EAP-TLS error .........failed SSL/TLS handshake because of an unknown CA in client certificate chain
Hi,
I am using 802.1x and EAP-TLS as authentication protocol. The clients are not able to pass the authentication the error log on ACS is
Authentication failed: EAP-TLS handshake failed SSL/TLS handshake because of an unknown CA in the client certification chain.
I have installed certificates on the WLC and ACS, however authentication is unsuccessful.
Can anybody help regarding this issue.
Hi Sandeep,
Web auth certificate is defult certificate in wlc but you can also use your own(3rd party).
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.html
Virtual interface : This interface handles any mobility management, VPN Termination, Web authentication, and is also a DHCP relay for WLAN clients.
Yes its interconnected, the purpose for this entry is so that the controller knows the name of the of the certificates to virtual address translation.
1. Guest Client go to google.com
2. Client goes to DNS (the one its is assign in DHCP)
3. DNS resolves the DNS for google.com
4. Client then attempts to go to google.com
5. Controller intercepts GET and replaces it with a 1.1.1.1
6. Controller then takes the 1.1.1.1 and translates this to the DNS name to negat the (accpet this cert screen)
7. DNS then gets resolve to the name (example guest.xxx.com)
8. Controller presents the guest screen
Hope it helps.
Regards
Dont forget to rate helpful posts
Similar Messages
-
Hello, I´m stucked with this problem for 3 weeks now.
I´m not able to configure the EAP-TLS autentication.
In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
The ISE´s certificate has been issued with the "server Authentication certificate" template.
The clients have installed the certificates also the certificate chain.
When I try to authenticate the wireless clients I allways get the same error: " Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
and "OpenSSLErrorMessage=SSL alert
code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack= 1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
I don´t know what else can I do.
Thank you
JorgeHi Rik,
the Below are the certificate details
ISE Certificate Signed by XX-CA-PROC-06
User PKI Signed by XX-CA-OTHER-08
In ISE certificate Store i have the below certificates
XX-CA-OTHER-08 signed by XX-CA-ROOT-04
XX-CA-PROC-06 signed by XX-CA-ROOT-04
XX-CA-ROOT-04 signed by XX-CA-ROOT-04
ISE certificate signed by XX-CA-PROC-06
I have enabled - 'Trust for client authentication' on all three certificates
this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
when i check the certificates of current user in the Client PC this is how it shows.
XX-CA-ROOT-04 is listed in Trusted root Certification Authority
and XX-CA-PROC-06 and XX-CA-OTHER-08 are in Intermediate Certificate Authorities -
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
Hi guys,
I have root CA and intermediate CA in ISE local certificate store trusted for client authentication.
I have imported both root ca and client certificate in the device I want to authenticate, but ISE keeps spitting out this error :
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificateRefer the link for troubleshooting in page no 22 the issue is mentioned, check it: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_81_troubleshooting_failed_authc.pdf
-
Error: "failed to load book because the requested resource is missing"
I book a book via the iPad. The book appeared in my library no problem with the "new" tag and stuff, but when I tap it to read I get an error "failed to load book because the requested resource is missing." Any ideas? I'm on the road, so I haven't synced or backed up or anything..
I've also verified that I have a good connection, etc. I'm able to hit the "store" button and browse the store no prob, as well as web, etc.
Any thoughts?I believe I may have the answer to these many concerns.
When a book is over 20 or so megs, iBook will sometimes make an attempt to download on the iPad (when it should not). This causes problems. Perhaps the one you are experiencing. Therefore you have to wait until you are on a wifi connection before purchasing dictionary-like books. But if you've already made the mistake of downloading, theres no guarantee wifi will correct this.
What worked for me (like others have already mentioned) is that if you have an iphone or touch you can download it from there, sync with your computer and sync your iPad later. The book(s) will transfer just fine as long as you have this enabled on your devices.
Initially this didn't work for me because in my frustration with a prior issue I took the liberty to create another iTunes account. Therefore iPad purchases were not visible on my phone. So be sure to have the same accounts activated on your devices and iTunes.
Yet even further diagnostics may need to be explored as I'm still prompted to provide my password every time i open iBooks (as if the download is still pending). Kinda afraid to revert to factory settings over a small issue. In the coming update Apple should fix these problems altogether. Hope this helps! -
Hi,
I'm working with Adobe Illustrator CS3 for Mac and suddenly the software started to prompt "The operation cannot complete because of an unknown error. [CANT]". I deleted my prefs and the problem is still present.
