EAP-TLS authentication failed

Similar Messages

• Eap tls authentication fails if bluetooth device connected

  Hi All, I'm new to Macs but was tasked with getting a MacBook Air connected to our AD integrated, 802.1x wifi network. After a lot of trial and error with certificates I finally got this working but now have a rather bizarre problem. With the MBA on it's own it will connect to the wifi network, sucessfully authenticate and work perfectly well. However, if my Apple bluetooth mouse or keyboard are connected to the MBA the EAP-TLS authentication fails. A packet capture of the connection process shows that at the same point every time the process take a while then a packet shows as "Unknown Error Ignored", then loops thorugh the process. Turning off the keybpard and mouse at this point and the MBA will connect. Once connected I can then connect the keyboard and mouse and continue to stay connected for a while before, I assume, the AP forces a re-auth and the connection drops again.
  Has anyone come across this elsewhere?
  Thanks

  I have a Macbook Pro Retina 15" from 2012 and it has the same issue. Running 10.8.4. I have spent probably 5-6 hours trying to troubleshoot cert's network settings, did a complete fresh install (then restored from timemachine when that did not work) with no luck this solution worked but obviously is not a real solution as it should not confilct in this way. Great job on finding a workaround! I will be contacting apple about this ASAP under my applecare.

• EAP TLS authentication failed during SSL handshake

  We see this message, trying to set up EAP TLS. Anyone come across this ?

  I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
  The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
  Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
  Hope this helps.

• Wireless ISE - 12508 EAP-TLS handshake failed

  Hi guys,
  I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication.  In short, all EAP-TLS authentication is failing with the following error.  Below that is the relevant excerpt from the logs:
  Authentication failed : 12508 EAP-TLS handshake failed
  OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown  message digest algorithm:a_verify.c:146:,
  Setup:
  - Single standalone ISE 3355 appliance
  - Two tier MS enterprise PKI (outside of my direct control)
  - WLC 5508
  - Windows 7 laptop\
  - The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
  - The test laptop has both the root and intermediate CA server certificates installed  (individually, not chained) and has an identity certificate from the  intermediate CA.
  Now, I'm pretty new to certs so I'm sure I'm missing something simple here.  One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that.  Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
  This is what TAC came back with, but none of the workarounds helped
  Symptom:
  ========
  EAP-TLS auth handshake  failing with X509 decrypt error. The error presented to the ISE  administrator is "12508: EAP-TLS handshake failed"
  Conditions:
  =========
  EAP-TLS certificate based authentications ISE 1.1.2.145
  Workaround:
  ===========
  1) Reboot or restart ISE  application service 2) Recreate CAP (Certificate Authentication Profile)  3) Toggle between ID sequence and single ID source

  Hi Amjad,
  Thanks for the response.  I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
  Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year).  On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
  The certificate format has not been modified in any way.  The server and identity certs have been pushed out to the clients via GPO. Tthe root and intermediate certs were exported in DER format directly from each the respective CAs and imported directly in to the ISE
  Cheers,
  Owen

