EAP/TLS authentication Issue
I have several Aironet 1100 AP's which are configure to use EAP/TLS to authenticate against a Cisco ACS server.
We are using Aironet 350 pcmcia cards. This setup had been working up until friday when we moved the ACS server to a new IP address. Since then if I try to connect using the Cisco software bundled with the 350 pcmcia card it fails authentication. If I use the windows wireless config it works perfectly. Unfortuantley most of the pcs are running win 2000 so I need to get the cisco software working again.
In ACS failed Auth logs I get the following message "Invalid message authenticator in EAP request" but from the other AP's I see nothing in the logs.
I have checked the keys are correct and the user certificate is ok as I can connect using the inbuilt Win XP config util.
I'm at a bit of a loss as to what to do next.
Try this link
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml
Similar Messages
-
Eap tls authentication fails if bluetooth device connected
Hi All, I'm new to Macs but was tasked with getting a MacBook Air connected to our AD integrated, 802.1x wifi network. After a lot of trial and error with certificates I finally got this working but now have a rather bizarre problem. With the MBA on it's own it will connect to the wifi network, sucessfully authenticate and work perfectly well. However, if my Apple bluetooth mouse or keyboard are connected to the MBA the EAP-TLS authentication fails. A packet capture of the connection process shows that at the same point every time the process take a while then a packet shows as "Unknown Error Ignored", then loops thorugh the process. Turning off the keybpard and mouse at this point and the MBA will connect. Once connected I can then connect the keyboard and mouse and continue to stay connected for a while before, I assume, the AP forces a re-auth and the connection drops again.
Has anyone come across this elsewhere?
ThanksI have a Macbook Pro Retina 15" from 2012 and it has the same issue. Running 10.8.4. I have spent probably 5-6 hours trying to troubleshoot cert's network settings, did a complete fresh install (then restored from timemachine when that did not work) with no luck this solution worked but obviously is not a real solution as it should not confilct in this way. Great job on finding a workaround! I will be contacting apple about this ASAP under my applecare.
-
EAP TLS authentication failed during SSL handshake
We see this message, trying to set up EAP TLS. Anyone come across this ?
I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
Hope this helps. -
EAP-TLS authentication failure
We've been struggling with this problem for weeks without a solution yet. Maybe someone can help us.
Note: some information below has been redacted and the IP addresses are not the original ones. They have been changed to fictional IP addresses but they have been adjusted to reflect an equivalent situation.
This situation is as follows:
WLAN infrastructure with:
1 x
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
AIR-WLC2112-K9 (IP address = 10.10.10.10)
8 x
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
AIR-LAP1142N-E-K9
Data for the WLC:
Product Version.................................. 6.0.199.4
RTOS Version..................................... 6.0.199.4
Bootloader Version.............................. 4.0.191.0
Emergency Image Version................... 6.0.199.4
The WLC is connected to a switch, Cisco Catalyst model WS-C3750X-24, sw version 12.2(53)SE2.
The idea is to have the clients/supplicants (Windows XP), who have a valid certificate, authenticate against a RADIUS server. The authentication is configured as 802.1x over EAP-TLS.
The RADIUS server is a Windows 2003 Server with IAS (IP address = 15.15.15.15). This server is accessed via a WAN link. We don't manage this server.
The problem: no wireless client (Windows XP) is able to go past the initial authentication.
I should add that the WLC and the APs were working perfectly and clients were connecting correctly to them. However this setup was moved to a new building and, since then, nothing has worked. I must add that the configuration on the WLC and APs has not changed, since the network configuration (IP subnets, etc) was migrated from the previous building to this new one. But something has changed: the WAN router (connected to the Internet and with a VPN established to the corporate network) and the LAN equipment (switches), which are all brand new.
