: eap_core.c:1422: Payload: 0B000003000000
*EAP Framework: Jan 18 12:08:22.832: eap_fast.c:202: Handshake type:Certificate Length:0x0003
*EAP Framework: Jan 18 12:08:22.832: eap_core.c:1422: Payload: 000000
*EAP Framework: Jan 18 12:08:22.833: eap_fast.c-EVENT: Client Certificate handshake empty
*EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-EVENT: Rx'd I-ID: "EAP-FAST I-ID" from Peer Cert
*EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-ERROR: Required cert not provided by client
*EAP Framework: Jan 18 12:08:22.833: eap_fast.c:286: EAP-FAST-AUTH-TX-TLS-RECORD:
*EAP Framework: Jan 18 12:08:22.833: eap_fast.c:255: Content:Alert Version:0301 Length:0x0002
*EAP Framework: Jan 18 12:08:22.833: eap_core.c:1422: Payload: 0228
*EAP Framework: Jan 18 12:08:22.833: eap_fast_auth.c-AUTH-SM: Changing state: Sent provisioning Server Hello -> Alert
*EAP Framework: Jan 18 12:08:22.833: eap_fast.c:2367: eap-fast tx packet:
*EAP Framework: Jan 18 12:08:22.833: eap_fast.c:138: Version: 1 Flags:L Length:0x0007
*EAP Framework: Jan 18 12:08:22.833: eap_core.c:1422: Payload: 15030100020228
*EAP Framework: Jan 18 12:08:22.833: eap_fast.c-TX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:22.833: eap_core.c:1484: Code:REQUEST ID:0x 0 Length:0x0011 Type:FAST
*EAP Framework: Jan 18 12:08:22.833: eap_core.c:1422: Payload: 810000000715030100020228
*EAP Framework: Jan 18 12:08:22.833: EAP-AUTH-EVENT: EAP method state: Continue
*EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-EVENT: EAP method decision: Fail
*EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-EVENT: Current method = 43
*EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-EVENT: Sending packet to lower layer for context 0x78000041
*EAP Framework: Jan 18 12:08:22.834: EAP-AUTH-TX-PAK:
*EAP Framework: Jan 18 12:08:22.834: eap_core.c:1484: Code:REQUEST ID:0x 7 Length:0x0011 Type:FAST
*EAP Framework: Jan 18 12:08:22.834: eap_core.c:1422: Payload: 810000000715030100020228
*EAP Framework: Jan 18 12:08:22.834: EAP-EVENT: Started 'Authenticator Retransmit' timer (60) for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.834: EAP-EVENT: Started EAP tick timer
*EAP Framework: Jan 18 12:08:22.834: EAP-EVENT: Sending lower layer event 'EAP_TX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.834: LOCAL_AUTH: Found matching context for id - 319
*EAP Framework: Jan 18 12:08:22.834: LOCAL_AUTH: (EAP:319) transmit event
*EAP Framework: Jan 18 12:08:22.834: AuthorizationResponse: 0x13c713fc
*EAP Framework: Jan 18 12:08:22.834: structureSize................................65*EAP Framework: Jan 18 12:08:22.834: resultCode...................................255*EAP Framework: Jan 18 12:08:22.835: protocolUsed.................................0x00000080*EAP Framework: Jan 18 12:08:22.835: proxyState...................................18:3D:A2:0A:EC:BC-02:05*EAP Framework: Jan 18 12:08:22.835: Packet contains 1 AVPs (not shown)*EAP Framework: Jan 18 12:08:22.835: LOCAL_AUTH: AAA LOCAL AUTH EAP PKT AVP attribute 4f length 11
*EAP Framework: Jan 18 12:08:22.835: LOCAL_AUTH: AAA LOCAL AUTH TX PKT DUMP code cc id 00 type 2b
*aaaQueueReader: Jan 18 12:08:22.838: LOCAL_AUTH: EAP: Received an auth request
*aaaQueueReader: Jan 18 12:08:22.838: LOCAL_AUTH: Found context matching MAC address - 319
*aaaQueueReader: Jan 18 12:08:22.838: LOCAL_AUTH: (EAP:319) Sending the Rxd EAP packet (id 7) to EAP subsys
*EAP Framework: Jan 18 12:08:22.838: EAP-EVENT: Received event 'EAP_RX_PACKET' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.839: EAP-AUTH-RX-PAK:
*EAP Framework: Jan 18 12:08:22.839: eap_core.c:1484: Code:RESPONSE ID:0x 7 Length:0x0006 Type:FAST
*EAP Framework: Jan 18 12:08:22.839: eap_core.c:1422: Payload: 01
*EAP Framework: Jan 18 12:08:22.839: EAP-EVENT: Stopping 'Authenticator Retransmit' timer for EAP session handle 0x78000041
*EAP Framework: Jan 18 12:08:22.839: EAP-AUTH-EVENT: EAP Response received by context 0x78000041
*EAP Framework: Jan 18 12:08:22.839: EAP-AUTH-EVENT: EAP Response type = Method (43)
*EAP Framework: Jan 18 12:08:22.839: EAP-AUTH-EVENT: Sending method data for context 0x78000041
*EAP Framework: Jan 18 12:08:22.839: EAP-EVENT: Sending method directive 'Receive Packet' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.839: eap_fast.c-AUTH-EVENT: eap_fast_rx_packet(): EAP Fast NoData (0x2b)
*EAP Framework: Jan 18 12:08:22.840: eap_fast.c-AUTH-EVENT: Process Response, type: 0x2b
*EAP Framework: Jan 18 12:08:22.840: eap_fast_auth.c-AUTH-EVENT: Process Response (EAP handle = 0x78000041)
*EAP Framework: Jan 18 12:08:22.840: eap_fast_auth.c-RX-AUTH-PAK:
*EAP Framework: Jan 18 12:08:22.840: eap_core.c:1484: Code:RESPONSE ID:0x 7 Length:0x0006 Type:FAST
*EAP Framework: Jan 18 12:08:22.840: eap_core.c:1422: Payload: 01
*EAP Framework: Jan 18 12:08:22.840: eap_fast_auth.c-AUTH-EVENT: Received ACK from peer
*EAP Framework: Jan 18 12:08:22.840: EAP-AUTH-EVENT: EAP method state: Done
*EAP Framework: Jan 18 12:08:22.840: EAP-AUTH-EVENT: EAP method decision: Fail
*EAP Framework: Jan 18 12:08:22.840: EAP-EVENT: Received get canned status from lower layer (0x78000041)
*EAP Framework: Jan 18 12:08:22.840: EAP-EVENT: Sending method directive 'Free Context' on handle 0x78000041
*EAP Framework: Jan 18 12:08:22.840: eap_fast.c-EVENT: Free context (EAP handle = 0x78000041)
*EAP Framework: Jan 18 12:08:22.840: id_manager.c-AUTH-SM: Entry deleted fine id f700000e - id_delete
*EAP Framework: Jan 18 12:08:22.840: IOS_PKI_SHIM: Session 0x335ee108 deleted
*EAP Framework: Jan 18 12:08:2Now we found the reason.
The WLC doesn´t work with the Sub CA respectively with chain certificates for device authentication.
"Support for Chained Certificate
In controller versions earlier than 5.1.151.0, web authentication certificates can be only device certificates and should not contain the CA roots chained to the device certificate (no chained certificates).
With controller version 5.1.151.0 and later, the controller allows for the device certificate to be downloaded as a chained certificate for web authentication.
Certificate Levels
Level 0—Use of only a server certificate on WLC.
Level 1—Use of server certificate on WLC and a CA root certificate.
Level 2—Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate.
Level 3—Use of server certificate on WLC, two CA intermediate certificates, and a CA root certificate.
WLC does not support chained certificates more than 10KB size on the WLC.
Note: Chained certificates are supported for web authentication only; they are not supported for the management certificate."
So the WLC can´t decode the peer certificate. -
WLC, ISE certificate authentication issue
Hi Folks,
This is the setup:
Redundant pair of WLC 5508 (version 7.5.102.0)
Redundant Pair of ISE (Version 1.2.0.899)
The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources)
There is a rule based authentication profile which queries the AD identity source when it receives wireless 802.1x authentication requests.