• EAP-TLS authentication failure

  We've been struggling with this problem for weeks without a solution yet. Maybe someone can help us.
  Note: some information below has been redacted and the IP addresses are not the original ones. They have been changed to fictional IP addresses but they have been adjusted to reflect an equivalent situation.
  This situation is as follows:
  WLAN infrastructure with:
  1 x
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  AIR-WLC2112-K9 (IP address = 10.10.10.10)
  8 x
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  AIR-LAP1142N-E-K9
  Data for the WLC:
  Product Version.................................. 6.0.199.4
  RTOS Version..................................... 6.0.199.4
  Bootloader Version.............................. 4.0.191.0
  Emergency Image Version................... 6.0.199.4
  The WLC is connected to a switch, Cisco Catalyst model WS-C3750X-24, sw version 12.2(53)SE2.
  The idea is to have the clients/supplicants (Windows XP), who have a valid certificate, authenticate against a RADIUS server. The authentication is configured as 802.1x over EAP-TLS.
  The RADIUS server is a Windows 2003 Server with IAS (IP address = 15.15.15.15). This server is accessed via a WAN link. We don't manage this server.
  The problem: no wireless client (Windows XP) is able to go past the initial authentication.
  I should add that the WLC and the APs were working perfectly and clients were connecting correctly to them. However this setup was moved to a new building and, since then, nothing has worked. I must add that the configuration on the WLC and APs has not changed, since the network configuration (IP subnets, etc) was migrated from the previous building to this new one. But something has changed: the WAN router (connected to the Internet and with a VPN established to the corporate network) and the LAN equipment (switches), which are all brand new.
  On the RADIUS side we find these error messages:
  Fully-Qualified-User-Name = XXXXXXXXXXXX/XXXX/XXXXX/XXXX/XXXXX (it shows the correct information)
  NAS-IP-Address = 10.10.10.10
  NAS-Identifier = XX-002_WLAN
  Called-Station-Identifier = f0-25-72-70-65-xx:WLAN-XX
  Calling-Station-Identifier = 00-1c-bf-7b-08-xx
  Client-Friendly-Name = xxxxxxx_10.10.10.10
  Client-IP-Address = 10.10.10.10
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 2
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = Wireless LAN Access
  Authentication-Type = EAP
  EAP-Type = <undetermined>
  Reason-Code = 22
  Reason = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
  On the WLC side, the error messages are:
  TRAP log:
  RADIUS server 15.15.15.15:1812 failed to respond to request (ID 42) for client 00:27:10:a3:1b:xx / user 'unknown'
  SYSLOG:
  Jan 06 10:16:35 10.10.10.10 XX-002_WLAN: *Jan 06 10:16:32.709: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
  Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.960: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
  Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.961: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
  Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
  Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
  WLC Debug:
  *Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Station 58:94:6b:15:f5:d0 setting dot1x reauth timeout = 1800
  *Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
  *Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 1)
  *Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Received EAPOL START from mobile 58:94:6b:15:f5:d0
  *Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
  *Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 2)
  *Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
  *Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 58:94:6b:15:f5:d0
  *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
  *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received Identity Response (count=2) from mobile 58:94:6b:15:f5:d0
  *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 EAP State update from Connecting to Authenticating for mobile 58:94:6b:15:f5:d0
  *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Authenticating state
  *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
  *Jan 07 19:31:42.711: AuthenticationRequest: 0xd1bc104
  *Jan 07 19:31:42.711:     Callback.....................................0x87e1870
  *Jan 07 19:31:42.712:     protocolType.................................0x00140001
