EAP-TLS auth between 2 1310 bridges

Similar Messages

• EAP/TLS Auth issues

  I have several Aironet 1100 AP's which are configure to use EAP/TLS to authenticate against a Cisco ACS server.
  We are using Aironet 350 pcmcia cards. This setup had been working up until friday when we moved the ACS server to a new IP address. Since then if I try to connect using the Cisco software bundled with the 350 pcmcia card it fails authentication. If I use the windows wireless config it works perfectly. Unfortuantley most of the pcs are running win 2000 so I need to get the cisco software working again.
  In ACS failed Auth logs I get the following message "Invalid message authenticator in EAP request" but from the other AP's I see nothing in the logs.
  I have checked the keys are correct and the user certificate is ok as I can connect using the inbuilt Win XP config util.
  I'm at a bit of a loss as to what to do next.

  Hi Rob,
  The error is common for 802.1x.
  You mentioned the problem started when you assigned new IP to the ACS. Have you tried to generate new ACS cert (running on new IP) again and load it to the client?
  *http://www.ciscotaccc.com/kaidara-advisor/wireless/showcase?case=K56560228
  *http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
  *http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml
  Rgds,
  AK

• WLC Local EAP-TLS auth, certificate ACL feature?

  Hi All,
  I implemented local EAP-TLS authentication according to http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml. All is working fine, clients - Wi-Fi bar code scanners, WLC -2x4402, SV - 7.0.116.0 Certificates generated by Enterprise CA.
  Afterwards, I discovered that certificates cannot be filtered by cname, or user name on WLC. It means that ANY certificate issued by CA will be authenticated against my WLAN. CA issues a whole lot of certificates (RRAS VPNs, WEB clients, etc. ) I want to filter access for my wireless clients using local EAP solution (WLC are at remote location). Can I accomplish it without external RADIUS server? Something like IOS certificate ACL?
  Thanks in advance.

  Thanks Nicolas, sad but true, I failed to find any possibilites at WLC.
  It seems I need to configure external RADIUS and use local EAP only in case of WAN failure.

• Wireless ISE - 12508 EAP-TLS handshake failed

  Hi guys,
  I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication.  In short, all EAP-TLS authentication is failing with the following error.  Below that is the relevant excerpt from the logs:
  Authentication failed : 12508 EAP-TLS handshake failed
  OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown  message digest algorithm:a_verify.c:146:,
  Setup:
  - Single standalone ISE 3355 appliance
  - Two tier MS enterprise PKI (outside of my direct control)
  - WLC 5508
  - Windows 7 laptop\
  - The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
  - The test laptop has both the root and intermediate CA server certificates installed  (individually, not chained) and has an identity certificate from the  intermediate CA.
  Now, I'm pretty new to certs so I'm sure I'm missing something simple here.  One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that.  Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
  This is what TAC came back with, but none of the workarounds helped
  Symptom:
  ========
  EAP-TLS auth handshake  failing with X509 decrypt error. The error presented to the ISE  administrator is "12508: EAP-TLS handshake failed"
  Conditions:
  =========
  EAP-TLS certificate based authentications ISE 1.1.2.145
  Workaround:
  ===========
  1) Reboot or restart ISE  application service 2) Recreate CAP (Certificate Authentication Profile)  3) Toggle between ID sequence and single ID source

  Hi Amjad,
  Thanks for the response.  I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
  Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year).  On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
  The certificate format has not been modified in any way.  The server and identity certs have been pushed out to the clients via GPO. Tthe root and intermediate certs were exported in DER format directly from each the respective CAs and imported directly in to the ISE
  Cheers,
  Owen

• EAP-TLS Error

  Hello.
  I cannot get EAP-TLS auth to work on windows 7 wired setup. I've tested EAP-PEAP on wireless and wired - works fine. Also EAP-TLS for wireless works great. Clients are on same domain as radius (wich is Cisco ISE), we've deployed CA-services on that same domain too and are distributing certificates to clients via GPOs. Authenticators (switchports) are configured correctly, certificates work on EAP-TLS wireless setup, everything seems to be ok, but wired connection still cannot auth and  EAP timeouts.
  Here is the error:
  Logged At: May 14,2013 11:52:12.159 AM
  RADIUS Status: No response received during 120 seconds on last EAP message sent to the client : 5411 No response received during 120 seconds on last EAP message sent to the client

  Have you confirmed that the Supplicant is configured properly for EAP-TLS authentication? I have done this type of deployment many times and haven't had this issue. 
  Thank you for rating helpful posts! 