On the RADIUS side we find these error messages:
Fully-Qualified-User-Name = XXXXXXXXXXXX/XXXX/XXXXX/XXXX/XXXXX (it shows the correct information)
NAS-IP-Address = 10.10.10.10
NAS-Identifier = XX-002_WLAN
Called-Station-Identifier = f0-25-72-70-65-xx:WLAN-XX
Calling-Station-Identifier = 00-1c-bf-7b-08-xx
Client-Friendly-Name = xxxxxxx_10.10.10.10
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 2
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless LAN Access
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
On the WLC side, the error messages are:
TRAP log:
RADIUS server 15.15.15.15:1812 failed to respond to request (ID 42) for client 00:27:10:a3:1b:xx / user 'unknown'
SYSLOG:
Jan 06 10:16:35 10.10.10.10 XX-002_WLAN: *Jan 06 10:16:32.709: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.960: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.961: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
WLC Debug:
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Station 58:94:6b:15:f5:d0 setting dot1x reauth timeout = 1800
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 1)
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Received EAPOL START from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 2)
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received Identity Response (count=2) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 EAP State update from Connecting to Authenticating for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Authenticating state
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.711: Callback.....................................0x87e1870
*Jan 07 19:31:42.712: protocolType.................................0x00140001
*Jan 07 19:31:42.712: proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.712: Packet contains 12 AVPs (not shown)
*Jan 07 19:31:42.712: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.712: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 231) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Access-Challenge received from RADIUS server 15.15.15.15 for mobile 58:94:6b:15:f5:d0 receiveId = 155
*Jan 07 19:31:42.788: AuthorizationResponse: 0xa345700
*Jan 07 19:31:42.788: structureSize................................145
*Jan 07 19:31:42.788: resultCode...................................255
*Jan 07 19:31:42.788: protocolUsed.................................0x00000001
*Jan 07 19:31:42.788: proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.788: Packet contains 4 AVPs (not shown)
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Processing Access-Challenge for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Entering Backend Auth Req state (id=3) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Sending EAP Request from AAA to mobile 58:94:6b:15:f5:d0 (EAP Id 3)
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAP Response from mobile 58:94:6b:15:f5:d0 (EAP Id 3, EAP Type 13)
*Jan 07 19:31:42.806: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.806: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.806: Callback.....................................0x87e1870
*Jan 07 19:31:42.806: protocolType.................................0x00140001
*Jan 07 19:31:42.807: proxyState...................................58:94:6B:15:F5:D0-9B:01
*Jan 07 19:31:42.807: Packet contains 13 AVPs (not shown)
*Jan 07 19:31:42.807: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.807: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:52.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00 ..
*Jan 07 19:31:52.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 Max retransmission of Access-Request (id 228) to 15.15.15.15 reached for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 [Error] Client requested no retries for mobile 58:94:6B:15:F5:D0
*Jan 07 19:32:12.533: 58:94:6b:15:f5:d0 Returning AAA Error 'Timeout' (-5) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.533: AuthorizationResponse: 0xb99ff864
Finally, we've also done some packet sniffing, using Wireshark and Commview. These appear to suggest that something is wrong with one of the packets and this leads to the authentication process to fail and restart again and again:
******************** WIRESHARK CAPTURE ********************
No. Time Source Destination Protocol Info
1 0.000000 10.10.10.10 15.15.15.15 RADIUS Access-Request(1) (id=125, l=280)
Frame 1: 322 bytes on wire (2576 bits), 322 bytes captured (2576 bits)
Ethernet II, Src: Cisco_62:63:00 (f8:66:f2:62:63:00), Dst: Cisco_55:20:41 (1c:df:0f:55:20:41)
Internet Protocol, Src: 10.10.10.10 (10.10.10.10), Dst: 15.15.15.15 (15.15.15.15)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 308
Identification: 0x501f (20511)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x4aee [correct]
Source: 10.10.10.10 (10.10.10.10)
Destination: 15.15.15.15 (15.15.15.15)
User Datagram Protocol, Src Port: filenet-rpc (32769), Dst Port: radius (1812)
Source port: filenet-rpc (32769)
Destination port: radius (1812)
Length: 288
Checksum: 0xe8e0 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x7d (125)
Length: 280
Authenticator: 79b2f31c7e67d6fdaa7e15f362ecb025
Attribute Value Pairs
AVP: l=27 t=User-Name(1): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
AVP: l=19 t=Calling-Station-Id(31): 00-21-6a-29-80-xx
AVP: l=27 t=Called-Station-Id(30): f0-25-72-70-65-c0:WLAN-XX
AVP: l=6 t=NAS-Port(5): 2
AVP: l=6 t=NAS-IP-Address(4): 10.10.10.10
AVP: l=13 t=NAS-Identifier(32): XX-002_WLAN
AVP: l=12 t=Vendor-Specific(26) v=Airespace(14179)
AVP: l=6 t=Service-Type(6): Framed(2)
AVP: l=6 t=Framed-MTU(12): 1300
AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=89 t=EAP-Message(79) Last Segment[1]
EAP fragment
Extensible Authentication Protocol
Code: Response (2)
Id: 3
Length: 87
Type: EAP-TLS [RFC5216] [Aboba] (13)
Flags(0x80): Length
Length: 77
Secure Socket Layer
AVP: l=25 t=State(24): 1d68036a000001370001828b38990000000318a3088c00
AVP: l=18 t=Message-Authenticator(80): 9fe1bfac02df3293ae2f8efc95de2d5d
No. Time Source Destination Protocol Info
2 0.060373 15.15.15.15 10.10.10.10 IP Fragmented IP protocol (proto=UDP 0x11, off=0, ID=2935) [Reassembled in #3]
Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 44
Identification: 0x2935 (10549)
Flags: 0x01 (More Fragments)
Fragment offset: 0
Time to live: 122
Protocol: UDP (17)
Header checksum: 0x58e0 [correct]
Source: 15.15.15.15 (15.15.15.15)
Destination: 10.10.10.10 (10.10.10.10)
Reassembled IP in frame: 3
Data (24 bytes)
0000 07 14 80 01 05 69 e8 f5 0b 7d 05 61 6c 83 00 ae .....i...}.al...