Some times the machine freezes after this error.
I'm performing normal operations, nothing that requieres large amounts of memory or so.
The problem only happens in Illustrator.
Any possible solution?
thanks in advance.I have a MacBook Pro 15" 2.2 GHz. My hard drive has 50% of free space (80GB free)
It was defragmented 2 months ago. No reports from SMART or any issues with directory. (tested with Drive Genius and Disk Warrior)
I read in several posts about problem with scratch discs. My system has only one partition.
Hope this info might be helpful. -
SSL (https) set up in ABAP - pop-up Request Client Certificate
Hi,
We just configured SSL in ABAP. Accessing the website that the certificate is assigned to results in a pop-up appearing in IE7 that states:
The website you want to view requests identification. Please choose a certificate, with a blank screen.
Can the server be set so that it does not prompt for the client certificate?
Thanks, NeetaYou will have to check the specific service (probably in SICF) to see if the Logon Procedure is set to 'Required with Client Certificate (SSL).' Is this for a BSP page?
Hope that helps.
J. Haynes -
ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake after a client alert
Hello,
Has anyone come across this error code before? I have looked in the 1.1.1 troubleshooting section and there is nothing there. When I click on the link for the description off the error in ISE I get the following error:
I setup 7925 phones for EAP-TLS using MIC. I have uploaded Cisco's Root CA and Manufactoring CA Certificates and enabled "Trust for client authentication". A Certificate Profile is configured matching Common Name and is added to the Identity Sequence. I got some additional attribute information, where there is a error message:
OpenSSLErrorMessage=SSL alert code=0x233=563 ; source=remote ; type=fatal ; message="decrypt error"
Anyone know what this error means?Yes,
That could be it see if you can follow this guide on importing the ISE self signed cert: (i used a 7921 guide but it should be similar).
http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/7_0/english/administration/guide/7921cfgu.html#wp1376129
Installing the Authentication Server Root Certificate
The Authentication Server Root Certificate must be installed on the Cisco Unified Wireless IP Phone 7921G.
To install the certificate, follow these steps:
Step 1 Export the Authentication Server Root Certificate from the ACS. See Exporting Certificates from the ACS.
Step 2 Go to the phone web page and choose Certificates.
Step 3 Click Import next to the Authentication Server Root certificate.
Step 4 Restart the phone.
Thanks,
Tarik Admani
*Please rate helpful posts* -
EAP-TLS PEAP FAIL DURING SSH HANDSHAKE
Hi Pros,
I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
When I check my log in the failed attemps, there is what I found:
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
Network Access Profile Name
Authen-Failure-Code
Author-Failure-Code
Author-Data
NAS-Port
NAS-IP-Address
Filter Information
PEAP/EAP-FAST-Clear-Name
EAP Type
EAP Type Name
Reason
Access Device
Network Device Group
06/23/2010
17:39:51
Authen failed
000e.9b6e.e834
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1101
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Networ
06/23/2010
17:39:50
Authen failed
[email protected]
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1098
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Network
[email protected]
= my windows active directory name
1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
2. Why sometimes it just shows the MAC of the client for username?
3. Why it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
2. Secondly, When I check in pass authentications... there is what i saw
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
NAS-Port
NAS-IP-Address
Network Access Profile Name
Shared RAC
Downloadable ACL
System-Posture-Token
Application-Posture-Token
Reason
EAP Type
EAP Type Name
PEAP/EAP-FAST-Clear-Name
Access Device
Network Device Group
06/23/2010
17:30:49
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
06/23/2010
17:29:27
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did check ENABLE EAP-TLS machine authentication.
Thanks in advance for your help,
Crazy---I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
Hope this helps. -
Hi Everyone,
Has anyone else encountered this error when trying to spell check? Is there a way around it?Hey,
I had the same problem any time I tried to open .svg files. I resaved the files as .eps and they opened without issue. -
ISE EAP SSL/TLS Tunneling Certificates
Hi,
I am working on an ISE implementation that is going to perform authentcation accross several domains using LDAP. The domains that I have in my environment are a production and pre-production/testing domains. Currently my ISE appliances are joined to the production AD and are using certificates from the CA in our production AD. The problem I am having is I can only assign one Local Certificate for use for SSL/TLS tunneling for EAP authentcations. This means that when I try and authenticate a device that is not part of the production active directory (pre-production), using the seperate LDAP instance as an identity store, its attempting to create a tunnel using a cert that is not from the pre-production CA, and thus fails with the following error...