A corporate WLAN is configured on the WLC:
L2 security WPA+WPA2 (AES Encryption), ISE server 1 and 2 configured as the AAA Authentication servers.
This is all working correctly - I associate to the Corp WLAN (Authentication WPA2 enterprise, encryption AES CCMP, 802.1x auth MS-CHAPv2 using AD credentials) ... I can see the authentication request being processed correctly by the ISE, and I get access to the network.
The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.
I took a test laptop, and requested a new certificate (mmc, add snapin, certificates, current user, personal, request new cert).
The cert that was issued was signed only by a Corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself). I changed the security settings of my connection to the corp wlan (using TLS instead of mschapv2, and pointing to the certificate I requested)
Initally authentication failed because the ISE did not trust the CA that provided my certificate (the ISE radius authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').
I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import) - status of the cert is enabled, and it is trusted for client auth.
After I did this, I could no longer associate to the Corp WLAN.
My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.
The ISE troubleshooting tool reported no new failed or successful authentication attempts.
Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.
It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE. Other users who authenticate using their AD credentials only (as I described above) can still authenticate ok.
Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?
Thanks in advance,
DarraghHi,
I had the same issue with microsoft CA and running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify if the client CA matches the root CA via openssl.
Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ise and check if that works. Also check if "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit, is set.
If this does not work, try to import the CA into another system and export it, then import into ISE.
Regards, -
WLC to ISE authentication for Guest
Hi Experts,
Hope if you could guide me with our setup for Guest users. Below is what we are doing
a) Guest connects to SSID
b) WLC is being used to redirect Guest HTTP to WLC internal Portal
c) WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
The guest connects to SSID and does get WLC portal for authentication, when the username and password entered on Cisco ISE i see error message as
'User Identity not found in any of Identity Store' though it is going through correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if i am missing anything here.
Appreciate your helpThe first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
Please follow below guide for step by step configuration:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml -
External Authentication 2106 WLC help
Hello,
We have setup a 2160 WLC for external authentication so that we can control the look and feel of the web pages a bit better.
I wanted to better understand how to setup the page to handle errors. I'm trying to determine how the errors get posted back to the external web page.
My understanding is that the form is "POST" to the 1.1.1.1, when it redirects to the external web auth due to an error are the values (error codes, redirect url, etc) appended to the query string?
If they are appeded to the query string...what are the variable names we should be looking for?
Thanks in advanceJosh,
I would recommend reviewing the source within the Web Authentication templates for info on customizable error codes... available on Cisco.com:
Wireless -> WLCs -> Select a model -> Web Authentication Bundle
Best,
Drew
Sent from Cisco Technical Support
iPhone App -
Certificate based authentication with Cisco WLC and Juniper IC
Hi
I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
My question is can cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate.
i have also looked at this article :
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
What i don't understand here is the need of WLC authenticating the user with his credentials by LDAP when it has authenticated the user cert.
All your help is appreciated.Hi,
Since you use an external radius server you don't have to worry for this.
The only config that you need to do on WLC is to define the radius server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
The doc you refer is only for Local Radius on WLC.
Hope this helps
Regards,
Christos -
Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921
Hi All,
I install WLC to provide Wlan architecture and the project was extended for VoWLAN. we have 7921 and E51 running over the wide WLAN architecture.
Computer using Data over wirless are working over PEAP done by ACS and CA signed certificate + user secret on PC is link to the domain account and secret stay the login and password. Our problem is that user and password is link via ACS to Active Directory. The policy of password is to change frequently.
For the Phone we are actually running authentication over Leap but I'm working to define the best security solution for us.
I confront PEAP and Eap-TLS for now:
1) PEAP check the authentication of ACS via certificate trust and authenticate via MS-Chapv2 and the secret password known by user. My problem here is the phone can only be static what is potentially not acceptable
2) Eap-tls which is the best secured security due to the double side certificate authentication + (login / password) on the phone
so I need to manage here Certificate Management ? I mean I can use either the MIC CA certificate on the phone or User CA defined one which I can put on ACS or Local EAP WLC and the put the ACS CA trust on the Phone.