  *Jan 07 19:31:42.712:     proxyState...................................58:94:6B:15:F5:D0-9B:00
  *Jan 07 19:31:42.712:     Packet contains 12 AVPs (not shown)
  *Jan 07 19:31:42.712: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *Jan 07 19:31:42.712: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 231) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
  *Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Access-Challenge received from RADIUS server 15.15.15.15 for mobile 58:94:6b:15:f5:d0 receiveId = 155
  *Jan 07 19:31:42.788: AuthorizationResponse: 0xa345700
  *Jan 07 19:31:42.788:     structureSize................................145
  *Jan 07 19:31:42.788:     resultCode...................................255
  *Jan 07 19:31:42.788:     protocolUsed.................................0x00000001
  *Jan 07 19:31:42.788:     proxyState...................................58:94:6B:15:F5:D0-9B:00
  *Jan 07 19:31:42.788:     Packet contains 4 AVPs (not shown)
  *Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Processing Access-Challenge for mobile 58:94:6b:15:f5:d0
  *Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Entering Backend Auth Req state (id=3) for mobile 58:94:6b:15:f5:d0
  *Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Sending EAP Request from AAA to mobile 58:94:6b:15:f5:d0 (EAP Id 3)
  *Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
  *Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAP Response from mobile 58:94:6b:15:f5:d0 (EAP Id 3, EAP Type 13)
  *Jan 07 19:31:42.806: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
  *Jan 07 19:31:42.806: AuthenticationRequest: 0xd1bc104
  *Jan 07 19:31:42.806:     Callback.....................................0x87e1870
  *Jan 07 19:31:42.806:     protocolType.................................0x00140001
  *Jan 07 19:31:42.807:     proxyState...................................58:94:6B:15:F5:D0-9B:01
  *Jan 07 19:31:42.807:     Packet contains 13 AVPs (not shown)
  *Jan 07 19:31:42.807: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
  *Jan 07 19:31:42.807: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
  *Jan 07 19:31:52.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00                               ..
  *Jan 07 19:31:52.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
  *Jan 07 19:32:02.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
  *Jan 07 19:32:02.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
  *Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 Max retransmission of Access-Request (id 228) to 15.15.15.15 reached for mobile 58:94:6b:15:f5:d0
  *Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 [Error] Client requested no retries for mobile 58:94:6B:15:F5:D0
  *Jan 07 19:32:12.533: 58:94:6b:15:f5:d0 Returning AAA Error 'Timeout' (-5) for mobile 58:94:6b:15:f5:d0
  *Jan 07 19:32:12.533: AuthorizationResponse: 0xb99ff864
  Finally, we've also done some packet sniffing, using Wireshark and Commview. These appear to suggest that something is wrong with one of the packets and this leads to the authentication process to fail and restart again and again:
  ******************** WIRESHARK CAPTURE ********************
  No.     Time        Source                Destination           Protocol Info
        1 0.000000    10.10.10.10        15.15.15.15           RADIUS   Access-Request(1) (id=125, l=280)
  Frame 1: 322 bytes on wire (2576 bits), 322 bytes captured (2576 bits)
  Ethernet II, Src: Cisco_62:63:00 (f8:66:f2:62:63:00), Dst: Cisco_55:20:41 (1c:df:0f:55:20:41)
  Internet Protocol, Src: 10.10.10.10 (10.10.10.10), Dst: 15.15.15.15 (15.15.15.15)
      Version: 4
      Header length: 20 bytes
      Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
          0000 00.. = Differentiated Services Codepoint: Default (0x00)
          .... ..0. = ECN-Capable Transport (ECT): 0
          .... ...0 = ECN-CE: 0
      Total Length: 308
      Identification: 0x501f (20511)
      Flags: 0x02 (Don't Fragment)
      Fragment offset: 0
      Time to live: 64
      Protocol: UDP (17)
      Header checksum: 0x4aee [correct]
      Source: 10.10.10.10 (10.10.10.10)
      Destination: 15.15.15.15 (15.15.15.15)
  User Datagram Protocol, Src Port: filenet-rpc (32769), Dst Port: radius (1812)
      Source port: filenet-rpc (32769)
      Destination port: radius (1812)
      Length: 288
      Checksum: 0xe8e0 [validation disabled]
          [Good Checksum: False]
          [Bad Checksum: False]
  Radius Protocol
      Code: Access-Request (1)