• WLC 4400: EAP-TLS

  Good day!
  I tried to set up the EAP-TLS according to
  - http://cciew.wordpress.com/2010/06/10/eap-tls-on-the-wlc/
  - http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
  - Jeremy video about EAP-TLS
  The main question is about certificates.
  Tell me if I am wrong -  There are two types of certificates that we need to upload to the WLC:
  1) Device certificate - this is quite clear, OpenSSL, Certificate Request and e.t.c.
  2) CA Root certificate - if there is only one CA Root than clear, but if we have the following chain
  Root CA -> Intermediate CA -> WLC
  a) Do we need to upload the whole chain "Root CA -> Intermediate CA" to the WLC ?
  b) If yes, what format is it going to be? maybe smth like this
  ------BEGIN CERTIFICATE------
  *Intermediate CA cert *
  ------END CERTIFICATE--------
  ------BEGIN CERTIFICATE------
  *Root CA cert *
  ------END CERTIFICATE------

  Nicolas, thank you for your reply!
  1)
  I've already seen the article, but now notice some interesting fact:
  "Note: Chained certificates are supported for web authentication only; they are not supported for the management certificate."
  Regarding this note, do we need to bundle any certificates for EAP-TLS scheme?
  2)
  On the WLC we have an opportunity to download two types of Certificates:
  - Vendor Device Certificate - it is made of CSR request and then uploaded to the WLC in .pem format
  - Vendor CA Certificate - this is more interesting:
    Yesterday I bundled Root and Intermediate CA Certificates in one .pem file, then uploaded it to the WLC as "Vendor CA Certificate" - the result was suсcessful! During the EAP-TLS auth process SSL Handshake completed sucessfully and I connected to my EAP WLAN!
  In the controller Client Properties I saw the EAP TLS>
  Everything seems to be ok, strange...
  May be, the chain of Root and Intermediate CA Certificates is the redundant information, but the scheme seems to be working!

• WPA2 security with EAP-TLS user cert auth

  I am investigating the use of EAP-TLS for authenticating clients through a MS NPS radius server for WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key managment. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD certifcate services. PEAP is working fine if we choose that auth method in our NPS radius network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth.  The 802.1x settings specify "User Authentication" and a user cert for the logged in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer. 
  When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and radius requests logged.  On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.
  It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth the cert auth  worked first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.
  Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this or why I'm not seeing any traffic between WLC and NPS radius when attempting cert auth?

  Well Well
  WLC or any AAA client acts in pass through mode after initialy generating EAP-identity request so it has nothing to with EAP type. AAA client will behave the same no matter if you use PEAP , EAP-TLS or LEAP .....
  The error message that you have reported is clearly sayign that your client doesn't have certificate to submit agains the back-end authentication server and accordingly the process fails . If you are not saying anything sent from WLC to NPS , it makes sense , because when the WLC initialy generate eap-identity request your client fails to answer and accordingly nothing is being sent to NPS server.
  In order to verify that we need ' debug client < mac address of the client > ' from the WLC while trying to connect to make sure that is the case.
  Also make sure that your client has certificate that is binded to a user account defined on your AD in away or another to have it working.
  Please make sure to rate correct answers

• EAP-TLS and MS AD auth problem

  Hi,
  I have a problem with an ACS to authenticate users with certificate on MS AD.
  Working things:
  PEAP authentication with the MS AD;
  EAP-TLS authentication with the local DB.
  Not working things:
  EAP-TLS authentication with MS AD.
  Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
  Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
  So, why it's not working with the combination EAP-TLS and MS AD.
  I receive the error 'External DB Account Restriction'
  Thanks for your help.

  This issue is generally seens when there are multiple domains. Try out this step. Choose Network Connections from the control panel. Right-click the local area connection.Choose Properties. Double-click the TCP/IP option. Choose Advanced at the bottom. Click on DNS at the top. Choose Append these DNS suffixes. Add the FQDN for each domain that ACS authenticates against in the field.