0010 d0 75 05 c3 56 29 a7 b1 .u..V)..
No. Time Source Destination Protocol Info
3 0.060671 15.15.15.15 10.10.10.10 RADIUS Access-challenge(11) (id=125, l=1377)
Frame 3: 1395 bytes on wire (11160 bits), 1395 bytes captured (11160 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1381
Identification: 0x2935 (10549)
Flags: 0x00
Fragment offset: 24
Time to live: 122
Protocol: UDP (17)
Header checksum: 0x73a4 [correct]
Source: 15.15.15.15 (15.15.15.15)
Destination: 10.10.10.10 (10.10.10.10)
[IP Fragments (1385 bytes): #2(24), #3(1361)]
User Datagram Protocol, Src Port: radius (1812), Dst Port: filenet-rpc (32769)
Source port: radius (1812)
Destination port: filenet-rpc (32769)
Length: 1385
Checksum: 0xe8f5 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: Access-challenge (11)
Packet identifier: 0x7d (125)
Length: 1377
Authenticator: 6c8300aed07505c35629a7b14de483be
Attribute Value Pairs
AVP: l=6 t=Session-Timeout(27): 30
Session-Timeout: 30
AVP: l=255 t=EAP-Message(79) Segment[1]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[2]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[3]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[4]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[5]
EAP fragment
AVP: l=33 t=EAP-Message(79) Last Segment[6]
EAP fragment
Extensible Authentication Protocol
Code: Request (1)
Id: 4
Length: 1296
Type: EAP-TLS [RFC5216] [Aboba] (13)
Flags(0xC0): Length More
Length: 8184
Secure Socket Layer
[Malformed Packet: SSL]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
******************** COMMVIEW CAPTURE ******************
Packet #6, Direction: Pass-through, Time:11:27:35,251292, Size: 323
Ethernet II
Destination MAC: 1C:DF:0F:55:20:xx
Source MAC: F8:66:F2:62:63:xx
Ethertype: 0x0800 (2048) - IP
IP
IP version: 0x04 (4)
Header length: 0x05 (5) - 20 bytes
Differentiated Services Field: 0x00 (0)
Differentiated Services Code Point: 000000 - Default
ECN-ECT: 0
ECN-CE: 0
Total length: 0x0135 (309)
ID: 0x2B26 (11046)
Flags
Don't fragment bit: 1 - Don't fragment
More fragments bit: 0 - Last fragment
Fragment offset: 0x0000 (0)
Time to live: 0x40 (64)
Protocol: 0x11 (17) - UDP
Checksum: 0x6FE6 (28646) - correct
Source IP: 161.86.66.49
Destination IP: 15.15.15.15
IP Options: None
UDP
Source port: 32769
Destination port: 1812
Length: 0x0121 (289)
Checksum: 0x5824 (22564) - correct
Radius
Code: 0x01 (1) - Access-Request
Identifier: 0x8D (141)
Packet Length: 0x0119 (281)
Authenticator: 60 4E A6 58 A8 88 A2 33 4E 56 D0 E9 3B E0 62 18
Attributes
Attribute
Type: 0x01 (1) - User-Name
Length: 0x1A (26)
Username: XXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
Attribute
Type: 0x1F (31) - Calling-Station-Id
Length: 0x11 (17)
Calling id: 58-94-6b-15-5f-xx
Attribute
Type: 0x1E (30) - Called-Station-Id
Length: 0x19 (25)
Called id: f0-25-72-70-65-c0:WLAN-XX
Attribute
Type: 0x05 (5) - NAS-Port
Length: 0x04 (4)
Port: 0x00000002 (2)
Attribute
Type: 0x04 (4) - NAS-IP-Address
Length: 0x04 (4)
Address: 10.10.10.10
Attribute
Type: 0x20 (32) - NAS-Identifier
Length: 0x0B (11)
NAS identifier: XX-002_WLAN
Attribute
Type: 0x1A (26) - Vendor-Specific
Length: 0x0A (10)
Vendor id: 0x00003763 (14179)
Vendor specific:
Attribute
Type: 0x06 (6) - Service-Type
Length: 0x04 (4)
Service type: 0x00000002 (2) - Framed
Attribute
Type: 0x0C (12) - Framed-MTU
Length: 0x04 (4)
Framed MTU: 0x00000514 (1300)
Attribute
Type: 0x3D (61) - NAS-Port-Type
Length: 0x04 (4)
NAS port type: 0x00000013 (19) - Wireless - IEEE 802.11
Attribute
Type: 0x4F (79) - EAP-Message
Length: 0x57 (87)
EAP-Message
Attribute
Type: 0x18 (24) - State
Length: 0x17 (23)
State: 1F 38 04 12 00 00 01 37 00 01 82 8B 38 99 00 00 00 03 18 A6 82 B7 00
Attribute
Type: 0x50 (80) - Message-Authenticator
Length: 0x10 (16)
Message-Authenticator: 4F 13 92 9C 10 29 C5 3A B9 AE 92 CA 74 11 6C B5