      Packet identifier: 0x7d (125)
      Length: 280
      Authenticator: 79b2f31c7e67d6fdaa7e15f362ecb025
      Attribute Value Pairs
          AVP: l=27  t=User-Name(1): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
          AVP: l=19  t=Calling-Station-Id(31): 00-21-6a-29-80-xx
          AVP: l=27  t=Called-Station-Id(30): f0-25-72-70-65-c0:WLAN-XX
          AVP: l=6  t=NAS-Port(5): 2
          AVP: l=6  t=NAS-IP-Address(4): 10.10.10.10
          AVP: l=13  t=NAS-Identifier(32): XX-002_WLAN
          AVP: l=12  t=Vendor-Specific(26) v=Airespace(14179)
          AVP: l=6  t=Service-Type(6): Framed(2)
          AVP: l=6  t=Framed-MTU(12): 1300
          AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
          AVP: l=89  t=EAP-Message(79) Last Segment[1]
              EAP fragment
              Extensible Authentication Protocol
                  Code: Response (2)
                  Id: 3
                  Length: 87
                  Type: EAP-TLS [RFC5216] [Aboba] (13)
                  Flags(0x80): Length
                  Length: 77
                  Secure Socket Layer
          AVP: l=25  t=State(24): 1d68036a000001370001828b38990000000318a3088c00
          AVP: l=18  t=Message-Authenticator(80): 9fe1bfac02df3293ae2f8efc95de2d5d
  No.     Time        Source                Destination           Protocol Info
        2 0.060373    15.15.15.15        10.10.10.10          IP       Fragmented IP protocol (proto=UDP 0x11, off=0, ID=2935) [Reassembled in #3]
  Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
  Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
  Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
      Version: 4
      Header length: 20 bytes
      Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
          0000 00.. = Differentiated Services Codepoint: Default (0x00)
          .... ..0. = ECN-Capable Transport (ECT): 0
          .... ...0 = ECN-CE: 0
      Total Length: 44
      Identification: 0x2935 (10549)
      Flags: 0x01 (More Fragments)
      Fragment offset: 0
      Time to live: 122
      Protocol: UDP (17)
      Header checksum: 0x58e0 [correct]
      Source: 15.15.15.15 (15.15.15.15)
      Destination: 10.10.10.10 (10.10.10.10)
      Reassembled IP in frame: 3
  Data (24 bytes)
  0000  07 14 80 01 05 69 e8 f5 0b 7d 05 61 6c 83 00 ae   .....i...}.al...
  0010  d0 75 05 c3 56 29 a7 b1                           .u..V)..
  No.     Time        Source                Destination           Protocol Info
        3 0.060671    15.15.15.15        10.10.10.10          RADIUS   Access-challenge(11) (id=125, l=1377)
  Frame 3: 1395 bytes on wire (11160 bits), 1395 bytes captured (11160 bits)
  Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
  Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
      Version: 4
      Header length: 20 bytes
      Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
          0000 00.. = Differentiated Services Codepoint: Default (0x00)
          .... ..0. = ECN-Capable Transport (ECT): 0
          .... ...0 = ECN-CE: 0
      Total Length: 1381
      Identification: 0x2935 (10549)
      Flags: 0x00
      Fragment offset: 24
      Time to live: 122
      Protocol: UDP (17)
      Header checksum: 0x73a4 [correct]
      Source: 15.15.15.15 (15.15.15.15)
      Destination: 10.10.10.10 (10.10.10.10)
      [IP Fragments (1385 bytes): #2(24), #3(1361)]
  User Datagram Protocol, Src Port: radius (1812), Dst Port: filenet-rpc (32769)
      Source port: radius (1812)
      Destination port: filenet-rpc (32769)
      Length: 1385
      Checksum: 0xe8f5 [validation disabled]
          [Good Checksum: False]
          [Bad Checksum: False]
  Radius Protocol
      Code: Access-challenge (11)
      Packet identifier: 0x7d (125)
      Length: 1377
      Authenticator: 6c8300aed07505c35629a7b14de483be
      Attribute Value Pairs
          AVP: l=6  t=Session-Timeout(27): 30
              Session-Timeout: 30
          AVP: l=255  t=EAP-Message(79) Segment[1]
              EAP fragment
          AVP: l=255  t=EAP-Message(79) Segment[2]
              EAP fragment
          AVP: l=255  t=EAP-Message(79) Segment[3]
              EAP fragment
          AVP: l=255  t=EAP-Message(79) Segment[4]
              EAP fragment
          AVP: l=255  t=EAP-Message(79) Segment[5]
              EAP fragment
          AVP: l=33  t=EAP-Message(79) Last Segment[6]
              EAP fragment
              Extensible Authentication Protocol
                  Code: Request (1)
                  Id: 4