If I understood well I have to put User.cer and ACS_CA.cer on each phone and pout the User_CA on the ACS ?
I have already Certificate on the ACS signed by CA (like veri-signed) so I must create CSR for any phones to be able to use the same CA ?
I'm thinking to use also the local Eap certificate of Controller to manage all of that to avoid every potential money to pay to the trust CA of ACS
can you help me to know if I understood everything good ? I would be please to exchange experience on that
thanks ;)
byeI am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
Setup a Microsoft Certificate server as my
CA. You can use same machine wih your ACS and CA.
Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.
On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.
At that poit you should be able to connect you r wireless client using EAP-TLS. -
4400 WLC Layer 3 Authentication Status for WLAN Clients
We have 3 4400 series WLC's(wireless LAN controllers). Two 4404 WLC's are on the "inside" of our network and all AP's (access points) on our network use these two WLC's as the primary or secondary controller. The 4402 WLC Anchor controller resides in our DMZ and is used for WLANs that are more oriented for guest usage. These guest WLANs are configured on the inside controllers also, but are "anchored" to the 4402. On the anchor controller we are using layer 3 Web Authentication for the WLAN "Guest". This WLAN uses the internal web-auth page within the anchor controller and a username/password combo that is locally defined on the anchor controller.
Functionally there is no issue. Users connecting to the WLAN are presented with the web-auth page upon connecting to the WLAN and opening a web browser. The issue is how the layer 3 authentication information is presented on the Monitor Clients page of the "inside" WLC's management screen as compared to the "anchor" WLC.
For example, if we log in to the anchor controller and then click Monitor, then Client, then Change Filter and choose any WLAN requiring layer 3 authentication on the Anchor controller, there will be a list of all clients currently associated. In the Column with the "Auth" heading it shows the Layer 3 Authentication status of the clients. For example, if there are 15 clients associated to WLAN SSID "Guest", but only 5 of them have opened their web browsers and correctly logged in, then this will be correctly displayed. The 5 who have logged in will show "Yes" and the other 10 will show "No" in the Auth column.
Now...the problem...on the inside controllers...if we do the same thing (monitor, clients, filter for WLAN SSID "Guest"), all 15 will show "Yes" under the Auth column. In most cases the 15 clients will be distributed accross both controllers (maybe 6 on one, and 9 on the other WLC), but both inside controllers will display all clients as having a layer 3 authentication status of "Yes". We have proven over and over that this is not accurate. This is very inconvenient because the "Client Count" reports we run on the WCS server reflect the same information as the "inside" controllers. The WSC reports will show all 15 as Authenticated and they are not. We have proven many times that the anchor WLC is the only controller accuratly conveying this info.
Also, the engineers who helped with our network install have reproduced the same behavior in a lab with an anchor and inside controller directly connected. They suggested it may be a code bug with the 4400 series WLC. We are running controller Software Version 6.0.188.0 on all 3 controllers.
Please let me know what you think may be causing this issue. Any help or advice is greatly appreciated!Hi,
We run version 7.0 on the WCS and WLCs but I thought I'd try the report and see what I got. The result is a line graph with the number of associated and authenticated clients superimposed. I'm not sure how useful a report of this nature is.
It doesn't inspire confidence: when I specifiy the guest wireless SSID I get zero clients! I know there have been guest clients authenticated during the report period I spec'd.
Scott -
Enable WebAuth on WLC to intercept https (or https redirection) for authentication
Hi all
My company is using WLC with Guest access feature, and use Layer 3 security authentication to permit only Guests who provided valid user/password to access.
But we met a issue that, when guests connect to Guest SSID successful, on PC they have to open web browser and access to 1 website by http, after that WLC will intercept and redirect to authentication page.
If customer access to https (as google, gmail, ...) WLC cannot intercept and redirect to authentication. Because almost customers access to https://google.com at first by their habit.
On my firewall, I can do intercept by both http and https, so I wonder on WLC I can enable intercepting and redirecting to authentication of https also
If possible, please advice us how to enable this feature.