Packet #28, Direction: Pass-through, Time:11:27:36,523743, Size: 62
Ethernet II
Destination MAC: F8:66:F2:62:63:xx
Source MAC: 1C:DF:0F:55:20:xx
Ethertype: 0x0800 (2048) - IP
IP
IP version: 0x04 (4)
Header length: 0x05 (5) - 20 bytes
Differentiated Services Field: 0x00 (0)
Differentiated Services Code Point: 000000 - Default
ECN-ECT: 0
ECN-CE: 0
Total length: 0x002C (44)
ID: 0x4896 (18582)
Flags
Don't fragment bit: 0 - May fragment
More fragments bit: 1 - More fragments
Fragment offset: 0x0000 (0)
Time to live: 0x7A (122)
Protocol: 0x11 (17) - UDP
Checksum: 0x397F (14719) - correct
Source IP: 15.15.15.15
Destination IP: 10.10.10.10
IP Options: None
UDP
Source port: 1812
Destination port: 32769
Length: 0x0569 (1385)
Checksum: 0x2FE4 (12260) - incorrectHi,
We spent many hours trying to solve this problem.
Our setup:
Cisco wireless setup, using windows NPS for 802.1x authentication.
Certificate base auth, with an internal PKI sending out client machine certs, and also the server cert.
Auth was failing with "reason code 22, The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
It turned out to be a GPO setting on the server, that was enforcing key protection.
There is this note on the below technet article:
Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
Hopefully this helps someone out, if you have the same annoying error. -
EAP-TLS Authentication failure happening in ACS for Wireless End User Authentication
Hi All,
We have the Win 3.2 ACS setup in the production environment, We are migrating it with 4.2 Appliance version. We have succesfully migrated the database and other stuffs from 3.2 to 4.2. Same way we have exported the certificates from 3.2 to 4.2 and installed it.
We have the leap as well as eap-tls in the authentication part.
We were able to test successfully with the leap. But when it comes to eap-tls. In 4.2 version its throwing the error.
5/3/2011
23:16:38
Authen failed
[email protected]
EAP-TLS users
0023.1413.de18
(Default)
EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake
21356
10.121.198.38
13
EAP-TLS
ap-1242b4
Bangalore APs
We have used the same certficate exported and installed in the 4.2 version. But its working in the existing 3.2 version and why it is not working with the 4.2 version.
Could anyone help me out in this?
Regards
KarthikHi,
Looks like the CA Cert is not installed on the ACS.
The following link will help you install the CA cert.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp327056
Also trust the CA certificate in the Edit trust list list.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
Hi ,
I am trying to set up a mixed vendor NIC wireless environment and have opted to use EAP-TLS. I am however having some problems getting it to work. I am using AP1100, Aironet 350 PCMCIA cards , Microsoft CA, and ACS3.1. I have successfully setup the client and ACS side certificates and followed the instructions on the EAP-TLS Deployment Guide for Wireless networks which I downloaded off CCO. When I run a "debug radius" on the Access point I dont see any debug info. When I reconfigure everything for LEAP I can then see the AP radius debugs. Does anyone have any tips or recommendations ? I have upgraded XP to service pack 1 ? If you could perhaps direct me to a more comprehensive installation document I would also appreciate it .
Many thanksHi,
unfortunately I have no answer for your current issues. I have post this message to ask for your help. I have the same issue that you talk about.
I'm trying to deploy a WLAN with EAP-TLS XP clients but without success. With LEAP all work fine and I can see AP debugs but not with EAP-TLS.
I think certificates works fine because the same user unable to authenticate with AP1100 is able to authenticate with EAP-TLS with Catalyst 2950.