                  Length: 1296
                  Type: EAP-TLS [RFC5216] [Aboba] (13)
                  Flags(0xC0): Length More
                  Length: 8184
                  Secure Socket Layer
  [Malformed Packet: SSL]
      [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
          [Message: Malformed Packet (Exception occurred)]
          [Severity level: Error]
          [Group: Malformed]
  ******************** COMMVIEW CAPTURE ******************
  Packet #6, Direction: Pass-through, Time:11:27:35,251292, Size: 323
  Ethernet II
      Destination MAC: 1C:DF:0F:55:20:xx
      Source MAC: F8:66:F2:62:63:xx
      Ethertype: 0x0800 (2048) - IP
  IP
      IP version: 0x04 (4)
      Header length: 0x05 (5) - 20 bytes
      Differentiated Services Field: 0x00 (0)
          Differentiated Services Code Point: 000000 - Default
          ECN-ECT: 0
          ECN-CE: 0
      Total length: 0x0135 (309)
      ID: 0x2B26 (11046)
      Flags
          Don't fragment bit: 1 - Don't fragment
          More fragments bit: 0 - Last fragment
      Fragment offset: 0x0000 (0)
      Time to live: 0x40 (64)
      Protocol: 0x11 (17) - UDP
      Checksum: 0x6FE6 (28646) - correct
      Source IP: 161.86.66.49
      Destination IP: 15.15.15.15
      IP Options: None
  UDP
      Source port: 32769
      Destination port: 1812
      Length: 0x0121 (289)
      Checksum: 0x5824 (22564) - correct
  Radius
      Code: 0x01 (1) - Access-Request
      Identifier: 0x8D (141)
      Packet Length: 0x0119 (281)
      Authenticator: 60 4E A6 58 A8 88 A2 33 4E 56 D0 E9 3B E0 62 18
      Attributes
          Attribute
              Type: 0x01 (1) - User-Name
              Length: 0x1A (26)
              Username: XXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
          Attribute
              Type: 0x1F (31) - Calling-Station-Id
              Length: 0x11 (17)
              Calling id: 58-94-6b-15-5f-xx
          Attribute
              Type: 0x1E (30) - Called-Station-Id
              Length: 0x19 (25)
              Called id: f0-25-72-70-65-c0:WLAN-XX
          Attribute
              Type: 0x05 (5) - NAS-Port
              Length: 0x04 (4)
              Port: 0x00000002 (2)
          Attribute
              Type: 0x04 (4) - NAS-IP-Address
              Length: 0x04 (4)
              Address: 10.10.10.10
          Attribute
              Type: 0x20 (32) - NAS-Identifier
              Length: 0x0B (11)
              NAS identifier: XX-002_WLAN
          Attribute
              Type: 0x1A (26) - Vendor-Specific
              Length: 0x0A (10)
              Vendor id: 0x00003763 (14179)
              Vendor specific:  
          Attribute
              Type: 0x06 (6) - Service-Type
              Length: 0x04 (4)
              Service type: 0x00000002 (2) - Framed
          Attribute
              Type: 0x0C (12) - Framed-MTU
              Length: 0x04 (4)
              Framed MTU: 0x00000514 (1300)
          Attribute
              Type: 0x3D (61) - NAS-Port-Type
              Length: 0x04 (4)
              NAS port type: 0x00000013 (19) - Wireless - IEEE 802.11
          Attribute
              Type: 0x4F (79) - EAP-Message
              Length: 0x57 (87)
              EAP-Message
          Attribute
              Type: 0x18 (24) - State
              Length: 0x17 (23)
              State: 1F 38 04 12 00 00 01 37 00 01 82 8B 38 99 00 00 00 03 18 A6 82 B7 00
          Attribute
              Type: 0x50 (80) - Message-Authenticator
              Length: 0x10 (16)
              Message-Authenticator: 4F 13 92 9C 10 29 C5 3A B9 AE 92 CA 74 11 6C B5
  Packet #28, Direction: Pass-through, Time:11:27:36,523743, Size: 62
  Ethernet II
      Destination MAC: F8:66:F2:62:63:xx
      Source MAC: 1C:DF:0F:55:20:xx
      Ethertype: 0x0800 (2048) - IP
  IP
      IP version: 0x04 (4)
      Header length: 0x05 (5) - 20 bytes
      Differentiated Services Field: 0x00 (0)
          Differentiated Services Code Point: 000000 - Default
          ECN-ECT: 0
          ECN-CE: 0
      Total length: 0x002C (44)
      ID: 0x4896 (18582)
      Flags
          Don't fragment bit: 0 - May fragment
          More fragments bit: 1 - More fragments
      Fragment offset: 0x0000 (0)
      Time to live: 0x7A (122)
      Protocol: 0x11 (17) - UDP
      Checksum: 0x397F (14719) - correct
      Source IP: 15.15.15.15
      Destination IP: 10.10.10.10
      IP Options: None
  UDP
      Source port: 1812
      Destination port: 32769
      Length: 0x0569 (1385)
      Checksum: 0x2FE4 (12260) - incorrect