• User auth fails using 802.1x (EAP-TLS)

  I'm currently testing 802.1x machine and user authentication using EAP-TLS. Right now I'm testing them separately, and machine auth works great, but user auth doesn't.
  Here's what I'm using:
  Smart Cards ->
  Built-in Microsoft XP supplicant ->
  Catalyst 4006 Switch ->
  Cisco Secure ACS 3.3 ->
  Microsoft Active Directory
  After I log in using the smart card, an EAPOL message from the computer is sent to the switch, and the switch replies asking for the computer to identify itself, but the computer does nothing. The switch continues asking and finally gives up because of no response. The ACS server logs no traffic from the supplicant.
  Is this a supplicant issue? Using PEAP MSCHAPv2 with secured passwords works fine, but not with certificates.

  I found my answer. The problem was with the Microsoft supplicant. It wasn't prompting me to type in the PIN to unlock the smart card, so it couldn't read the certificate and thus the EAP process was timing out.
  In order for the Windows supplicant to prompt the user for the smart card PIN, the "Show icon in notification area when connected" checkbox in the Local Area Connection properties windows must be checked. They may want to think about renaming that box... :-)

• ISE - EAP-TLS and then webAuth?

  Hello everyone!
  I have a little bit of a complex dilemma in an ISE deployment and I am trying to lean more on how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.
  Hardware:
  Cisco ISE VM running 1.1.3.124
  WLC 5508 running 7.4.100.0
  AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$
  iPod Touch version 6.1.3(10B329)
  Senario:
  •- User Authenticates to SSID that is 802.1x WPA2 AES,
  •- Machine is checked by having valid Cert issued by CA and given access to ISE CWA
  •- User open’s their browser
  •- WLC redirects them to ISE CWA
  •- User provides credentials on the portal
  •- User to CoA’d to full access network
  Rules, NSP is a limited profiling access network. CWA is a limited access network with redirect to centeral web auth on ISE. Standard rule 2 & 3 (which are disabled in this screen shot) are the rules that prove the CWA works on an open SSID.
  I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?
  Thank you in advance!
  Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.
  I checked the WLC “Clients>Details” (from the monitoring page) and I noticed something interesting:

  Please review the below link which might be helpful :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

• EAP-TLS with Radius Server configuration (1130AG)

  Hi All,
  Im currently tryign to get eap-tls user certificate based wireless authentication working. The mismatch of guides im trying to follow has me ocming up trumps with success so far, so heres hoping you guys can right me wrongs and put me on the right path again.
  My steps for radius:- (i think this part ive actually got ok)
  http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
  Steps for the wirless profile on a win 7 client:- this has me confused all over the place
  http://technet.microsoft.com/en-us/library/dd759246.aspx
  My 1130 Config:-
  [code]
  Current configuration : 3805 bytes
  ! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
  ! NVRAM config last updated at 14:43:51 UTC Fri Jan 25 2013 by apd
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname WAP1
  aaa new-model
  aaa group server radius RAD_EAP
  server 10.1.1.29 auth-port 1812 acct-port 1813
  aaa authentication login default local
  aaa authentication login EAP_LOGIN group RAD_EAP
  aaa authorization exec default local
  aaa authorization network default local
  aaa session-id common
  ip domain name ************
  dot11 syslog
  dot11 ssid TEST
     authentication open eap EAP_LOGIN
     authentication network-eap EAP_LOGIN
     guest-mode
  crypto pki trustpoint TP-self-signed-1829403336
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1829403336
  revocation-check none
  rsakeypair TP-self-signed-1829403336
    quit
  username ***************
  ip ssh version 2
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  ssid TEST
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  ssid TEST
  no dfs band block
  channel dfs
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 10.1.2.245 255.255.255.0
  ip helper-address 10.1.1.27
  no ip route-cache
  no ip http server
  ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  radius-server host 10.1.1.29 auth-port 1812 acct-port 1813 key **************
  radius-server key ************
  bridge 1 route ip
  line con 0
  logging synchronous
  transport preferred ssh
  line vty 0 4
  logging synchronous
  transport input ssh
  sntp server 130.88.212.143
  end
  [/code]
  and my current debug
  [code]
  Jan 25 12:00:56.703: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 25 12:00:56.703: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 25 12:00:56.703: dot1x-registry:registry:dot1x_ether_macaddr called
  Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
  WAP1#
  Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
  Jan 25 12:01:26.698: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 25 12:01:26.698: dot11_auth_send_msg:  sending data to requestor status 0
  Jan 25 12:01:26.698: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
  Jan 25 12:01:26.699: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
  Jan
  WAP1#25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
  Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
  Jan 25 12:01:27.580: AAA/BIND(000000
  WAP1#12): Bind i/f
  Jan 25 12:01:27.580: dot11_auth_add_client_entry: Create new client 74de.2b81.56c4 for application 0x1
  Jan 25 12:01:27.580: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: req->auth_type 0
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
  Jan 25 12:01:27.581: dot11_run_auth_methods: Start aut
  WAP1#h method EAP or LEAP
  Jan 25 12:01:27.581: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  Jan 25 12:01:27.581: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
  Jan 25 12:01:27.581: EAPOL pak dump tx
  Jan 25 12:01:27.581: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 25 12:01:27.581: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01801670:                   0100002B 0101002B          ...+...+
  01801680: 01006E65 74776F72 6B69643D 54455354  ..networkid=TEST
  WAP1#
  01801690: 2C6E6173 69643D41 50445741 50312C70  ,nasid=WAP1,p
  018016A0: 6F727469 643D30                      ortid=0
  Jan 25 12:01:27.582: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 25 12:01:27.582: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 25 12:01:27.582: dot1x-registry:registry:dot1x_ether_macaddr called
  Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
  WAP1#
  [/code]
  Can anyone point me in the right direction with this?
  i also dont like it that you can attempt to join the network first before failing
  can i have user cert based + psk? and then apply it all by GPO
  Thanks for any help