I have see the following messages in EAPOL.log
(Win XP Prof. with SP1)
[1144] 17:41:25: ElProcessEapConfigChange: Modified SSID non-NULL, PCB SSID NULL
[1144] 17:41:25: ElProcessEapConfigChange: Finished with error 0
Please, could you tell me your workaround?
Thanks in advance. -
I have several Aironet 1100 AP's which are configure to use EAP/TLS to authenticate against a Cisco ACS server.
We are using Aironet 350 pcmcia cards. This setup had been working up until friday when we moved the ACS server to a new IP address. Since then if I try to connect using the Cisco software bundled with the 350 pcmcia card it fails authentication. If I use the windows wireless config it works perfectly. Unfortuantley most of the pcs are running win 2000 so I need to get the cisco software working again.
In ACS failed Auth logs I get the following message "Invalid message authenticator in EAP request" but from the other AP's I see nothing in the logs.
I have checked the keys are correct and the user certificate is ok as I can connect using the inbuilt Win XP config util.
I'm at a bit of a loss as to what to do next.Hi Rob,
The error is common for 802.1x.
You mentioned the problem started when you assigned new IP to the ACS. Have you tried to generate new ACS cert (running on new IP) again and load it to the client?
*http://www.ciscotaccc.com/kaidara-advisor/wireless/showcase?case=K56560228
*http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
*http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml
Rgds,
AK -
EAP-TLS authentication with ACS 5.2
Hi all,
I have question on EAP-TLS with ACS 5.2.
If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place?
Understand that the cert are required on both client and server end, but is this certificate ties to the machine or ties to individual user?
If ties to user, and I have a shared PC which login by few users, is that mean every user account will have their own certificates?
And every individual user will have to manually get the cert from CA? is there any other method as my environment has more than 3000 PCs.
And also if it ties to user, all user can get their cert from CA with their AD login name and password, if they bring in their own device and try to get the cert from CA, they will be able to successfully install the cert into their device right?
Hope you guys can help on this. THanks.Yes, you can configure:
machine authentication only
user authentication only
Machine and user authentication.
Machine or user authentication
So machine authentication only is quite common scenarion. Correct, as long as machine is a part of a domain, you will be authenticated via machine authentication.
PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username and the format is:
host/computer.domain
If the machine is a valid machine in the domain then during the boot process, once the HAL is loaded, the system begins loading device drivers to support the various hardware devices configured on the client in question. After loading the device drivers, the network interface is initialized. At this point, machine start getting ip address and once it done, the user may have access to most of the network.
Regards,
Jatin -
I have recently purchased the E71 and am trying to connect to my WLan at work. It uses 802.1x authentication and I have now installed the correct security certificate. It seems that no matter what EAP plugin I use, TLS TTLS PEAP FAST etc I get an authentication error. There are a whole lot of settings that I don't understand. Can anyone walk me through the setup who has been there before.
Much appreciated
ian S
Christchurch, NZI had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
Hope this helps. -
802.1X EAP-PEAP Authentication issue
Hi Experts,
I am experiencing an issue where the authentication process for two of my Wireless networks prompts the user to enter their credentials at least two times before letting them onto the network.
The networks in question are set up identically, here is an overview:
Layer 2 security is WPA & WPA2
WPA - TKIP
WPA2 - AES
Auth Key Management is 802.1X
Radius Servers are microsoft Windows 2008 Network Policy Service (Used to be IAS) - All users are in Active Directory and IAS policy allows access absed on AD group.
This has all worked fine previously and still works fine if you enter the username/password combo at least twice on the initial profile setup. (For info, once the wireless profile is setup, you do not get prompted for credentials again, so this issue is ony during intial setup)
We have recently added another WLAN that uses web auth, pointing to a RADIUS server to. In order to get this going, we changed the "Web Radius Authentication" setting to "CHAP" from "PAP" under the Controller . General config.
This is the only change I can think of that could possibly be relevant.
Would anyone be able to shed any light on why I would be prompted to authenticate twice? Affected clients are Windows 7 and Mac OSX at the mo.
Debugs as follows:
*Oct 11 16:12:10.237: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:13:5f:fb:0f:40(0)
*Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 23) in 5 seconds
*Oct 11 16:12:10.237: 00:23:12:08:25:28 apfProcessProbeReq (apf_80211.c:4598) Changing state for mobile 00:23:12:08:25:28 on AP 00:13:5f:fb:0f:40 from Idle to Probe
*Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.238: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:10.388: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.077: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.228: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.229: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:11.239: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.296: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.305: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.317: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.448: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.449: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.458: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.459: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.600: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:14.610: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.868: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:16.878: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:17.031: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:19.927: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:19.934: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.090: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.233: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:20.243: 00:23:12:08:25:28 Scheduling deletion of Mobile Station: (callerId: 24) in 5 seconds
*Oct 11 16:12:24.941: 00:23:12:08:25:28 apfMsExpireCallback (apf_ms.c:417) Expiring Mobile!