  Hi,
  We spent many hours trying to solve this problem.
  Our setup:
  Cisco wireless setup, using windows NPS for 802.1x authentication.
  Certificate base auth, with an internal PKI sending out client machine certs, and also the server cert.
  Auth was failing with "reason code 22, The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
  It turned out to be a GPO setting on the server, that was enforcing key protection.
  There is this note on the below technet article:
  Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
  http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
  Hopefully this helps someone out, if you have the same annoying error.

• EAP-TLS Authentication failure happening in ACS for Wireless End User Authentication

  Hi All,
  We have the Win 3.2 ACS setup in the production environment, We are migrating it with 4.2 Appliance version. We have succesfully migrated the database and other stuffs from 3.2 to 4.2. Same way we have exported the certificates from 3.2 to 4.2 and installed it.
  We have the leap as well as eap-tls in the authentication part.
  We were able to test successfully with the leap. But when it comes to eap-tls. In 4.2 version its throwing the error.
  5/3/2011
  23:16:38
  Authen failed
  [email protected]
  EAP-TLS users
  0023.1413.de18
  (Default)
  EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake
  21356
  10.121.198.38
  13
  EAP-TLS
  ap-1242b4 
    Bangalore APs
  We have used the same certficate exported and installed in the 4.2 version. But its working in the existing 3.2 version and why it is not working with the 4.2 version.
  Could anyone help me out in this?
  Regards
  Karthik

  Hi,
  Looks like the CA Cert is not installed on the ACS.
  The following link will help you install the CA cert.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp327056
  Also trust the CA certificate in the Edit trust list list.
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

• EAP-TLS PEAP FAIL DURING SSH HANDSHAKE

  Hi Pros,
                 I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
  When I check my log in the failed attemps, there is what I found:
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  06/23/2010
  17:39:51
  Authen failed
  000e.9b6e.e834
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1101
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Networ
  06/23/2010
  17:39:50
  Authen failed
  [email protected]
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1098
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Network
  [email protected]
  = my windows active directory name
  1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
  2. Why sometimes it just shows the MAC of the client for username?
  3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
  2. Secondly, When I check in pass authentications... there is what i saw
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  NAS-Port
  NAS-IP-Address
  Network Access Profile Name
  Shared RAC
  Downloadable ACL
  System-Posture-Token
  Application-Posture-Token
  Reason
  EAP Type
  EAP Type Name
  PEAP/EAP-FAST-Clear-Name
  Access Device
  Network Device Group
  06/23/2010
  17:30:49
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  06/23/2010
  17:29:27
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
  Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
  Thanks in advance for your help,
  Crazy---

  I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
  The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
  Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
  Hope this helps.

