EAP-TLS not working

Hello,
I have deployed PEAP and it is working well, but I am not able to make EAP-TLS work. I've followed the deployment guide from Cisco. I can't see anything in the ACS log, and with a debug radius on the AP I can only see a loop sending Access-Request and Access-Challenge all the time. I can't see the exchange of certificates between the ACS and the supplicant. I have XP SP2 installed; maybe a problem with SP2?
Should I issue the client certificate to the same person who is actually logged in to the machine? Should I put a domain in the supplicant?
I'm using ACS database authentication.
If you need more info please let me know.
Thanks,
Ruben

Similar Messages

  • EAP-TLS not working on WinXP client, but does work on W2k?

    Hi
    So I've got EAP-TLS set up using a W2K IAS server as RADIUS, a W2K certificate server and Cisco 1100 APs. I've got computer certs on four notebooks, of which 2 are W2K and the other two are XP. On the W2K PCs I am able to pop in my wireless 350 card and get an IP before logging in (as seen via the DHCP server), and then once logged in, the user cert is used to further authenticate and remain connected to the network (as seen via the IAS logs). Yet when I try to pop in my wireless card on the XP PCs, I get no IP address and nothing ever shows up in the IAS logs... the 1100 AP says that it's associated but nothing more. Does anyone have any ideas? Thanks
    Jason

    Jason,
    Can you authenticate from the XP clients using LEAP or something other than EAP-TLS?
    If not I would look at upgrading the 350 card drivers on the XP machines to the latest.
    I have had problems before using the CardBus PCMCIA adapters on XP; when I installed the latest drivers it worked.
    Let me know how you get on.
    Rgds,
    Paddy

  • EAP-TLS not working with IOS 4.1

    Hello,
    I've got a lot of iPhones in my enterprise.
    I've configured them by installing a user certificate and authenticating on the wireless network using EAP-TLS mode, choosing the user certificate and giving the username, and it was working.
    Sometimes "can't connect to network" appeared, but after a lot of tries, it worked.
    When the network is configured, it's working all the time.
    Since 4.1.3, I can't configure this network; I can't approve my RADIUS server certificate (so I don't manage to authenticate to the server).
    I've already tried to put my root CA certificate on the iPhone; it doesn't change anything (it should be trusted! All server certificates are from this CA).
    I've tried to preconfigure this wireless network with the iPhone Configuration Utility; not working.
    iPhone 3GS, iPhone 4 since iOS 4.1.3

    Here is the dump log obtained via the iPhone Configuration Utility, with the certificate deployed but the configuration done manually:
    Oct 14 15:40:41 unknown wifid[29] <Error>: WiFi:[340292441.191866]: Processing link event UP
    Oct 14 15:40:41 unknown kernel[0] <Debug>: AppleBCMWLANCore::setDISASSOCIATE() [wifid]:
    Oct 14 15:40:41 unknown kernel[0] <Debug>: AppleBCMWLANCore::setASSOCIATE() [wifid]:  lowerAuth = AUTHTYPE_OPEN, upperAuth = AUTHTYPE_WPA2_8021X, key = CIPHER_NONE    , 802.1X .
    Oct 14 15:40:41 unknown kernel[0] <Debug>: [6225.861292541]: AppleBCMWLANNetManager::prepareToBringUpLink(): Delaying powersave entry in order to get an IP address
    Oct 14 15:40:41 unknown kernel[0] <Debug>: AppleBCMWLAN Joined BSS:     @ 0xc0befa00, BSSID = 00:15:70:e6:6d:90, rssi = -41, rate = 54 (100%), channel =  1, encryption = 0x8, ap = 1, failures =   0, age = 9, ssid[11] = "TAO_Employe"
    Oct 14 15:40:41 unknown kernel[0] <Debug>: AirPort: Link Up on en0
    Oct 14 15:40:41 unknown kernel[0] <Debug>: en0: BSSID changed to 00:15:70:e6:6d:90
    Oct 14 15:40:41 unknown eapolclient[410] <Notice>: eaptls_verify_server: server certificate not trusted, status 3 0
    Oct 14 15:40:41 unknown Preferences[101] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: User Information required
    Oct 14 15:40:41 unknown Preferences[101] <Warning>: -[APOtherNetworkController keyboardWillShow:]
    Oct 14 15:40:42 unknown kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Oct 14 15:40:43 unknown Preferences[101] <Warning>: -[VPNBundleController _vpnConfigurationChanged:] (0x278960:<VPNBundleController: 0x278960>): _serviceCount(3), serviceCount(3), toggleInRootMenu(0), RootMenuItem(1)
    Oct 14 15:40:45 unknown wifid[29] <Error>: WiFi:[340292445.893128]: Already associating, will not queue request.
    Oct 14 15:40:46 unknown UserEventAgent[12] <Warning>: Unable to cancel system wake for 2011-10-14 15:40:31 +0200. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
    Oct 14 15:40:51 unknown kernel[0] <Debug>: [6235.874083208]: AppleBCMWLANNetManager::handleDelayedPowerManagementTimeout(): Timed out waiting for IP address, entering powersave mode: 2

  • TLS not working with Openssl Certs

    Hi, I have been struggling with a certificate problem for about two weeks now with no joy. Almost all the forums, tutorials and examples etc. I have tried are simply not working. Without fail I get the following exception or similar:
    [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]
    Basically I know I have a valid certificate, because when I use an LDAP client with just the self-generated cacert.pem there are no problems and a TCP dump shows the encrypted data.
    My setup is as follows: I have an OpenLDAP server running on Debian. I generated my own certificates as per: http://www.openldap.org/faq/data/cache/185.html
    All I want to do now is import these generated certs/keys with keytool, and be able to use them with TLS.
    When importing the certs via Java LDAP browsers they work fine, but as soon as I try to use my own TLS client like the StartTLS.java sample provided by the Java tutorial I get the above exception. I'm probably missing some piece of the puzzle.
    Please, if anyone else knows how to set this up correctly using the certs I have generated via the OpenLDAP example above, I would really appreciate your help. There are a lot of examples pertaining to app servers etc. but nothing I could find to talk to OpenLDAP.
    regards
    ed

    On a similar occasion I extended javax.net.ssl.X509TrustManager and, when creating the connection, I first initialized the SSL context with that trust manager.
    Something like:
    import javax.net.ssl.*;
    SSLContext sslContext = SSLContext.getInstance("SSLv3");
    MyTrustManager tm = new MyTrustManager(....); // your own X509TrustManager implementation
    TrustManager[] tms = {tm};
    sslContext.init(null, tms, null);
    // Or do the equivalent on your corresponding TLS connection class; do this before opening any HTTPS or similar TLS connection.
    HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
    In case that does not get you further, post a stack trace and your settings.

  • WPA2-Enterprise TLS not working in iOS 5

    We have over 200 iPhones on our corporate Wi-Fi network. We started having calls from our users saying that their Wi-Fi is not working anymore since they upgraded to iOS 5. It was working fine with previous versions of iOS. We are using WPA2-Enterprise with TLS authentication. We were able to reproduce the issue. With my iPad, I'm not able anymore to connect to our corporate Wi-Fi on both vendors we use (Cisco and Motorola). The SSID was hidden; we tried to broadcast it with no change. The only thing both vendors share is the TLS authentication for the WPA2 auth. Can anyone help us?

    I had to:
    1) connect the iPad with a cable and enable the "sync via Wi-Fi" option.
    2) eject the iPad
    3) restart the Mac
    attempt sync --- FAILED
    After looking at my set-up, the Mac (or PC) must be connected to the same wireless connection. My router has dual band capability: one connection is 2.4 GHz with one name, and 5 GHz with another name. Even though ALL the computers have the same workgroup name, Wi-Fi sync would not work unless they were all on the same wireless connection (same SSID). Go figure. Once my Mac was connected to the 2.4 GHz SSID, Wi-Fi sync worked fine.

  • IPAD 802.1x EAP-GTC not working

    I am trying to connect to Wi-Fi enterprise 802.1x RSA 802.11agn (WPA2, AES-CCMP, PEAPv1 (EAP-GTC)).
    Our setup
    Trapeze_AP-M522 -> Trapeze_MX200R (7.3.4.4.0) -> Cisco ACS (5.1) -> RSA
    It's working with Windows PCs and Android (phone, tablet). When we use EAP-MSCHAPv2 it's working, B
    We traced the handshake in the Cisco ACS: the iPad first tries MSCHAPv2, then sends another packet not recognised as GTC, and then fails.
    Any help and/or a sample ICU .mobileconfig would be very appreciated.
    In ICU we select WPA/Enterprise, protocol PEAP, Authentication "Ask for a password with each connection".
    Thanks

    I'm having the same issue. Have you been able to resolve it?

  • TLS not working

    IMAP communication between a mail server and our Unity Connection 7.x server has stopped working.  The end user stated:
    "The problem we observed from our server, and which is reproducible with the openssl tool, is that the Unity Connection server doesn't respond to a login request performed over STARTTLS. Doing a simple IMAP STARTTLS test results in a hung login attempt and eventual timeout:
    client: # openssl s_client -connect unityservername.domain.com:143 -starttls imap
    server: <valid response>
    client: 0 LOGIN username password
    <no response, timeout>"
    On the Unity Connection server I turned on micro traces for IMAP.  In one of the resultant log files, I see this:
    "09/30/2010 08:27:48.687 |3490,ClientSocket-42 10.0.24.181:-28448,,CuImapSvr,11,SSL_accept:error in SSLv3 read client certificate A: [0xFFFFFFFF; --Unknown HRESULT--]|"
    The timestamp on this message corresponded with a failed test attempt. I've tried restarting the IMAP server service. No changes were made on the Unity Connection side between the time that this was working and the time it stopped working.
    Any ideas?
    Thanks.

    Here's what the tech on the client-side observed:
    "The problem we observed from Zimbra ZCS, and which is reproducible with the openssl tool, is that the Unity server does not respond to a login request performed over STARTTLS. Doing a simple IMAP STARTTLS test results in a hung login attempt and eventual timeout:
    client: # openssl s_client -connect unityservername.domain.com:143 -starttls imap
    server:
    client: 0 LOGIN username password
    So the way I interpret this (and I could be totally wrong) is that the client makes an IMAP connection over port 143 and either requests TLS or tries TLS if it is offered. At that point, the login fails.
    The user tried a test and responded with this:
    "Just did one a couple minutes ago- did SSL on 993 first w/success, then did the unencrypted one on 143 which threw the 'Generic Test Failure'"

  • 802.1x PEAPV1 (EAP-GTC) not working on Ipad/Iphone

    I am currently working on deploying 802.1x at a remote location for a University. We use Cisco WCS to query an LDAP server. Apparently the iPhones and iPads are unable to connect using 802.1x PEAP. We have both PEAPv0 (EAP-MSCHAPv2) and PEAPv1 (EAP-GTC) turned on but our LDAP server only supports EAP-GTC. Does anyone know which PEAP version the iPad/iPhone supports? I have included output from the iPhone Configuration Utility while I tried to connect.
    Fri Sep  2 10:54:50 ********** eapolclient[150] <Notice>: peap_verify_server: server certificate not trusted, status 3 0
    Fri Sep  2 10:54:50 ********** Preferences[141] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:] event: 3
    Fri Sep  2 10:54:50 ********** Preferences[141] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: User Information required
    Fri Sep  2 10:54:55 ********** Preferences[141] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:] event: 1
    Fri Sep  2 10:54:55 ********** Preferences[141] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: EAPOL failure
    THANK YOU!!!

    I am having the same issue.
    Whenever I am trying to connect my iPhone to a WPA2-Enterprise network, it by default connects through the MSCHAPv2 auth protocol, whereas my LDAP supports only the GTC auth protocol.
    But there is no option to change the encryption type when configuring a Wi-Fi network.
    Requesting you to please update as to how to connect to the Wi-Fi.
    Thanks in Advance.

  • H-REAP Local Authentication eap-fast not working

    Hi, I'm using a central RADIUS server and have LEAP and EAP-FAST working fine, but when the WAN link fails (local authentication), a new user that tries to connect via LEAP gets authenticated but EAP-FAST fails.
    Any ideas? I'm using WLC 5.01

    If your RADIUS is centrally located and your WAN link goes down, any authentication that needs to go back centrally will fail, unless you have local authentication. Don't know why LEAP would still work if authentication to the RADIUS server has stopped.
    However, if you are using local EAP configured on the WLC, then you will still fail authentication because your WLC is centrally located.

  • ISE - EAP-TLS and then webAuth?

    Hello everyone!
    I have a little bit of a complex dilemma in an ISE deployment and I am trying to learn more about how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.
    Hardware:
    Cisco ISE VM running 1.1.3.124
    WLC 5508 running 7.4.100.0
    AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$
    iPod Touch version 6.1.3(10B329)
    Scenario:
    - User authenticates to SSID that is 802.1x WPA2 AES
    - Machine is checked by having a valid cert issued by CA and given access to ISE CWA
    - User opens their browser
    - WLC redirects them to ISE CWA
    - User provides credentials on the portal
    - User is CoA’d to full access network
    Rules: NSP is a limited profiling access network. CWA is a limited access network with redirect to central web auth on ISE. Standard rules 2 & 3 (which are disabled in this screenshot) are the rules that prove the CWA works on an open SSID.
    I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?
    Thank you in advance!
    Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.
    I checked the WLC “Clients>Details” (from the monitoring page) and I noticed something interesting:

    Please review the links below, which might be helpful:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

  • Cisco ACS with External DB - EAP-TLS

    Hi Guys,
    I understand how the EAP-TLS exchange works (I think), but if I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following?
    Let's say both user and computer certs are employed:
    1. Both client and ACS check each other's certs to ensure they are known to each other. The EAP-TLS exchange.
    2a. At some stage, and I am assuming before the EAP-TLS success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
    2b. What is the parameter that is checked against the AD database?
    I read here that it can be: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
    Client Certificates
    Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
    CN (or Name) Comparison - Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
    SAN Comparison - Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
    Binary Comparison - Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
    3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the cert by the ACS and checked against AD, is that correct? With option 3, does the ACS perform a full comparison of the certificate between what the client has and a "client stored cert" in the AD DB?
    Please can someone help me with these points.
    I am so lost in this stuff :)) I think.
    Many thx and many kind regards,
    Ken

    Only the TLS *handshake* is completed/successful, but user authentication fails:
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
    EAP: EAP-TLS: Handshake succeeded
    EAP: EAP-TLS: Authenticated handshake
    EAP: EAP-TLS: Using CN from certificate as identity for authentication
    EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
    pvAuthenticateUser: authenticate 'jatin' against CSDB
    pvCopySession: setting session group ID to 0.
    pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
    pvAuthenticateUser: authenticate 'jatin' against Windows Database
    External DB [NTAuthenDLL.dll]: Creating Domain cache
    External DB [NTAuthenDLL.dll]: Loading Domain Cache
    External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Domain cache loaded
    External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
    External DB [NTAuthenDLL.dll]: User jatin was not found
    pvCheckUnknownUserPolicy: setting session group ID to 0.
    Unknown User 'jatin' was not authenticated
    So the EAP-Failure (RADIUS Access-Reject) is sent, not EAP-Success (RADIUS Access-Accept).
    And no port/point will be allowed to pass traffic unless the NAS device gets an EAP-Success (RADIUS Access-Accept) for the user.
    HTH
    Regards,
    Prem
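    Ken's three comparison options and Prem's trace describe one decision path: the TLS handshake only proves that the client holds a certificate chaining to a CA the server trusts; after that the server maps the certificate to an account (by CN, by SAN, or by a byte-for-byte match against the stored usercertificate) and looks that account up, and a miss there is an Access-Reject even though the handshake succeeded. The Go program below is an added example, not code from Cisco ACS or from either poster, that walks that path on a constructed CA, two constructed client certificates and an in-memory stand-in for the directory. The names Authenticate, Fixture, User, Method, the account alice and the UPN alice@corp.example are assumptions made for the example, and it uses an rfc822Name SAN in place of the UPN otherName that AD-issued certificates carry, because Go's crypto/x509 exposes no typed field for that.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Method string // one of the three ACS identity-mapping options quoted in the thread
const CNComparison, SANComparison, BinaryComparison Method = "cn", "san", "binary"

type User struct { // constructed stand-in for an AD/LDAP record (example data, not a real directory)
	Name string // account name, compared with the certificate CN
	UPN  string // userPrincipalName, compared with the certificate SAN
	Cert []byte // DER "usercertificate" attribute; nil when none is stored
}

// Authenticate runs the two stages the thread separates: stage 1 verifies the chain to a trusted CA
// (the TLS handshake); stage 2 maps the certificate to a record. "Handshake succeeded" followed by
// "User jatin was not found" in the quoted log is stage 2 failing, which ends in an Access-Reject.
func Authenticate(roots *x509.CertPool, c *x509.Certificate, m Method, store []User) (string, error) {
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("tls handshake: %w", err)
	}
	for _, u := range store {
		ok := false
		switch m {
		case CNComparison: // Subject CN equals the account name
			ok = u.Name == c.Subject.CommonName
		case SANComparison: // any SAN equals the account's UPN
			for _, san := range c.EmailAddresses {
				ok = ok || san == u.UPN
			}
		case BinaryComparison: // whole DER must match; a re-issued cert fails until the store is updated
			ok = bytes.Equal(u.Cert, c.Raw)
		}
		if ok {
			return u.Name, nil
		}
	}
	return "", fmt.Errorf("unknown user: CN %q matched no record by %s comparison", c.Subject.CommonName, m)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a leaf signed by parent, or a self-signed CA when parent is nil. The SAN is an
// rfc822Name: Go's x509 has no typed field for the UPN otherName that AD-issued certificates carry.
func newCert(cn, san string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed PKI; real CAs use random serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signKey := key
	if parent == nil {
		parent, tmpl.IsCA, tmpl.BasicConstraintsValid = tmpl, true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		signKey = parentKey
		tmpl.EmailAddresses = []string{san}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey))
	return must(x509.ParseCertificate(der)), key
}

// Fixture builds constructed data: a CA, the enrolled user alice, and a valid certificate for jatin, who has no account.
func Fixture() (*x509.CertPool, []User, map[string]*x509.Certificate) {
	ca, caKey := newCert("Example Corp CA", "", nil, nil)
	alice, _ := newCert("alice", "alice@corp.example", ca, caKey)
	jatin, _ := newCert("jatin", "jatin@corp.example", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	store := []User{{Name: "alice", UPN: "alice@corp.example", Cert: alice.Raw}}
	return roots, store, map[string]*x509.Certificate{"alice": alice, "jatin": jatin}
}

func main() {
	roots, store, certs := Fixture()
	for name, c := range certs {
		user, err := Authenticate(roots, c, CNComparison, store)
		fmt.Printf("%s (CN comparison) -> user=%q err=%v\n", name, user, err)
	}
}
```

    Run with go run: jatin's certificate passes the handshake but is rejected at the lookup, which is the sequence in Prem's log, and passing an empty x509.NewCertPool() as roots rejects even alice at stage 1. The binary case answers Ken's question 3: it is not a value pulled out of the certificate but the whole DER compared against the stored copy, so a re-issued certificate fails that check until the directory attribute is updated as well.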

  • Eap-tls wireless machine authentication without AD

    Hi all,
    I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN (before logon).
    I can make the user get a cert from my CA, log in as local & connect to the WLAN through EAP-TLS without any problem.
    With an admin account I can get Windows to put the user's cert into the machine store (Machine Account Personal Certificate Store),
    but when it comes to a login attempt the RADIUS UserName looks like "host/username" instead of "username" as in user authentication.
    My question is, do I need to configure an Identity Store (like AD) for machine authentication on ACS, or can I make use of the same configuration as for the user previously (on ACS for user authentication, the Identity Store is Certificate Authentication Profile --> Certificate CN value)?
    Clients are WinXP SP3, and I'm using Cisco ACS 5.2, MS Certificate Services CA, WLC 4402, LAP 1252.
    Note: in my case, each user will have their own laptop so it's best if the machine is authenticated under the user's name.
    Thanks for your help,

    Assuming you're using the stock XP wifi client.
    When running XPSP3, you need to set two things:
    1) force one registry setting.
    According to
    http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
    You need to force usage of machine cert-store certificate:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
    "AuthMode"=dword:00000002
    2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
    - show available wireless networks
    - change advanced settings
    - wireless networks tab
    - select your SSID, and then hit the "properties" button
    - select authentication tab, and then hit "properties" button
    - search for your signing CA, and check the box.
    I did it with a not-so-simple AutoIt script, using the "native wifi functions" addon.
    Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
    Please cross-reference
    https://supportforums.cisco.com/message/3280232
    for a better description of the whole setup.
    Ivan

  • EAP-TLS auth between 2 1310 bridges

    Hello,
    I am working on getting EAP-TLS auth working between a root and non-root 1310 bridge. I've had success getting LEAP working but EAP-TLS is kicking my butt.
    I have an ACS 4.1 server acting as the Radius server and the auth is failing there with the code "EAP-TLS or PEAP authentication failed during SSL handshake". I think I'm missing something related to the certs but don't know where.
    I can post config snippets if that will help but if someone knows of any examples configuring a 1310 or similar bridge with EAP-TLS that would be fantastic.
    TIA,
    BR

    Hi Bastien,
    That is actually what I did.
    The point here is I have 2 CAs involved, with no relation between them.
    So I did the operation twice, once for each CA:
    -> made a certificate signing request, sent it to the CA, had it signed by the CA and then imported/bound it into the ACS
    -> I have added the root CA certificate of each CA into the ACS as well.
    The point is, when a computer tries to connect, it tries to verify the ACS server identity. And the ACS server only seems to present the certificate signed by CA1.
    So when a computer with a machine certificate from CA2 tries to connect, it doesn't trust the ACS server, as the ACS sent its certificate signed by CA1.
    I don't know how to allow the ACS to present the right signed certificate depending on the client that tries to connect.
    Then another configuration item I do not understand is the option:
    EAP: Used for EAP protocols that use SSL/TLS tunneling --> in local certificate, when you add a local certificate to the ACS
    I do not understand what this option stands for.
    Then I could see in the Cisco doc:
        "For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS related protocol"
    Does it mean that the ACS can use only one single certificate for all the TLS protocols configured in the ACS, to authenticate itself to the client?
    Or can the ACS use a different local certificate for each dedicated EAP-TLS protocol?
    thx

  • 802.1x eap-tls machine + user authentication (wired)

    Hi everybody,
    right now we try to authenticate the machines and users which are plugged into our switches over 802.1X EAP-TLS. Works just fine with Windows.
    You plug a Windows laptop into a switchport and the machine authenticates over EAP-TLS with the computer certificate. Now the user logs in and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After EAP-TLS user authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success; if no, the switchport will not allow any traffic.
    Now we have to implement the same behaviour on our MacBook Pros. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentation etc. about how to create .mobileconfig profiles. Right now I'm able to authenticate the machine, and _only_ if I log in. As soon as I log out EAP-TLS stops working. It seems that loginwindow does not know how to authenticate.
    1) How do I tell Mavericks to authenticate with the computer certificate while no user is logged in? I already tried profiles with
    <key>SetupModes</key>
    <array>
        <string>System</string>
        <string>Loginwindow</string>
    </array>
    <key>PayloadScope</key>
    <string>System</string>
    but it does not work.
    2) How do I tell Mavericks to reauthenticate with the user certificate when the user logs in?
    Thanks

    Unfortunately these documents do not describe how to do what I want.
    I already have a working 802.1x. But the Mac only authenticates when the user is logged in. I have to say that even this does not work like it should. If I'm logged in, sometimes I need to click on "Connect" under network settings and sometimes it connects just automatically. That's really strange.
    I set the eapolclient to debugging mode and see the following in /var/log/system.log when I log out.
    Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
    Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
    Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
    Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
    These are the only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
    The certificates are in my System keychain.
    Unfortunately Apple also changed the logging behaviour of eapolclient; I don't see any eapolclient.*.log under /var/log
    Any ideas ?

  • ISE: advising users that only EAP-TLS can be used

    A large school board accepts only EAP-TLS connections. This requirement is easily disseminated to teachers, however not to students, whose personal devices keep trying to connect using PEAP. Once users connect with EAP-TLS, they are authenticated on AD.
    1. Could we from the Switch port block PEAP but let EAP-TLS go through? I couldn't find a command for this.
    2. If we can't stop PEAP requests from reaching ISE, could we treat the PEAP connections as CWA, but have a special Authorization Rule that would say if inner tunnel is PEAP then do CWA-nonEAP-TLS web authentication which would be a customized web page that would have a message instructing the students how to use EAP-TLS? would that make sense?
    3. Do you have better suggestion how to either block PEAP before it reaches ISE or a way using ISE to let users know that they must use EAP-TLS, not PEAP if they wish to connect?
    Thanks.
    Cath.

    Hi Tarik,
    Of course, I know about the Allowed Protocols, which currently has only Host Lookup and EAP-TLS enabled. But that technique, of not allowing PEAP in ISE authentication policies, doesn't stop thousands of students' devices from hitting ISE with PEAP traffic. Students have heard that they are allowed to connect to the school network using dot1x, so they turn it on on their PC without regard to which EAP flavour they are supposed to use. Thus, the ISE box is getting hit with PEAP requests, which it drops. The school board would like to deal with that PEAP traffic.
    To alleviate this problem, of the ISE box constantly getting PEAP traffic from the same device over and over again in the course of a day, I was wondering:
    1. Can we stop PEAP traffic before it arrives at ISE? Is there a way for the switch to differentiate that it's PEAP and not EAP-TLS and to drop it before passing it to ISE? I don't think so.
    2. If the switch can't stop PEAP, what is the best way to have ISE process the PEAP traffic? Because if ISE only rejects the PEAP traffic, it is constantly hit back by the same device sending PEAP traffic to ISE over and over.
    I suggested to the client the two following possible ways:
      a. an authorization rule based on Network Access: Tunnel PEAP that provides CWA with a customized web page telling the students to use EAP-TLS and not PEAP (this technique is explained in para 2 of my original posting).
      b. create a blackhole VLAN where the students' personal PCs that are arriving with PEAP are put. This VLAN doesn't go anywhere, but at least the PC has stopped hitting ISE with PEAP traffic for a few minutes, until the student decides to restart his/her connection.
    I also recommended to the client that they have a better technique to inform the students that only EAP-TLS is available, like posters on the wall, blast email, on the school FB page, etc. But information dissemination is not an IT problem, it's a communication problem.
    Looking forward to your suggestions.