Authentication failed :
12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
This is because the device built in pre-production does not have the production CA's as trusted entites. My question is, is it possible to define multiple certificates from seperate CA's for use for SSL/TLS tunneling?
CheersHello,
This error means that the supplicant does not trust the ISE PSN certificate.
Resolution:
Check whether the proper server certificate is installed and configured for EAP
by going to the Local Certificates page (Administration > System > Certificates > Local Certificates ).
Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more
information. -
Hello all,
I'm a beginner in JavaMail, I have several question, can I use following case:
SMTP + TLS + Authentication
SMTP + TLS + without Authentication
SMTP + Authentication + without TLS
and
SMTP + SSL + TLS + Authentication
SMTP + SSL + TLS + without Authentication
SMTP + SSL + Authentication + without TLS
Because I have the following code, it's correctly work for send a mail with returned Transporter, but no with SMTP only, SMTP + SSL, SMTP + SSL + TLS.
I have the following exception for example:
javax.mail.MessagingException: Exception reading response;
nested exception is:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
Can you give me use properties and means to correctly use SSL and TLS ?
Great thank !
Best regards
Adryen
public static Transport getConnectedTransportForSending(String smtpServer, String username, String password, SmtpServerType protocolSec) throws MessagingException {
Session session = null;
Boolean isWithAuth = (username != null && !username.equals("")) && (password != null && !password.equals(""));
Properties props = new Properties();
String prefixMailSmtp = "mail.smtp";
if (SmtpServerType.SSL.equals(protocolSec)) {
//prefixMailSmtp += "s";
useSSL(props, prefixMailSmtp);
// props.put("mail.transport.protocol", "smtps");
props.put(prefixMailSmtp+".port", "587");
} else if (SmtpServerType.SSLTLS.equals(protocolSec)) {
//prefixMailSmtp += "s";
useSSL(props, prefixMailSmtp);
useTLS(props, prefixMailSmtp);
//props.put("mail.transport.protocol", "smtps");
props.put(prefixMailSmtp+".port", "587");
} else if (SmtpServerType.TLS.equals(protocolSec)) {
useTLS(props, prefixMailSmtp);
//props.put("mail.transport.protocol", "smtp");
props.put(prefixMailSmtp+".port", "25");
} else {
props.put(prefixMailSmtp+".port", "25");
//props.put("mail.transport.protocol", "smtp");
props.put(prefixMailSmtp+".socketFactory.fallback", "false");
if (smtpServer != null) {
props.put(prefixMailSmtp+".host", smtpServer);
if (isWithAuth) {
Authenticator auth = new ServerAuthenticator(username, password);
props.put(prefixMailSmtp+".auth", "true");
session = Session.getInstance(props, auth);
} else {
session = Session.getInstance(props, null);
Transport transporter = session.getTransport("smtp");
transporter.connect(smtpServer, username, password);
return transporter;
private static void useSSL(Properties props, String prefixMailSmtp){
props.put(prefixMailSmtp+".socketFactory.port", "587");
props.put(prefixMailSmtp+".socketFactory.class", "javax.net.ssl.SSLSocketFactory");
props.put("mail.smtp.ssl.enable", "true");
private static void useTLS(Properties props, String prefixMailSmtp){
props.put(prefixMailSmtp+".starttls.enable", "true");
public static class ServerAuthenticator extends Authenticator {
private PasswordAuthentication authentication;
public ServerAuthenticator(String username, String password) {
authentication = new PasswordAuthentication(username, password);
@Override
protected PasswordAuthentication getPasswordAuthentication() {
return authentication;You can simplify your code by getting rid of the socket factory stuff.
If you connect using SSL to begin with, there's no need to use "TLS" (by which I assume you mean the STARTTLS command that switches a plain text connection to an SSL/TLS connection).