• EAP/TLS authentication Issue

  I have several Aironet 1100 AP's which are configure to use EAP/TLS to authenticate against a Cisco ACS server.
  We are using Aironet 350 pcmcia cards. This setup had been working up until friday when we moved the ACS server to a new IP address. Since then if I try to connect using the Cisco software bundled with the 350 pcmcia card it fails authentication. If I use the windows wireless config it works perfectly. Unfortuantley most of the pcs are running win 2000 so I need to get the cisco software working again.
  In ACS failed Auth logs I get the following message "Invalid message authenticator in EAP request" but from the other AP's I see nothing in the logs.
  I have checked the keys are correct and the user certificate is ok as I can connect using the inbuilt Win XP config util.
  I'm at a bit of a loss as to what to do next.

  Try this link
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml

• EAP-TLS authentication with ACS 5.2

  Hi all,
  I have question on EAP-TLS with ACS 5.2.
  If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place?
  Understand that the cert are required on both client and server end, but is this certificate ties to the machine or ties to individual user?
  If ties to user, and I have a shared PC which login by few users, is that mean every user account will have their own certificates?
  And every individual user will have to manually get the cert from CA? is there any other method as my environment has more than 3000 PCs.
  And also if it ties to user, all user can get their cert from CA with their AD login name and password, if they bring in their own device and try to get the cert from CA, they will be able to successfully install the cert into their device right?
  Hope you guys can help on this. THanks.

  Yes, you can configure:
  machine authentication only
  user authentication only
  Machine and user authentication.
  Machine or user authentication
  So machine authentication only is quite common scenarion. Correct, as long as machine is a part of a domain, you will be authenticated via machine authentication.
  PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username and the format is:
  host/computer.domain
  If the machine is a valid machine in the domain then during the boot process, once the HAL is loaded, the system begins loading device drivers to support the various hardware devices configured on the client in question. After loading the device drivers, the network interface is initialized. At this point, machine start getting ip address and once it done, the user may have access to most of the network.
  Regards,
  Jatin

• ISE - EAP-TLS authentication with multi-tier PKI

  Hi Cisco Support Community,
  and again I'm struggling with my ISE understanding. It's kind of frustrating - daily more and more questions arise :)
  Here's the thing and I hope some of the ISE experts here know the answer:
  I want to authenticate my wired and wireless clients using 802.1X. I'm using a multi-tier PKI (see picture below)
  The ISE uses a certificate from the "Signing CA1" (Chain: Root CA - Signing CA1).
  The clients uses a certificate from the "Signing CA2" (Chain: Root CA - Intermediate CA1 - Signing CA2).
  Do I have to add the complete client certificate chain (Signing CA2, Intermediate CA1, Root CA) to the ISE trusted certificates in order to authenticate the client? Or is it enough for example just to add the root CA or the intermediate CA? I couldn't find any hints in the admin guide (1.3)
  Thanks in advance!

  Hello Johannes-
  You will need to add the root and all/any intermediate certificates in the trusted certificate store of ISE. 
  Thank you for rating helpful posts!

• 802.1x eap-tls machine + user authentication (wired)

  Hi everybody,
  right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
  You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
  Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
  1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
  <key>SetupModes</key>
  <array>
      <string>System</string>
      <string>Loginwindow</string>
  </array>
  <key>PayloadScope</key>
      <string>System</string>
  but it does not work
  2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
  Thanks

  Unfortunatelly this documents do not describe how to do what I want.
  I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
  I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
  The certificates are in my System keychain.
  Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
  Any ideas ?