*Oct 11 16:12:24.941: 00:23:12:08:25:28 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:13:5f:fb:0f:40]
*Oct 11 16:12:24.941: 00:23:12:08:25:28 Deleting mobile on AP 00:13:5f:fb:0f:40(0)
*Oct 11 16:12:25.219: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:11:5c:14:6d:d0(0)
*Oct 11 16:12:25.219: 00:23:12:08:25:28 Reassociation received from mobile on AP 00:11:5c:14:6d:d0
*Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (8): 139 150 24 36 48 72 96 108 0 0 0 0 0 0 0 0
*Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (10): 139 150 24 36 48 72 96 108 12 18 0 0 0 0 0 0
*Oct 11 16:12:25.219: 00:23:12:08:25:28 Processing RSN IE type 48, length 20 for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.219: 00:23:12:08:25:28 Received RSN IE with 0 PMKIDs from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Initializing policy
*Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
*Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
*Oct 11 16:12:25.220: 00:23:12:08:25:28 apfPemAddUser2 (apf_policy.c:208) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Idle to Associated
*Oct 11 16:12:25.220: 00:23:12:08:25:28 Stopping deletion of Mobile Station: (callerId: 48)
*Oct 11 16:12:25.220: 00:23:12:08:25:28 Sending Assoc Response to station on BSSID 00:11:5c:14:6d:d0 (status 0)
*Oct 11 16:12:25.220: 00:23:12:08:25:28 apfProcessAssocReq (apf_80211.c:4310) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Associated to Associated
*Oct 11 16:12:25.223: 00:23:12:08:25:28 Disable re-auth, use PMK lifetime.
*Oct 11 16:12:25.223: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
*Oct 11 16:12:25.223: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Connecting state
*Oct 11 16:12:25.223: 00:23:12:08:25:28 Sending EAP-Request/Identity to mobile 00:23:12:08:25:28 (EAP Id 1)
*Oct 11 16:12:25.243: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.243: 00:23:12:08:25:28 Received Identity Response (count=1) from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.243: 00:23:12:08:25:28 EAP State update from Connecting to Authenticating for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.243: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticating state
*Oct 11 16:12:25.243: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.250: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.250: 00:23:12:08:25:28 Entering Backend Auth Req state (id=2) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.251: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 2)
*Oct 11 16:12:25.260: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.262: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 2, EAP Type 25)
*Oct 11 16:12:25.262: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.265: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.265: 00:23:12:08:25:28 Entering Backend Auth Req state (id=3) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.265: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 3)
*Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 3, EAP Type 25)
*Oct 11 16:12:25.269: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.270: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.271: 00:23:12:08:25:28 Entering Backend Auth Req state (id=4) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.271: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 4)
*Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 4, EAP Type 25)
*Oct 11 16:12:25.274: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.275: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.275: 00:23:12:08:25:28 Entering Backend Auth Req state (id=5) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.275: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 5)
*Oct 11 16:12:25.285: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.286: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 5, EAP Type 25)
*Oct 11 16:12:25.286: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.292: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.292: 00:23:12:08:25:28 Entering Backend Auth Req state (id=6) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.292: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 6)
*Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 6, EAP Type 25)
*Oct 11 16:12:25.318: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.320: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.320: 00:23:12:08:25:28 Entering Backend Auth Req state (id=7) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.320: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 7)
*Oct 11 16:12:25.321: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:12:25.323: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 7, EAP Type 25)
*Oct 11 16:12:25.323: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.326: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.326: 00:23:12:08:25:28 Entering Backend Auth Req state (id=8) for mobile 00:23:12:08:25:28
*Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
At this point, the username and password dialog pops up again.
If credentials are not entered, the following timeout message pops up....
*Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
If the credentials are re-entered the it continues:
*Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 8, EAP Type 25)
*Oct 11 16:13:01.094: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.098: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.098: 00:23:12:08:25:28 Entering Backend Auth Req state (id=9) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.098: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 9)
*Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 9, EAP Type 25)
*Oct 11 16:13:01.102: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.106: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.106: 00:23:12:08:25:28 Entering Backend Auth Req state (id=10) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.106: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 10)
*Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 10, EAP Type 25)
*Oct 11 16:13:01.108: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Processing Access-Accept for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Setting re-auth timeout to 7200 seconds, got from WLAN config.