  ok ive ammdened the wireless profile as suggested
  i already have the root ca and a user certificate installed with matching usernames
  I had already added the radius device to the NPS server and matched the keys to the AP
  now heres the debug im getting, when i check the NPS server, still doesnt look like its getting any requests at all :|
  Jan 29 11:53:13.501: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
  Jan 29 11:53:13.501: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 29 11:53:13.501: dot11_auth_send_msg:  sending data to requestor status 0
  Jan 29 11:53:13.501: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
  Jan 29 11:53:13.501: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
  Jan
  WAP1#29 11:53:13.501: dot11_mgr_disp_callback: Received message from Local Authenticator
  Jan 29 11:53:13.501: dot11_mgr_disp_callback: Received FAIL from Local Authenticator
  Jan 29 11:53:13.501: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_FAIL) for 74de.2b81.56c4
  Jan 29 11:53:13.502: dot11_mgr_sm_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 29 11:53:13.502: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
  Jan 29 11:53:13.502: dot11_mgr_disp_auth_abort
  WAP1#: Sending abort request for client 74de.2b81.56c4 to local Authenticator
  Jan 29 11:53:13.502: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
  Jan 29 11:53:13.502: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
  Jan 29 11:53:14.619: AAA/BIND(00000019): Bind i/f
  Jan 29 11:53:14.619: dot11_mgr_disp_auth_request: Send auth request for client 74de.2b81.56c4 to local Authenticator
  Jan 29 11:53:14.619: dot11_auth_add_client_entry: Create new c
  WAP1#lient 74de.2b81.56c4 for application 0x1
  Jan 29 11:53:14.620: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: req->auth_type 0
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
  Jan 29 11:53:14.620: dot11_run_auth_methods: Start auth method EAP or LEAP
  Jan 29 11:53:14.620: dot11_auth_dot1x_start: in the dot11
  WAP1#_auth_dot1x_start
  Jan 29 11:53:14.620: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
  Jan 29 11:53:14.620: EAPOL pak dump tx
  Jan 29 11:53:14.621: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 29 11:53:14.621: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01808560: 0100002B 0101002B 01006E65 74776F72  ...+...+..networ
  01808570: 6B69643D 54455354 2C6E6173 69643D41  kid=TEST,nasid=A
  01808580: 50445741 50312C70 6F727469 643D30    WAP1,portid=0
  Jan 29 11:53
  WAP1#:14.621: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 29 11:53:14.621: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received message from Local Authenticator
  Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received DOT11_AAA_EAP from Local Authenticator
  Jan 29 11:53:14.622: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_REPLY) for 74de.2b81.56c4
  Jan 29 11:53:14.622: dot11_mgr_sm_send_response_to_client: Forwarding Authenti
  WAP1#cator message to client 74de.2b81.56c4
  Jan 29 11:53:14.622: EAPOL pak dump tx
  Jan 29 11:53:14.622: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 29 11:53:14.622: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01808690:                   0100002B 0101002B          ...+...+
  018086A0: 01006E65 74776F72 6B69643D 54455354  ..networkid=TEST
  018086B0: 2C6E6173 69643D41 50445741 50312C70  ,nasid=WAP1,p
  018086C0: 6F727469 643D30                      ortid=0
  Jan 29 11:53:14.623: dot1x-regi