And of course whether you're required to use SSL or required to use STARTTLS or required to authenticate depends entirely on the configuration of the mail server. -
"Operation cannot be completed because of an unknown error." [CANT]
This started happening with my Illustrator CC - everytime I start the program, it has the error "OPERATION CANNOT BE COMPLETED BECAUSE OF AN UNKNOWN ERROR. [CANT]"
Anyone else have this same issue?
Have the 2014 Macbook Pro w Retina Display | Yosemite
Any advice is greatly appreciated.
Thanks!Did you migrate the application or do a clean install? The more recent Adobe products don"t do well with migration. Uninstall, run the cleaner tool and reinstall is the usual remedy.
-
2-way SSL and access control using the client certificate
Hi,
I'd like to configure WLS 8.1 so that the server will use the client identity extracted from the client certificate to determine whether permissions should be granted. I am having some problems.
Details: The client can be either a Web service or a web application. The steps for authentication and authorization should be:
- The client sends a request to an Apache server (DMZ) which will then be forwarded to WLS.
- The client's identity, common name from the X.509 certificate, is mapped to the "username" (using WLS default identity assertion provider).
- Validate whether the client should be trusted (via the list in the trusted credentials)
- Check whether the resource should be granted based on the "username".
The on-line manual says
"If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires that the Web browser or Java client have an identity."
"The user corresponding to the Subject's Distinguished Name (SubjectDN) attribute in the client's digital certificate must be defined in the server's security realm; otherwise the client will not be allowed to access a protected WebLogic resource. For information on configuring users on the server, see Creating Users in Managing WebLogic Security."
So the questions I have are:
- If the client identity is certificate based, why should we configure users with the "user name" and "password"? How can we get around it?
- Once I defined the security condition for my app to use "user name of the caller," a default username and password prompt automatically popped up.
Apparently, the SSL mutual authentication configuration and the default authentication provider to use the X.509 type didn't take any effect.
- Without defining the security policy for the application, the debugging messages show that
getRoles(): input arguments: subject:0
Entitlement - <Role:Annonymous with expr:Grp(everyone)>
Any suggestions? Thanks.Hi,
I am trying to use 2 way ssl using webservices client , here is my code :
AxisProperties.setProperty("org.apache.axis.components.net.SecureSocketFactory","org.apache.axis.components.net.SunFakeTrustSocketFactory");
SSLAdapterFactory factory = SSLAdapterFactory.getDefaultFactory();
WLSSLAdapter adapter = (WLSSLAdapter) factory.getSSLAdapter();
// clientCredentialFile stores in PEM format the public key and
// all the CAs associated with it + then the private key. All this in // a concatenated manner
FileInputStream clientCredentialFile = new FileInputStream ("C:\\sslcert\\client-pub3.pem");
// private key password
String pwd = "password";
adapter.loadLocalIdentity(clientCredentialFile, pwd.toCharArray());
adapter.setVerbose(true);
adapter.setTrustedCertificatesFile("C:\\certificate\\server\\server.jks");
adapter.setStrictCheckingDefault(false);
factory.setDefaultAdapter(adapter);
factory.setUseDefaultAdapter(true);
boolean idAvailability = false;
UNSLocator locator = new UNSLocator();
URL portAddress = new URL("https://localhost:7002/smuSSWeb/UNSResponse.xml");
UNSPort unsprt = locator.getUNSPort(portAddress);
idAvailability = unsprt.isIDAvailable("Yulin125", "C");
System.out.println("Got from method :"+idAvailability);
After runing this code i am getting the following exception :
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: java.net.SocketException: Software caused connection abort: socket write error
faultActor:
faultNode:
faultDetail:
I am using .pem (clientsigned,clientinter,clientroot, root-key) files for client authentication and i am using server.jks as a keystore for my server authentication.Once i run this code , i am able to present the server certificate chain to the client but i am not able to present the client certificate chain to server.
I am stuck with for quite sometime.
Some insight needed from the guru's -
Hi, experts
I'm trying to configure a lab environment according tutorial http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/rights-management-server-exchange-2010-part3.html
After completing configuration, I execute cmdlet Set-IRMConfiguration -InternalLicensingEnabled $true, but get error
The remote certificate is invalid according to the validation procedure. ---> The underlying connection was closed: Cou
ld not establish trust relationship for the SSL/TLS secure channel. ---> Failed to get Server Info from https://exhv-65
94/_wmcs/certification/server.asmx.