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Creating a PKC PMKID Cache entry for station 00:23:12:08:25:28 (RSN 2)
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Adding BSSID 00:11:5c:14:6d:d3 to PMKID cache for station 00:23:12:08:25:28
*Oct 11 16:13:01.113: New PMKID: (16)
*Oct 11 16:13:01.113: [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
*Oct 11 16:13:01.113: 00:23:12:08:25:28 Disabling re-auth since PMK lifetime can take care of same.
*Oct 11 16:13:01.116: 00:23:12:08:25:28 PMK sent to mobility group
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAP-Success to mobile 00:23:12:08:25:28 (EAP Id 10)
*Oct 11 16:13:01.116: Including PMKID in M1 (16)
*Oct 11 16:13:01.116: [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Starting key exchange to mobile 00:23:12:08:25:28, data packets will be dropped
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Entering Backend Auth Success state (id=10) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.116: 00:23:12:08:25:28 Received Auth Success while in Authenticating state for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.116: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticated state
*Oct 11 16:13:01.996: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
*Oct 11 16:13:01.997: 00:23:12:08:25:28 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.999: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-key in PTK_START state (message 2) from mobile 00:23:12:08:25:28
*Oct 11 16:13:01.999: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
*Oct 11 16:13:02.000: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.02
*Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
*Oct 11 16:13:02.002: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
*Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:23:12:08:25:28
*Oct 11 16:13:02.002: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
*Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Oct 11 16:13:02.006: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4391, Adding TMP rule
*Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumbo F
*Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Oct 11 16:13:02.007: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
*Oct 11 16:13:02.010: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Oct 11 16:13:02.010: 00:23:12:08:25:28 Sent an XID frame
*Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
*Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
*Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4072, Adding TMP rule
*Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumb
*Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Oct 11 16:13:03.909: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*Oct 11 16:13:03.909: 00:23:12:08:25:28 Sent an XID frame
*Oct 11 16:13:04.879: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selecting relay 1 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0 VLAN: 0
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selected relay 1 - 172.19.0.50 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP xid: 0x53839a5f (1401133663), secs: 4, flags: 0
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP chaddr: 00:23:12:08:25:28
*Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP siaddr: 0.0.0.0, giaddr: 172.23.24.2
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP requested ip: 172.23.26.53
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selecting relay 2 - control block settings:
dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
dhcpGateway: 0.0.0.0, dhcpRelay: 172.23.24.2 VLAN: 110
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selected relay 2 - 172.19.0.51 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
*Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP xid: 0x53839a5f (1401133663), secs: 4, flags: 0
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP chaddr: 00:23:12:08:25:28
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP siaddr: 0.0.0.0, giaddr: 172.23.24.2
*Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP requested ip: 172.23.26.53
*Oct 11 16:13:04.885: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
*Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
*Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP setting server from ACK (server 172.19.0.50, yiaddr 172.23.26.53)
*Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 RUN (20) Reached PLUMBFASTPATH: from line 4856
*Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Replacing Fast Path rule
type = Airespace AP Client
on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
ACL Id = 255, Jumbo Frames = N
*Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*Oct 11 16:13:04.891: 00:23:12:08:25:28 Assigning Address 172.23.26.53 to mobile
*Oct 11 16:13:04.891: 00:23:12:08:25:28 DHCP sending REPLY to STA (len 430, port 29, vlan 0)
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP transmitting DHCP ACK (5)
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP xid: 0x53839a5f (1401133663), secs: 0, flags: 0
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP chaddr: 00:23:12:08:25:28
*Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP ciaddr: 0.0.0.0, yiaddr: 172.23.26.53
*Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP server id: 1.1.1.1 rcvd server id: 172.19.0.50
*Oct 11 16:13:04.898: 00:23:12:08:25:28 172.23.26.53 Added NPU entry of type 1, dtlFlags 0x0
*Oct 11 16:13:04.900: 00:23:12:08:25:28 Sending a gratuitous ARP for 172.23.26.53, VLAN Id 110
*Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
*Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP dropping ACK from 172.19.0.51 (yiaddr: 172.23.26.53)
At this point, the client is connected and everything is working.Hi,
It looks like some issue on the client side...
Thelogs presented here are not related with the Web Auth WLAN and it has no impact on the behavior you are seeing.
Looking at the logs:
*Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
At this point, the username and password dialog pops up again.
If credentials are not entered, the following timeout message pops up....
*Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
If the credentials are re-entered the it continues:
*Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
*Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
===================
This logs show exactly what you describe...
The AAA sends an EAP request asking for the credentials.
The login pops up and the EAP timeout starts decrementing.
If the user does not enter credentials, it will expire and another EAP Request is sent.
If you let the EAP timeout it is expected that you enter credentials twice, if by the time you press enter, the timeout has already expired.