• 'Could not find user' with EAP-TLS in ACS

  Hi all,
  we are running ACS 4.2(1) Build 15 on a Win2003 member server and use the ACS for EAP-TLS with certificates (Microsoft-PKI) for WLAN authentication (WLC 4402, 6.0 and 4.2). We are using both machine and user authentication.
  Sometimes machine authentications fail with following message in AUTH.log:
  AUTH 11/01/2010 09:11:28 E 1395 1904 0x31cb External DB [NTAuthenDLL.dll]: Could not find user host/<xxxxxxxx>.com (0x5012)
  But some minutes/hours later the same machine can authenticate successful. Other machines never have this problem, no problems at all with user authentications.
  Does anyone have an idea where I can proceed with troubleshooting? I haven't found any related messages in server event logs. Are there any other logs where I can find reasons for these problems that are occuring only sometimes?
  Thanks
  Kai

  AUTH.log and RDS.log are two log file you need to look into on ACS side. Make sure the log level is set to "Full"
  You might need to check the log on AD side to see why it could not find this host.
  Comparing the logs between the working and non-working cases might be helpful.

• WLC 5508 - EAP-TLS - Windows 8.1 Third Party PKI

  Hello,
  Does anybody know what could prevent a Windows 8/8.1 system to connect to a WLC via EAP-TLS? Windows 7/XP do not have any problems here.The radius server accepts the request, but WIndows 8 still tries to authenticate.
  Software is updated to 7.6.120.0, I tried to setup timeout values, but no success at all.
  Did anyone have similar problems with Windows 8/81?
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Starting key exchange to mobile 0c:8b:fd:eb:16:17, data packets will be dropped
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
     state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
     state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Reusing allocated memory for  EAP Pkt for retransmission to mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId =
  0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Entering Backend Auth Success state (id=6) for mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Received Auth Success while in Authenticating state for mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 dot1x - moving mobile 0c:8b:fd:eb:16:17 into Authenticated state
  *osapiBsnTimer: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *osapiBsnTimer: Jun 24 12:43:16.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *osapiBsnTimer: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 Retransmit failure for EAPOL-Key M1 to mobile 0c:8b:fd:eb:16:17, retransmit count 3, mscb deauth count 0
  Any hint would be great .... Thank you...

  Hello Dino,
    thanks very much for your reply.
    The client uses a machine-certificate, the PKI is not a microsoft one, but a third party PKI.   The certificate is fresh and valid, the root-cert is installed and checked to be validated against it for the login.
  Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
  EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
  I suspect the cert-setup itself, but don't get a clue where this might stuck...
  Björn

• Lower than expected 1310 bridge performance

  Hi All,
  We have recently installed an wireless WAN link over 7 km (aproximate 4.5 milles) distance. The towers are sufficent for fresnel and earth bulge and obstacles requirements.
  We have used Cisco Aironet 1310 bridges (one configured as root bridge, the other as non-root bridge). The antennas are 24 dBi from Hyperlink, connected by RP-TNC to N pigtails, also provided by Hyperlink. According the Cisco utilities, the antennas has more than enough gain for the distance, climatic and topographic conditions.
  The alignement of the antennas was made visually (using binoculars) on one side, on the other with precision instruments.
  To select the frequency (the automatic selection works awfuly bad, it establish connection one of three times) we use the Carrier Busy Test on the network interface / Radio 802.11G menu, where we are able to pick the frequency with zero percent (0%) utilization most of the time.
  The problems we experiment are the following:
  - The latency times are very variable. From 1 ms, to 207 ms, to other values. We have used other wireless equipment with more stable performance.
  - There are lost packets frequently, even with the slightest network traffic (2 PC's with terminal service sessions). Supousedly, the link is of 54 Mbps speed, but the quality is very low.
  - At the moment, we are losing connection every couple of minutes. After that the non-root configured bridge stays down and the only way to reestablish connection is by reseting the 1310.
  - I see that the speed changes every time I refresh the IE utility.
  I still havent configured any security, because the awful way the link works.
  What could be the reason for such bad performance?
  Best Regards,
  Igor Sotelo.