Regards
Hai Dao TuanThanks all
I also just found a link that mentions about this case clearly and commands to enable it
https://supportforums.cisco.com/document/12398536/understanding-https-redirect-over-web-auth
(WLC)> config wlan security web-auth enable <wlan-id>
(WLC)> config network web-auth https-redirect enable -
WLC web authentication ACL to allow internet surfing only
Hi forumers'
I would like to restrict web authentication user to access to my other network devices. web authentication user only cna goto internet, that's all.
according to my attachment, am i writing the right ACL syntax and apply this at the web authentication interface?
i also try on this ACL at my core switch but seem not success.
ip access-list extended ACL-VLAN-20
permit tcp 172.16.20.0 0.0.0.255 host 1.1.1.1
permit tcp 172.16.20.0 0.0.0.255 host 2.1.1.1
permit tcp 172.16.20.0 0.0.0.255 any eq 80
permit tcp 172.16.20.0 0.0.0.255 any eq 443
deny tcp 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31
deny tcp 172.16.20.0 0.0.0.255 host 172.16.1.100
int vlan 20
ip access-group ACL-VLAN-20 in
any problem with it?
well, as long as can block web authenticaiton user only goto internet then serve my purpose
thanks
NoelThis should work
deny ip 172.16.20.0 0.0.0.255 172.16.1.0 0.0.0.31 (deny all IP traffic from guest to internal)
permit udp 172.16.20.0 0.0.0.255 any eq 53 (or list the specific servers you want them to use)
permit tcp 172.16.20.0 0.0.0.255 any eq 80 (allows HTTP but only outside as the deny stops internal)
permit tcp 172.16.20.0 0.0.0.255 any eq 443 (allows HTTPS but only outside as the deny stops internal)
but you need to add a permit for UDP 53, so that the client can talk to DNS as well, as added above. I also put the deny the access to the internal resources higher in the list, otherwise they are allowed to access your internal HTTP/HTTPS servers. If you want to allow that, it's better to permit the explicit servers
You don't necessarily need to allow the 1.1.1.1 and 2.1.1.1 assuming one these are your virtual interface address
When you do the ACL on the WLC, you need to do the inverse ACL as well. So you need to allow teh 172.16.20.0 and the any to 172.16.20.0
But I'd recommend that you put the ACL on the L3, that way it's easily visible to all the network engineers incase there are issues.
HTH,
Steve -
Hi,
I have a WLC (4404), and it is configured for authentication in ACS.
When I conect in WLC whit browser (HTTPS), I put my username and password from ACS, and it works.
However, if I put the local username in WLC it works.
I would like to disable the username local when ACS works, as I do that?
But when ACS go down a need of the local username...You will not be able to do this like how you can with a router or switch. Locally is checked first prior to tacacs and can't be changed. Maybe speak with you local Cisco wireless SE to see if he can put that as a feature enhancement.
Maybe you are looking for
-
Calculation of output tax A1 in only through Sd but nto through F-22
Hi all, While making posting through SD transaction VA01 by giving output tax code A1,tax is getting calculated but the same tax code A1 when used in TCode F-22 (manual FI posting) tax is not getting calculated even if we check the calculate tax and
-
Files on memory card invisible!
Hai friends, I am using N73 ME with 1 GB memory card. Today when I am trying to save a MP3 file to memory card the phone hang and I restarted it. After that all the folders in the card are doubled except sound and video as cities cities data data doc
-
Setting the color of a node in JTree
Hi all! I'm new to Java and facing a problem with JTrees. I'm using the following snippet to create a JTree : DeafultMutableTreeNode root = new DefaultMutableTeeNode("Letters"); DeafultMutableTreeNode parent1 = new DefaultMutableTeeNode("uppercase");
-
Any way to synchronize without creating file on server
Is there any way to setup Dreamweaver (DW) MX 2004 and 8 so that the Synchronize feature does NOT need to create a file on the server? For my website, I have individual folders under the document root folder that I give write access to various staff
-
Ever since doing a system upgrade and rebooting a few hours ago, my hostname has mysteriously changed at the command prompt. I made no system changes, only did an upgrade and reboot. I've never had this issue before. The prompt should display: user