• EAP-TLS and ACS 5.1 with AD

  Hello,
  I want to set up the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error Message:
  24435  Machine Groups retrieval from Active Directory succeeded
  24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
  24483  Failed to retrieve the machine certificate from Active Directory.
  22049  Binary comparison of certificates failed
  22057  The advanced option that is configured for a failed authentication request is used.
  22061  The 'Reject' advanced option is configured in case of a failed authentication request.
  12507  EAP-TLS authentication failed
  11504  Prepared EAP-Failure
  11003  Returned RADIUS Access-Reject
  What ist the problem? I can't find documents how to configure this in detail.
  Can some one helf me?
  King regardes
  Torsten

  Hi Torsten,
  The option you are looking for is under system configuration:
  Configuring Local Server Certificates
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/admin_config.html#wp1052640
  Under acs-->Users and Identity Stores-->Local certificate-->Edit. You can only import/configure CA certificate:
  Configuring CA Certificates
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1158666
  HTH
  Regards,
  JK
  Plz rate helpful posts-

• EAP-TLS error message on ACS server

  Receving this message when client attempts authentication....Any idea or pointers on troubleshooting this?
  "EAP-TLS authentication failed during handshake"

  turn on debugging at the AccessPoint (:eap_diag1_on at 350-Series) or at the ACS (csradius -d -p -z) to get more information
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00800afec1.shtml
  Verify Certificates and CA at the client and the ACS
  http://www.cisco.com/en/US/products/hw/wireless/ps458/products_white_paper09186a008009256b.shtml

• Wired 802.1x EAP-TLS Server Certificate Problem

  I have setup wired 802.1x authentication using EAP-TLS with ACS 3.3 and backend link to Active Directory. Root CA certificates are installed on the ACS and Client PC. Machine certificates and user certificates are also installed on Client PC. A Server certificate is installed on the ACS. All has been configured as detailed on the Cisco Web Site (numerous documents).
  If I set the client to authenticate the Servers certificate I get a failure. The clients log (Cisco Secure Services Client) states:
  11:48:53.088 Validating the server.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
  11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
  11:48:54.776 The authentication process has failed.
  If I look at the Auth log on ACS (set to full logging) it states:
  AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
  AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
  If I configure the client to not check the servers certificate it all works ok.
  Can anyone tell me why my server certificate is getting rejected?
  Thanks,
  Paul

  If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.

• N95 8GB won't connect to EAP-TLS secured WLAN

  Hi all,
  Has anyone succeeded in connecting to EAP-TLS secured wifi network? I have an N95 8GB with the latest firmware (updated yesterday) that cannot connect to my office wlan.
  I’ve been reading this forum (and others google found) and here’s what I’ve done:
  * defined an access point with 802.1x security mode and EAP-TLS
  * exported the certificate from my IE, imported it into the phone and selected it in the Personal Certificate filed
  * selected the accompanying rootCA certificate as Authority Certificate (tried leaving it blank as well)
  * tried different Ciphers just in case
  Every connection attempt results in "EAP-TLS authentication failed" and I’m never asked for password.
  I’ve been talking to our admin (I’m afraid he’ll start to hate me before too long ) and found out that after the firmware upgrade and a couple of hours of trying this-or-that I’ve managed to have proper username sent to the server. But the message remains.
  Here’s a part of the event log forwarded to me by the admin (fully qualified username is stripped by him but it seems to be correct):
  Event Type: Warning
  Event Source: IAS
  Event Category: None
  Event ID: 2
  Client-Friendly-Name = wifi2
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 46
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server =
  Policy-Name = wifi
  Authentication-Type = EAP
  EAP-Type =
  Reason-Code = 22
  Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server
  As far as I can see my nokia cannot use a proper EAP-Type. Does anyone have a clue on what to do?
  George
  P.S. I believe we are using Radius server and a google search for the stated Reason gives a number of Radius-related results, but they describe cases when PC's cannot connect. I can connect to the wlan with my laptop with no prob (but it asks for credentials each time - don't know if it matters).

  Hi
  Even I am facing the same problem.
  However Opera 8.65 is working fine with the said configuration
  -Ramesh V