As you say, if you have a profile configured, this should not happen and the authentication should be smooth.
HTH,
Tiago -
ISE - EAP-TLS authentication with multi-tier PKI
Hi Cisco Support Community,
and again I'm struggling with my ISE understanding. It's kind of frustrating - daily more and more questions arise :)
Here's the thing and I hope some of the ISE experts here know the answer:
I want to authenticate my wired and wireless clients using 802.1X. I'm using a multi-tier PKI (see picture below)
The ISE uses a certificate from the "Signing CA1" (Chain: Root CA - Signing CA1).
The clients uses a certificate from the "Signing CA2" (Chain: Root CA - Intermediate CA1 - Signing CA2).
Do I have to add the complete client certificate chain (Signing CA2, Intermediate CA1, Root CA) to the ISE trusted certificates in order to authenticate the client? Or is it enough for example just to add the root CA or the intermediate CA? I couldn't find any hints in the admin guide (1.3)
Thanks in advance!Hello Johannes-
You will need to add the root and all/any intermediate certificates in the trusted certificate store of ISE.
Thank you for rating helpful posts! -
802.1x eap-tls machine + user authentication (wired)
Hi everybody,
right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
<key>SetupModes</key>
<array>
<string>System</string>
<string>Loginwindow</string>
</array>
<key>PayloadScope</key>
<string>System</string>
but it does not work
2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
ThanksUnfortunatelly this documents do not describe how to do what I want.
I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
The certificates are in my System keychain.
Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
Any ideas ? -
Hi,
we have an issue with eap-tls authentication with SAN (Subject Alternate Name). The authentication uses the CN instead of SAN.
Our enviroment is so build:
1 LWAPP Cisco AP
1 WLC & 1 WCS
1 ACS (4.2.(1) Build 15 Patch 3)
1 CA (Certification Authority enTrust)
1 Windows 8.1 Client
The ACS global authentication configuration is attacched to the discussion.
The ACS certification is loaded correctly and the CA is trusted.
On the client the user certificate is correctly loaded.
In the Failed Attempts I can found in the username field the CN of user's certificate but i cannot see the SAN.
Thanks in advanceIt should not happen, Please check the error codes from here
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.3/troubleshooting/guide/ecodes.html -
ACS 5.3, EAP-TLS Machine Authentication with Active Directory
I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
Note: In my Identity Store Sequence, I did enable the option:
For Attribute Retrieval only:
If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
but this only seems to work for internal identity stores (at least based on my testing)
Under my Access Policy Identity tab, I configured the following Advanced features:
Advanced Options
If authentication failed
RejectDropContinue
If user not found
RejectDropContinue
If process failed
RejectDropContinue
And that didn't do anything either.
Any ideas? Thanks in advance.Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
Then can make a rule in the authorization policy such as
If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess" -
ISE 802.1x EAP-TLS machine and smart card authentication
I suspect I know the answer to this, but thought that I would throw it out there anway...
With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card authentication simultaneously for wired/wireless clients (specifically Windows 7/8, but Linux or OSX would also be good). I can find plenty of information regarding 802.1x machine authentication (EAP-TLS) and user password authentication (PEAP), but none about dual EAP-TLS authentication using certificates for machines and users at the same time. I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end. For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other. Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.Hope this video link will help you
http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls
Maybe you are looking for
-
Unable to run a report as an Applet Getting error
Crystal Report Server 8.5 version using "JavaPluginViewer.asp" from ASP file. Here is the log on Java Console. Java Plug-in 1.6.0_16 Using JRE version 1.6.0_16-b01 Java HotSpot(TM) Client VM User home directory = C:\Users\xxxxxxx network: Loading
-
I can't safe reboot if I choose my user account, no problem with the rest or user's accounts
Hi to all, Since I've installed ML and also after 10.8.1 upgrade, my account is behaving very strangely. It does seem to work, but every time I restart in my account, it takes ages and starts up app I've already closed (as if it was frozen when resta
-
How to Use Exec function in Java Code
How to Use Exec method I want to Execute command net Start "some service" using exec method of runtime class or i use some other way if suggest
-
Apple TV2 - rental system "needs improvement"
Hi...I own an iPod Nano, an iPod Touch, two iPhones, an iPad, and two Apple TVs (one new#1, one old-the big first one) -- not to mention four Apple Towers and a laptop. Suffice it to say.. I support Apple; I love Apple. Go Apple! But the Apple TV2 le
-
My back arrow on the task bar went away. How can I get it back?
I think I did some kind of keystroke thing. "remove item" came up when I was trying to back to a previous screen of pictures. I do not think I accepted the command as I was surprised to see it. How can I get the "back" arrow back? Craig