EAP-TLS client security policy enforcement question using ISE
Hi Experts,
I have a remote site connected to the HQ wireless controller, and Cisco ISE is used as the RADIUS server. I am using the EAP-TLS authentication method, where the client validates the server certificate and the server validates the client certificate.
I am using EAP-TLS with machine authentication.
In the case of server certificate installation using an internal PKI (Root CA) server, I am quite clear that we can create a certificate in ISE and have it signed by the CA, which will then be used for EAP-TLS as well. However, I am trying to understand the client certificate installation.
How does the client get a certificate from the CA? Is there any mechanism used by AD to import the certificate automatically to all the clients?
And more important, which certificate will be installed on the client machines? Do we need to create the certificate first from the CA and save it in a repository, and later install the same on the client machines? Sorry, this could be a Microsoft AD related question, however I am pretty sure that we as wireless techies need to know even the client side configuration.
This is all about certificate installation. How about the entire security policy which is used for EAP-TLS?
How will the client wireless network adapter properties be automatically configured with the same SSID that is configured with EAP-TLS, along with certificate validation?
I am not sure... will it get pushed through AD? How will it happen?
It would be really helpful if someone could shed light on this.
Hello Vino,
Some answers below:
How does the client get a certificate from the CA? Is there any mechanism used by AD to import the certificate automatically to all the clients?
You have templates in the certificate authority for user or machine certificates, and you can apply these certificates to a group of machines or users using GPO in Windows Server 2008.
It can be automatic because the machine can get it using GPO from the domain, and afterwards it can authenticate using 802.1X with the certificates received from this policy.
If you want a user certificate and want to get it manually, you can also access the CA using the URL https://X.X.X.X/certsrv, request the user certificate manually using your domain credentials, and install it manually to authenticate using EAP-TLS with this user certificate.
On the Cisco ISE side, it needs to have a local certificate from the same CA as the client or from another CA, and Cisco ISE needs to trust the clients' CA issuer to accept the client certificate and allow the client access to the network.
On the client side the same happens: the client needs to trust the issuer CA of the Cisco ISE certificate in order to validate the ISE certificate and get access to the network.
And more important, which certificate will be installed on the client machines? Do we need to create the certificate first from the CA and save it in a repository, and later install the same on the client machines? Sorry, this could be a Microsoft AD related question, however I am pretty sure that we as wireless techies need to know even the client side configuration.
If you have a Windows Server with GPO and a CA configured, you can use templates to automatically apply a machine certificate or user certificate to a group of machines or users. In the case of machines it can be obtained from the domain using GPO, and in the case of user certificates it can be obtained manually or using GPO too.
This is all about certificate installation. How about the entire security policy which is used for EAP-TLS?
EAP-TLS is the most secure method to authenticate devices on the network, because you have certificates and a trusted certificate authority, and only devices that have certificates from these CAs will be allowed to access the network.
Another very secure method is EAP-FAST with machine and user certificates, where ISE will validate both the machine and the user certificate before allowing the device access to the network.
How will the client wireless network adapter properties be automatically configured with the same SSID that is configured with EAP-TLS, along with certificate validation?
You can apply it too using GPO in Windows Server to a domain machine, but when you have a machine that is not a domain machine you can use a user certificate to authenticate it; you need to install the user certificate manually on that machine to authenticate the user to the wireless network and create the SSID specifying EAP-TLS as the policy.
Remember that the client machine needs to have the issuer CA of the Cisco ISE certificate in order to trust Cisco ISE and get access to the network, and the opposite too (ISE needs to have the issuer CA to trust the client).
I hope it helps.
Similar Messages
-
MFE server security policy enforcement on N900
Is the N900 capable of handling the Exchange server's security policy enforcement as the E-series is?
Or is there the same problem as with earlier N-series phones? -
I am setting up a WLC with the clients using EAP-TLS (machine authentication only). We are using ACS 3.2, which is part of AD. The problem is that the ACS is also being used to authorize users for Internet access.
So if I enable the Unknown User Policy to AD for EAP-TLS machine authentication, this will break what is being done for Internet access.
Any ideas that don't include entering every machine and user name in the local database? I was wondering if I could set up a wildcard user of host/* that points to AD.
Is there a way to make this work without configuring the Unknown User Policy to point to AD?
Thank you!
Log onto the ACS server itself as the local administrator.
Browse to the Bin directory in the ACS program directory.
Run the program there called CSSupport.
Select "Run Wizard" and click Next.
Check all the boxes, create the file for the last 3 days and click Next.
Again click Next.
Select "Set Diagnostic Log Verbosity to Maximum." and click Next.
Click Next, then click Finish.
In an environment where there is more than one global catalog server for the domain, ACS will not search for the "secondary" catalog server if the "primary" goes down.
Condition: ACS is installed on a domain member server.
Workaround: Restart csauth.exe.
Let me know if restarting CSAuth makes any difference -
EAP-TLS User and machine authentication question
Hello,
I have a question regarding EAP-TLS authentication in a wireless environment. We use the Cisco AnyConnect NAM client and an ACS 5.1 to do EAP-TLS authentication. The laptop and the user can be successfully authenticated using a certificate from our internal CA. I can also check in our corporate AD whether the user and machine are members of a certain group and, based on the membership, grant access to the network.
I can see in the ACS when the laptop logs on to the network after a reboot, but I don't see a log when the laptop comes back from hibernate mode. I guess this is normal because the laptop only sends the authentication request after rebooting.
What I'd like to achieve is that when a user logs on, it should always be checked whether the machine was authenticated before the user can get access to the network. Is there a way to do this with EAP-TLS and an LDAP connection to Active Directory?
Thanks in advance
alex
Sounds like you rather want to use PEAP/MSChapV2
-
How to create a custom java client Security Policy File?
I have a stand-alone java client which invokes a .NET WSE 3.0 enabled web service. The web service SOAP header requires username token to be passed from my java client.
Could some one kindly provide a sample of a client-side Security Policy File?
Your help is very much appreciated.
Mike
This is still a workaround...
But if you put checks on all your forms to see if the user has accepted the terms (assumes there is an attribute tracking this) then you can redirect the user to the terms/conditions forms. Still not spoof-proof, but it would be bookmark proof. (and a pain if you have too many forms) -
Why is the security policy restricting the use of the camera on my phone?
I started off being able to use my camera. I encrypted the phone but then I decrypted the phone. Now I cannot use the camera on my Samsung Galaxy s5. Please help.
Oh no GreatApe! I am sorry that you have been having issues with your camera! We want you to be able to snap away and take all the pictures you want! Are you getting an error? Let us know so that we can investigate further!
ErinW_VZW
Follow us on Twitter @VZWSupport -
Will the CA cert be pushed along with the server cert to the client in EAP-TLS?
Hi All,
I'm aware that in EAP-TLS the server-side cert will be pushed to the wireless client. I'm wondering if the CA root cert of the RADIUS server will be pushed as well. If not, I guess the client must have the CA cert pre-installed. Is there any documentation that describes this?
Thanks in advance.
Robert
Thanks Scott.
I'm a little bit confused. Based on the following URL, somebody said the server will send the server cert and the CA. Can you show me the documentation that explains this in detail?
http://security.stackexchange.com/questions/47932/why-is-a-ca-certificate-required-for-eap-tls-clients
When the server sends a certificate, it actually sends a certificate chain, including the CA which issued it, and the CA above it, and so on, up to the root (the root itself may be sent, but this is optional). -
Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921
Hi All,
I installed a WLC to provide a WLAN architecture, and the project was extended for VoWLAN. We have 7921 and E51 phones running over the wide WLAN architecture.
Computers using data over wireless are working over PEAP, done by ACS with a CA-signed certificate plus a user secret; on the PC this is linked to the domain account, and the secret stays the login and password. Our problem is that the user and password are linked via ACS to Active Directory, and the password policy is to change it frequently.
For the phones we are actually running authentication over LEAP, but I'm working to define the best security solution for us.
I am comparing PEAP and EAP-TLS for now:
1) PEAP checks the authentication of ACS via certificate trust and authenticates via MS-CHAPv2 with the secret password known by the user. My problem here is that the phone can only be static, which is potentially not acceptable.
2) EAP-TLS, which is the best secured option due to the double-sided certificate authentication + (login/password) on the phone.
So I need to manage certificate management here? I mean I can use either the MIC CA certificate on the phone or a user-defined CA one which I can put on ACS or local EAP WLC, and then put the ACS CA trust on the phone.
If I understood well, I have to put User.cer and ACS_CA.cer on each phone and put the User_CA on the ACS?
I already have a certificate on the ACS signed by a CA (like VeriSign), so I must create a CSR for every phone to be able to use the same CA?
I'm thinking of also using the local EAP certificate of the controller to manage all of that, to avoid any potential money to pay to the trusted CA of the ACS.
Can you help me to know if I understood everything correctly? I would be pleased to exchange experience on that.
thanks ;)
bye
I am currently using EAP-TLS authentication for my wireless users using ACS 3.2. I have had that problem before. This is what I did...
Set up a Microsoft Certificate server as my CA. You can use the same machine for your ACS and CA.
Then generate a certificate signing request from ACS, request a server certificate from the CA, then copy and install the certificate on ACS. On the ACS, go to Global Authentication Setup and check the EAP-TLS certificate. If it fails to respond, it means that the server certificate is not properly set up.
On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (e.g. http://CAip/certsrv), but this time request a client certificate. The name you put when requesting the cert must be your local Windows user; use 1024, and choose Microsoft Base Cryptographic Provider 1.0. Then install the certificate on the client. Verify that your client certificate was installed properly.
At that point you should be able to connect your wireless client using EAP-TLS. -
EAP-TLS and ISE 1.1 with AD certificates
Hello,
I am trying to configure EAP-TLS authentication with AD certificates.
All ISE servers are joined to AD
I have the root certificate from the CA for Active Directory installed on the ISE servers
I created the certificate authentication profile using the root certificate
I have PEAP\EAP-TLS enabled as my allowed protocol
I am getting the following error for authentication:
"11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12814 Prepared TLS Alert message
12817 TLS handshake failed
12309 PEAP handshake failed"
I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
Any other issues I am missing?
Thanks,
Michael Wynston
Senior Solutions Architect
CCIE# 5449
Email: [email protected]
Phone: (212)401-5059
Cell: (908)413-5813
AOL IM: cw2kman
E-Plus
http://www.eplus.com
Please review the below links which might be helpful:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf -
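The step list in the post above already answers half of the question before any link is read: ISE proposed EAP-TLS, the supplicant NAKed it and asked for PEAP, and the TLS alert is logged as "Prepared", i.e. ISE built it itself right after the ClientHello, with no ServerHello in between. Pulling those facts out of an ISE step list is worth automating, since the same pattern recurs in every EAP-TLS rollout. The following is an added example, not Cisco's code and not from the thread, using the posted steps as constructed input:

```python
"""Reconstruct the EAP negotiation from Cisco ISE 'Steps' lines.

Added example, not part of the thread. STEPS is the step list quoted in the
post above, reused as constructed input. The parser relies only on the
five-digit step code and the message ISE prints next to it, so it runs on
any such list pasted from the ISE live-log detail page.
"""
import re

STEPS = """\
"11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12814 Prepared TLS Alert message
12817 TLS handshake failed
12309 PEAP handshake failed"
"""

STEP_RE = re.compile(r'^\s*"?(\d{5})\s+(.*?)"?\s*$')
PROPOSE_RE = re.compile(r"proposing (\S+) with challenge")
NAK_RE = re.compile(r"NAK requesting to use (\S+) instead")
ACCEPT_RE = re.compile(r"accepting (\S+) as negotiated")


def summarise(step_text):
    """Describe what ISE proposed, what the supplicant asked for instead,
    what was finally negotiated, and who (if anyone) aborted TLS."""
    s = {"proposed": [], "requested_instead": [], "negotiated": None,
         "tls_started": False, "server_hello_sent": False,
         "alert_sent_by": None, "last_step": None}
    for raw in step_text.splitlines():
        m = STEP_RE.match(raw)
        if not m:
            continue
        code, msg = m.groups()
        s["last_step"] = code
        for regex, key in ((PROPOSE_RE, "proposed"), (NAK_RE, "requested_instead")):
            hit = regex.search(msg)
            if hit:
                s[key].append(hit.group(1))
        hit = ACCEPT_RE.search(msg)
        if hit:
            s["negotiated"] = hit.group(1)
        if "TLS handshake started" in msg:
            s["tls_started"] = True
        # ISE logs what it builds as "Prepared ..." and what the client sent as "Extracted ..."
        if "ServerHello" in msg and msg.startswith("Prepared"):
            s["server_hello_sent"] = True
        if "TLS Alert" in msg:
            s["alert_sent_by"] = "server" if msg.startswith("Prepared") else "client"
    return s


def verdict(s):
    """Turn the summary into the two questions a practitioner asks first."""
    notes = []
    if s["proposed"] and s["negotiated"] and s["negotiated"] != s["proposed"][0]:
        notes.append("supplicant refused %s and negotiated %s: the client profile is built for %s"
                     % (s["proposed"][0], s["negotiated"], s["negotiated"]))
    if s["tls_started"] and s["alert_sent_by"] == "server" and not s["server_hello_sent"]:
        notes.append("ISE sent the TLS alert right after ClientHello, before any ServerHello: "
                     "the failure is on the ISE side, not a client trust decision")
    elif s["tls_started"] and s["alert_sent_by"] == "client":
        notes.append("the client sent the TLS alert: it rejected the ISE server certificate or chain")
    return notes


if __name__ == "__main__":
    summary = summarise(STEPS)
    print(summary)
    for note in verdict(summary):
        print("-", note)
```

The distinction the second note draws matters for the poster's own question about self-signed ISE certificates: a client that distrusts the ISE certificate shows up as an "Extracted TLS Alert" (the client sent it) after ISE has already logged its ServerHello and certificate; an alert ISE prepares itself before any ServerHello points at the ISE side of the handshake instead.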
I have configured everything for certificate authentication with EAP-TLS in a Windows 2003 AD with an enterprise CA. After joining a machine to the domain I receive a certificate for the computer, then set up XP SP3 to reauthenticate with a period of 120 sec (per the Microsoft KB). I tried two different machines with XP to use EAP-TLS authentication, but without success.
I use "authentication open" on the switch, therefore the machines can communicate with the whole network. Nothing appears in Failed Attempts.csv or Passed Attempts.csv (of course).
Just the RDS.log shows some activity, ending with
NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND repeated
If I change the authentication type to PEAP, which I had not configured on ACS, then a failed attempt log entry is raised: EAP_PEAP Type not configured.
Is it necessary to use http://support.microsoft.com/kb/957931 on Windows XP for machine authentication to succeed?
Please pay attention to the attachments and let me know
what could be the problem with my unsuccessful use of EAP-TLS.
Configuration of the interface which I use for testing:
interface GigabitEthernet0/42
description Test 802.1X klient - Filip
switchport access vlan 34
switchport mode access
switchport voice vlan 31
authentication host-mode multi-domain
authentication open
authentication port-control auto
authentication periodic
authentication violation protect
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
Hi Filip,
Just noticed your post...
In order to use EAP-TLS you should ensure that you have the complete cert chain. I've noticed that EAP-TLS and Service Pack 3 have some compatibility issues, so please try authenticating with a Windows XP SP2 machine.
Microsoft has made some changes in SP3 for wired 802.1X:
Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3
http://support.microsoft.com/kb/949984/
In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
* The WZCSVC service
* The Wired AutoConfig service (DOT3SVC)
As we are using wired authentication, I would suggest you check whether the Wired AutoConfig service is running or not. You can check by manually starting the Wired AutoConfig service:
If you are an end-user who has already installed Windows XP SP3, follow these steps:
1. Click Start, and then click Run.
2. In the Open box, type services.msc, and then press ENTER.
3. Locate the Wired AutoConfig service, right-click it, and then click Start.
Since we are not getting any hits on the ACS for EAP-TLS, it clearly indicates that the supplicant is not sending the access-request...
CERTIFICATE REQUIREMENT IN EAP-TLS:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
ACS CONFIGURATION:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
MICROSOFT XP CLIENT CONFIGURATION:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
As far as PEAP is concerned, where we are getting EAP_TYPE not configured: here you need to enable PEAP-MSCHAPv2 on the ACS > System Configuration > Global Authentication Setup, and check PEAP and EAP-TLS.
Also make sure that your logging is set to full: go to System Configuration > Service Control > check the radio button for FULL > click on Restart.
Also, let me know the full ACS version and platform.
HTH
JK
Do rate helpful posts- -
EAP-TLS on ACS v4 for wireless users
Hi,
I'm trying to deploy the EAP-TLS authentication method on ACS v4.0 for my local wireless users; really, I am stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.
As mentioned in the ACS configuration guide, I have to have a CA server to generate certificates for both ACS and the wireless users, but I found an option on the ACS under the System Configuration tab, then ACS Certificate Setup, to Generate Self-Signed Certificate. I generated a certificate, uploaded a copy to my PC, installed it and followed the recommended steps to configure the Microsoft XP client, but still I got the error "Windows was unable to find a certificate to log you on to the network SSID". Honestly I don't know if this is possible, but I gave it a try and failed.
Kindly advise what the appropriate and easiest way to accomplish the task is; if you could provide me with helpful documents I'll appreciate it.
Regards,
Belal
I am currently using EAP-TLS authentication for my wireless users using ACS 3.2. I have had that problem before. This is what I did...
Set up a Microsoft Certificate server as my CA. You can use the same machine for your ACS and CA.
Then generate a certificate signing request from ACS, request a server certificate from the CA, then copy and install the certificate on ACS. On the ACS, go to Global Authentication Setup and check the EAP-TLS certificate. If it fails to respond, it means that the server certificate is not properly set up.
On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (e.g. http://CAip/certsrv), but this time request a client certificate. The name you put when requesting the cert must be your local Windows user; use 1024, and choose Microsoft Base Cryptographic Provider 1.0. Then install the certificate on the client. Verify that your client certificate was installed properly.
At that point you should be able to connect your wireless client using EAP-TLS. -
Cisco ISE - eap-peap and eap-tls
Hi,
Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?
I don't seem to get that working; I do however make the ISE application crash with my config, which is not the idea.
If PEAP, use this identity source; if TLS, use 'this certificate authentication profile'.
Thx
OK,
so I have just fired up my lab and I actually created an Identity Sequence which contained my AD and my certificate profile.
The authentication policy was allowing EAP-TLS and EAP-PEAP.
I then created 2 authorization rules, 1 for users and 1 for machines, permitting access based on Windows AD group.
What I found out was that the Windows 802.1X supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for user auth you use EAP-PEAP.
In my setup, machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+Alt+Del, so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for the wireless settings.
When the user then logs in, the user account authenticates using EAP-PEAP. I don't think you can authenticate both the logged-on user and the machine at the same time. Not with the native Windows supplicant anyway. Windows either sends an authentication request for the user or the machine, but not both.
Hope that helps.
Mario -
EAP/TLS on PPC2002&WinCE3.0.11171
Hi
I'm trying to configure EAP-TLS on Pocket PC 2002. I installed the necessary Cisco software and it's working fine, but I have a big problem. Windows CE only lets me install certificates with the .cer extension, but with this format I can't export the private key. Is there any solution? Has anybody found this problem?
Thanks for your help
I am currently using EAP-TLS authentication for my wireless users using ACS 3.2. I have had that problem before. This is what I did...
Set up a Microsoft Certificate server as my CA. You can use the same machine for your ACS and CA.
Then generate a certificate signing request from ACS, request a server certificate from the CA, then copy and install the certificate on ACS. On the ACS, go to Global Authentication Setup and check the EAP-TLS certificate. If it fails to respond, it means that the server certificate is not properly set up.
On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (e.g. http://CAip/certsrv), but this time request a client certificate. The name you put when requesting the cert must be your local Windows user; use 1024, and choose Microsoft Base Cryptographic Provider 1.0. Then install the certificate on the client. Verify that your client certificate was installed properly.
At that point you should be able to connect your wireless client using EAP-TLS. -
ThinkVantage Client Security / Fingerprint sensor and Windows 7
hi all
after upgrading to Win7 everything is working fine; the only thing I really miss is the
ThinkVantage Client Security. I just can't use the "Fingerprint sensor" and I can't find a driver for Win7. Can anyone help please?
Elias
Nope.. not yet. I tried many things and nothing works yet..
And I must say .. I really miss it .
But win7 works very nice on this laptop so I can’t complain a lot
Regards -
Trying to implement EAP/TLS using java (as part of RADIUS server)
Hi
This is a cross post since I didn't know which forum to post in!
I'm trying to implement a RADIUS server (EAP/TLS) as part of my master's thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an access point that uses 802.1X. I have created certificates using openssl and imported "cert-clt.p12" and "root.pem" to a laptop trying to connect to the access point. On the server side I imported "cacert.pem" and "cert-srv.der" using keytool into a keystore. In my code I read the keystore and create the SSLEngine with the following code:
    // at the top of the class file:
    // import java.io.FileInputStream;
    // import java.nio.ByteBuffer;
    // import java.security.KeyStore;
    // import javax.net.ssl.*;

    // Key store: must contain a PrivateKeyEntry (server certificate plus its private key)
    KeyStore ksKeys = KeyStore.getInstance("JKS");
    ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ksKeys, passphrase);

    // Trust store: the CA certificates that client certificates must chain to
    KeyStore ksTrust = KeyStore.getInstance("JKS");
    ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    tmf.init(ksTrust);   // was tmf.init(ksKeys): the trust store loaded above was never used

    sslContext = SSLContext.getInstance("TLS");
    sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

    sslEngine = sslContext.createSSLEngine();
    sslEngine.setUseClientMode(false);   // we are the EAP-TLS server side
    sslEngine.setNeedClientAuth(true);   // EAP-TLS: the client certificate is mandatory
    // setWantClientAuth(true) was also called here; it overrides setNeedClientAuth and
    // makes the client certificate optional, so it has been removed
    sslEngine.setEnableSessionCreation(true);

    appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
    appBuffer.clear();
    netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
    netBuffer.clear();
All I want to do with TLS is a handshake.
I'm not talking SSL over sockets; instead I receive and send all TLS data encapsulated in EAP packets that are encapsulated in RADIUS packets. I start off by sending TLS-Start, upon which I receive TLS data. I handle it with the following code:
    SSLEngineResult result = null;
    SSLEngineResult.HandshakeStatus hsStatus = null;
    if (internalState != EAPTLSState.Handshaking) {
        if (internalState == EAPTLSState.None) {
            // first EAP-Response carries the peer identity, not TLS data
            TLSPacket tlsPacket = new TLSPacket(packet.getData());
            peerIdentity = tlsPacket.getData();
            internalState = EAPTLSState.Starting;
            try {
                sslEngine.beginHandshake();
            } catch (SSLException e) {
                e.printStackTrace();
            }
            return;   // nothing to unwrap yet; the caller answers with EAP-TLS Start
        } else if (internalState == EAPTLSState.Starting) {
            internalState = EAPTLSState.Handshaking;
            try {
                sslEngine.beginHandshake();
            } catch (SSLException e) {
                e.printStackTrace();
            }
        }
    }
    // feed the TLS bytes carried in this EAP-Response to the engine
    TLSPacket tlsPacket = new TLSPacket(packet.getData());
    netBuffer.put(tlsPacket.getData());
    netBuffer.flip();
    while (true) {
        hsStatus = sslEngine.getHandshakeStatus();
        if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
            Runnable task;
            while ((task = sslEngine.getDelegatedTask()) != null) {
                new Thread(task).start();
            }
        } else if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
            try {
                result = sslEngine.unwrap(netBuffer, appBuffer);
            } catch (SSLException e) {
                e.printStackTrace();
            }
        } else {
            return;
        }
    }
When I try to send data I use the following code:
    SSLEngineResult.HandshakeStatus hsStatus = null;
    SSLEngineResult result = null;
    // netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
    netBuffer.clear();
    while (true) {
        hsStatus = sslEngine.getHandshakeStatus();
        if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
            Runnable task;
            while ((task = sslEngine.getDelegatedTask()) != null) {
                new Thread(task).start();
            }
        } else if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
            try {
                // dummyBuffer: empty application buffer; only handshake records are produced
                result = sslEngine.wrap(dummyBuffer, netBuffer);
            } catch (SSLException e) {
                e.printStackTrace();
            }
        } else {
            if (result != null && result.getStatus() == SSLEngineResult.Status.OK) {
                // note: bytesProduced() counts only the last wrap(); netBuffer.position()
                // holds the total written by all wrap() calls in this loop
                int size = Math.min(result.bytesProduced(), this.MTU);
                byte[] tlsData = new byte[size];
                netBuffer.flip();
                netBuffer.get(tlsData, 0, size);
                TLSPacket tlsPacket = new TLSPacket((byte) 0, tlsData);
                if (size < result.bytesProduced()) {
                    tlsPacket.setFlag(TLSFlag.MoreFragments);
                }
                return new EAPTLSRequestPacket(ID,
                        (short) (tlsPacket.getData().length + 6),
                        stateMachine.getCurrentMethod(), tlsPacket);
            } else {
                return null;
            }
        }
    }
After I sent TLS-Start I receive data and manage to process it, but when then trying to produce TLS data I get the following error:
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
Any help would be most gratefully received; if there are any questions or anything is unclear, please let me know.
To add some additional information, here is a debug output.
Before this I have sent a TLS-Start packet, and this is when I receive new information and then try to create the answer:
[Raw read]: length = 5
0000: 16 03 01 00 41 ....A
[Raw read]: length = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-2, READ: TLSv1 Handshake, length = 65
*** ClientHello, TLSv1
RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 41, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198, 50, 201 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods: { 0 }
[read] MD5 and SHA1 hashes: len = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-5, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
Thread-5, WRITE: TLSv1 Alert, length = 2
Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:153)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
... 1 more
I am developing a simple client/server SSL app using SDK 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?
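The debug output above contains what is needed to explain the error. The ClientHello offers eleven suites, all of them RSA or DHE_DSS key exchange, and the frame named in the stack trace, ServerHandshaker.chooseCipherSuite, keeps a suite only if the KeyManager can return a private key of the type that key exchange needs. A keystore populated with `keytool -import` of cert-srv.der holds that certificate as a trustedCertEntry without a private key, so the server-side candidate list is empty whatever the client offers, and the intersection is "no cipher suites in common". The following is an added example, not the poster's code and not JSSE's: it parses the record from the [Raw read] dump and models the server-side choice for several key types.

```python
"""Parse the ClientHello from the [Raw read] dump above and model why a
server with no usable private key reports 'no cipher suites in common'.

Added example, not code from the post. CLIENT_HELLO is the 70-byte record
copied from the poster's debug output (5-byte record header + 65-byte
handshake message). SUITES names only the eleven codes that ClientHello
offers, with the private-key type each key exchange needs.
choose_cipher_suite is a simplified model of JSSE's server-side selection.
"""
import struct

CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 41 "
    "01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 "
    "C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 "
    "D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 "
    "09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 "
    "00"
)

# code -> (JSSE name, private-key type the server must hold to use it)
SUITES = {
    0x0004: ("SSL_RSA_WITH_RC4_128_MD5", "RSA"),
    0x0005: ("SSL_RSA_WITH_RC4_128_SHA", "RSA"),
    0x000A: ("SSL_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x0009: ("SSL_RSA_WITH_DES_CBC_SHA", "RSA"),
    0x0064: ("SSL_RSA_EXPORT1024_WITH_RC4_56_SHA", "RSA"),
    0x0062: ("SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA", "RSA"),
    0x0003: ("SSL_RSA_EXPORT_WITH_RC4_40_MD5", "RSA"),
    0x0006: ("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "RSA"),
    0x0013: ("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "DSA"),
    0x0012: ("SSL_DHE_DSS_WITH_DES_CBC_SHA", "DSA"),
    0x0063: ("SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", "DSA"),
}


def parse_client_hello(record):
    """Decode one TLS record carrying a ClientHello (RFC 2246 layout)."""
    ctype, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a Handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 1:
        raise ValueError("not a ClientHello")
    h = body[4:4 + hs_len]
    client_version = (h[0], h[1])
    random = h[2:34]                       # gmt_unix_time + 28 random bytes
    pos = 34
    sid_len = h[pos]
    pos += 1
    session_id = h[pos:pos + sid_len]
    pos += sid_len
    suites_len = struct.unpack("!H", h[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", h[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = h[pos]
    pos += 1
    compression = list(h[pos:pos + comp_len])
    pos += comp_len
    return {
        "record_version": (major, minor),
        "client_version": client_version,
        "random": random,
        "session_id": session_id,
        "cipher_suites": suites,
        "compression": compression,
        "extensions": h[pos:],             # empty here: a TLS 1.0 hello without extensions
    }


def choose_cipher_suite(offered, server_key_types, server_enabled=frozenset(SUITES)):
    """First suite in client order that the server enables AND can back with a
    private key of the right type. With no private key at all (a keystore of
    trustedCertEntry items only) server_key_types is empty and nothing matches."""
    for code in offered:
        name, key_type = SUITES.get(code, (None, None))
        if name and code in server_enabled and key_type in server_key_types:
            return code
    return None


def suite_names(codes):
    return [SUITES.get(c, ("unknown_%04x" % c, None))[0] for c in codes]


if __name__ == "__main__":
    hello = parse_client_hello(CLIENT_HELLO)
    print("client version", hello["client_version"], "offers", suite_names(hello["cipher_suites"]))
    for keys in (set(), {"RSA"}, {"DSA"}, {"EC"}):
        pick = choose_cipher_suite(hello["cipher_suites"], keys)
        print("server keys", sorted(keys) or "none", "->",
              suite_names([pick])[0] if pick else "no cipher suites in common")
```

The practical check is `keytool -list -v -keystore FeebeeCommunity.keystore`: the server certificate must show "Entry type: PrivateKeyEntry", not "trustedCertEntry". If it does not, build a PKCS#12 from the OpenSSL key and certificate (`openssl pkcs12 -export -inkey key-srv.pem -in cert-srv.pem -out cert-srv.p12`; the file names are assumptions) and bring it in with `keytool -importkeystore -srckeystore cert-srv.p12 -srcstoretype PKCS12 -destkeystore FeebeeCommunity.keystore`, using an RSA or DSA key since those are the only key exchanges this client offers. The RC4, DES and export suites in that list are long obsolete; a current supplicant offers none of them, so the same "no cipher suites in common" can also mean a modern client meeting a server restricted to these.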