+ CategoryInfo : InvalidOperation: (:) [Set-IRMConfiguration], Exception
+ FullyQualifiedErrorId : C810E449,Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration
Then I run cmdlet Test-IRMConfiguration -Sender [email protected] and get error
Results : Checking Exchange Server ...
- PASS: Exchange Server is running in Enterprise.
Loading IRM configuration ...
- PASS: IRM configuration loaded successfully.
Retrieving RMS Certification Uri ...
- PASS: RMS Certification Uri: https://server1/_wmcs/certification.
Verifying RMS version for https://server1/_wmcs/certification ...
- WARNING: Failed to verify RMS version. IRM features require AD RMS on Windows Server 2008 SP2 with the
hotfixes specified in Knowledge Base article 973247 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=973247)
or AD RMS on Windows Server 2008 R2.
Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to get Server Info from https:
//server1/_wmcs/certification/server.asmx. ---> System.Net.WebException: The underlying connection was clos
ed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authenticatio
n.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest async
Request, Exception exception)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
Request)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
Request)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
Request)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequ
est asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Obje
ct state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.Exchange.Security.RightsManagement.SOAP.Server.ServerWS.GetServerInfo(ServerInfoRequest[] req
uests)
at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
--- End of inner exception stack trace ---
at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.ValidateRmsVersion(Uri uri, Se
rviceType serviceType)
at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
OVERALL RESULT: PASS with warnings on disabled features
From the error message, this issue seem to related with SSL/TLS connection. So I go back to check configuration and find out a difference to tutorial. Current SCP url is https://server1/_wmcs/certification, but in tutorial it is https://server1:433/_wmcs/certification.
On my opinion, I don't think it is the real reason.
So, how can I resolve this error? Could you give me some suggestion? Thanks in advance.
System Info:
Windows Server 2008 R2 + Exchange Server 2010 SP3 RTMHi
Please have a try with the solution on this KB article
“Error message when you try to test access from the Microsoft Dynamics CRM E-mail Router: "Incoming Status: Failure - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel"”
http://support.microsoft.com/kb/954584/en-us
Cheers
Zi Feng
TechNet Community Support -
EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.
Hello,
I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).
The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.
While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE.
Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.
What was done:
- set up freeradius with EAP-TLS configuration, trusting both cisco CA root and manufacturing root.
- freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)
- Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)
What I can see while running a wireshark trace on freeradius is:
- both parties negotiate properly that they will engage in EAP-TLS.
- they start the TLS handshake
- Server sends its certificate on a Server Hello to the phone (which is meant to not validate it)
- Client (phone) never sends its certificate (MIC) to the server.
- Client restarts EAP-TLS negotiation and goes on and on.
Unfortunately the debugs/Captures on freeradius do not allow to verify if the server certificate exchange is finished, or if it is failing somewhere (like a fragment being dropped).
Does anyone have an idea on what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than one on a ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.
Phone firmware is 9.2(3) and callmanager 8.6
Thanks
Gustavo NovaisFound the problem. Apparently ADU can't access certificate store if client is not part of the AD domain
Maybe you are looking for
-
ICal 2.0.5 and iOS 4.1 vs. MobileMe
I have a PPC iMac G5 running OS 10.4.11 and utilizing iCal 2.0.5. These are the latest versions of the respective software that this computer can run. I recently paid for a family MobileMe account in the hopes of coordinating my calendars and contact
-
IDVD creating disk image larger than it should be.
I exported an iMovie to iDVD and set up the dvd using one of the supplied themes. I checked the disk info to make sure it will fit the DVD-R. The program says my file should be about 3.9 Gigs. The disk burn was incomplete so I tired to create a disk
-
I want to show an alert, then when it times out, display a menu of choices (the "main menu"). Problem is, the alert never displays; the menu immediately pops up so they never get a chance to see the alert message. How do I get the alert to wait it's
-
How to set Statistical wbs element?
hi,everyone. i'm a green hand in PS. i know Statistical wbs element is different from normal wbs element from you guys. but i don't know how to set a Statistical wbs element, i mean how to make a normal wbs element become a Statistical wbs element?
-
How refresh a child level of an hgrid ?
Hello all. I have a screen with an hgrid with 2 levels (father/child). So one VO for each and a VL between the two. This hgrid is populated when the user click on a search button (with parameters...) It Works. When I click on a father, i can create a