  Hi All,
  I have noticed that when the switches have VLAN configured, the latency is very variable. In this particular case, the switches does not have this configuration. I haven't configured VLAN's on the wireless bridges either.
  I will test the link without any switches, it's an good idea. Perhaps there is "something" with the wired network.
  Other than that the specifics are:
  - I have used Belden RG-6 1530A cable that has even higher grade than the Belden 9077 recommended by the manuals.
  - The extension of the cables is around 40 meters (120 foot).
  - We have installed another wireless link in the place, that uses the same frequency, but different polarity. Also we try to separate the channels at least 7 frequencies.
  - The other system is omnidireccional in nature, and it doesn't have excessive gain.
  - On the place where the equipment of both systems coexist, the physical separation between the antennas of the two systems is around 9 foots (3 meters).
  The error messages we get are:
  - On the root bridge:
  Mar 1 00:00:57.238 Information Interface Dot11Radio0, Deauthenticating Station 0017.0ec6.a590 Reason: Previous authentication no longer valid
  Mar 1 00:00:57.237 Warning Packet to client 0017.0ec6.a590 reached max retries, removing the client
  - On the non-root bridge:
  Mar 1 16:19:52.072 Notification Line protocol on Interface Dot11Radio0, changed state to up
  Mar 1 16:19:51.072 Error Interface Dot11Radio0, changed state to up
  Mar 1 16:19:51.071 Warning Interface Dot11Radio0, Associated To AP Central-2 0017.0ec6.a580 [None]
  Mar 1 16:16:00.255 Warning Interface Dot11Radio0, cannot associate: No Response
  Mar 1 16:15:50.397 Notification Line protocol on Interface Dot11Radio0, changed state to down
  Mar 1 16:15:49.398 Error Interface Dot11Radio0, changed state to down
  Mar 1 16:15:49.397 Warning Interface Dot11Radio0, parent lost: Too many retries
  Mar 1 16:14:56.788 Notification Line protocol on Interface Dot11Radio0, changed state to up
  Mar 1 16:14:55.788 Error Interface Dot11Radio0, changed state to up
  Mar 1 16:14:55.788 Warning Interface Dot11Radio0, Associated To AP Central-2 0017.0ec6.a580 [None]
  When we make a reload on any of the bridges the link reestablishes for some time. With this message on the root bridge:
  Mar 1 00:00:44.194 Information Interface Dot11Radio0, Station NONROOTNAME 0017.0ec6.a590 Reassociated KEY_MGMT[NONE]
  Mar 1 00:00:35.456 Notification Line protocol on Interface Dot11Radio0, changed state to up
  I will appreciate any additional help.
  Best Regards,
  Igor Sotelo.

• 1310 Bridge loses connection

  I work at a college campus where we have a couple of 1310 bridges between our main campus and a group of apartment buildings that we own 3 blocks down the road. One 1310 bridge is in our bell tower and the other is in one of the apartments. The other apartments have 1240 AG access points. The problem I am having is that periodically the remote apartments will loose their network connection. Originally I thought it was a problem with the remote bridge because rebooting the bridge at the remote apartment would bring the connection back up. I recently discovered that I could bring the remote location back up by rebooting the bridge in the belltower. At first we could go a couple of weeks before the link would go down now it seems to be happening much more frequently.
  Any help in troubleshooting this would be appreciated.
  Thanks.
  Jeff

  You might want to post carrier busy test results for both ends as well as signal strength readings for both ends. If memory serves you'll need commands like (check my syntax):
  dot11 dot11 0 carrier busy (assuming 802.11g)
  and
  show dot11 ass X.X.X (X.X.X = remote end mac)