EAP-TLS on WLC 5508 agains IAS RADIUS

Similar Messages

• EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

  We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
  Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
  For example:
  Policy 1: allowed-certificate-OID --> corporate
  Policy 2: allowed-certificate-OID --> private
  Client authenticates with EKU corporate --> success
  Client authenticates with EKU private --> reject
  My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
  Has anyone a simmilar setup or can help to figure out what is going wrong?
  We have a WLC 5508 with Software Version                 7.4.100.0 and a NPS on a Windows Server 2008 R2
  regards
  Fabian

  The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
  This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches a AD group, the user belongs to, could have a OID that is not in the certificate. This would cause a recejct with reason code 73:
  The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
  The certificate does include this OID but not the custom EKU.

• LEAP EAP-TLS on WLC

  Hi,
    I need to deploy certificate based authentication for some Intermec client devices for a customer. I am planning to use a separate SSID for this. There are other already existing SSID's which have radius based authentication.
  question : if i dont select any radius server for this eap tls ssid and select only 'LEAP' , will it work ? Or will the WLC still search for the already defined radius servers and fail authentication ?
  question2 : if above is not possible, i will have to go for eap tls with ACS . anybody has got easy steps to get eap tls up and running ? (LAP 1252, wlc 4400, acs 4.1, windows CA )
  regards
  Joe

  wireless wlc,
  The WLC side and the radius side is basically setup the same as you would for PEAP.  The only difference is if your policy you create in the radius specifies a certain eap type.  If not, then you don't have to worry about that.  The main thing is that you have a valid computer cert and users cert.  You can verify this by the device wireless profile and on Windows 7 you select user authentication or computer authentication.  If one works and the other doesn't, then you knop which cert is missing.  Selecting user and computer will check for both.  Vlaidat server certificate should only be cheked if the CA is in the Trusted Server Certificate Store.  The CA must be trusted on the domain controller and the IAS, NPS server also.

• EAP-TLS with WLC 5.2.178 Improve Performance and Roams?

  Good Morning...
  I've been working on moving our clients over to EAP-TLS with Machine Auth for sometime. I had moved the IT Department over a couple of months ago as a test with no issues reported and have tested on a few of our Medical Carts (CoWs) as well with no issues reported. However, upon deploying to a larger population of Carts (Specifically using Atheros 5006x 7.x Driver {No Client}) I've been getting some client drop complaints. If I look at the client history I do see a lot of "Client Associations" or Roams that occure anywhere from ever 2minutes, to every 10minutes to every 5 hours. These carts do move around ALOT as they are pushed from one Patient Room to another so I'm guessing the drops are occuring during a re-authentication phase as the device roams. Looking at the device you might not be able to tell it's dropping but the software we use (Meditech) is very connection sensitive in doing a simple ping you may see a couple of dropped packets until the client is fully connected again. So I'm guessing the roaming is the issue. What can we do to fight this or make it more effecient? It was mentioned to me by a colleague (who doesn't know where he saw it) that he thought it was possible to configure the WLC's to not reauthenticate on the roam? I'm guessing something must be able to be tweaked if the 7921's and 25's support EAP-TLS as this type of latency would never work. By the way I'm using an ACS 4.2 as my authentication platform mapped back to AD.

  You will always reauth with a roam. That is part of the 802.11 spec. How you reauth will depend on the type of security you have setup. If you are using WPA2/AES or CCKM the reauths can be done with a PMK instead of needing to go through the entire reauthentication process. Try running "debug client " for a client having the issue and see if it gives you an idea of where the authentication is failing.

• Trying to implement EAP/TLS using java (as part of RADIUS server)

  Hi
  This is a cross port since I didn't know which forum to post in!
  I'm trying to implement a RADIUS server (EAP/TLS) as part of my master thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an accesspoint that uses 802.1x. I have created certificates using openssl and imported the "cert-clt.pl2"and "root.pem" to a laptop trying to connect to the accesspoint. On the server side i imported the "cacert.pem" and "cert-srv.der" using keytool to a keystore. In my code I read the keystore and create the SSLEngine with following code:
            KeyStore ksKeys = KeyStore.getInstance("JKS");
              ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
              KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
              kmf.init(ksKeys, passphrase);
              KeyStore ksTrust = KeyStore.getInstance("JKS");
              ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
              TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
              tmf.init(ksKeys);
              sslContext = SSLContext.getInstance("TLS");
              sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
              sslEngine = sslContext.createSSLEngine();
              sslEngine.setUseClientMode(false);
              sslEngine.setNeedClientAuth(true);
              sslEngine.setWantClientAuth(true);
              sslEngine.setEnableSessionCreation(true);
              appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
              appBuffer.clear();
              netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
              netBuffer.clear();All I want to do with TLS is a handshake.
  I'm not talking ssl using sockets instead I receive and send all TLS data encapsulated in EAP packet that are incapsulated in RADIUS packets. I start off with sending TLS-Start upon I recive TLS data. I handle it with the following code:
         SSLEngineResult result = null;
          SSLEngineResult.HandshakeStatus hsStatus = null;
          if( internalState != EAPTLSState.Handshaking ) {
              if( internalState == EAPTLSState.None ) {
                  TLSPacket tlsPacket = new TLSPacket( packet.getData() );
                  peerIdentity = tlsPacket.getData();
                  internalState = EAPTLSState.Starting;
                  try {
                      sslEngine.beginHandshake();
                  } catch (SSLException e) {
                      e.printStackTrace();
                  return;
              else if(internalState == EAPTLSState.Starting ) {
                  internalState = EAPTLSState.Handshaking;
                  try {
                      sslEngine.beginHandshake();
                  } catch (SSLException e) {
                      e.printStackTrace();
          TLSPacket tlsPacket = new TLSPacket( packet.getData() );
          netBuffer.put( tlsPacket.getData() );
          netBuffer.flip();
          while(true) {
              hsStatus = sslEngine.getHandshakeStatus();
              if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                  Runnable task;
                  while((task=sslEngine.getDelegatedTask()) != null) {
                      new Thread(task).start();
              else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
                  try {
                      result = sslEngine.unwrap( netBuffer, appBuffer );
                  } catch (SSLException e) {
                      e.printStackTrace();
              else {
                  return;
          }When I try to send data I use the following code:
             SSLEngineResult.HandshakeStatus hsStatus = null;
              SSLEngineResult result = null;
  //            netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
              netBuffer.clear();
              while(true) {
                  hsStatus = sslEngine.getHandshakeStatus();
                  if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                      Runnable task;
                      while((task=sslEngine.getDelegatedTask()) != null) {
                          new Thread(task).start();
                  else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
                      try {
                          result = sslEngine.wrap( dummyBuffer, netBuffer );
                      } catch (SSLException e) {
                          e.printStackTrace();
                  else {
                      if( result != null && result.getStatus() == SSLEngineResult.Status.OK ) {
                          int size = Math.min(result.bytesProduced(),this.MTU);
                          byte [] tlsData = new byte[size];
                          netBuffer.flip();
                          netBuffer.get(tlsData,0,size);
                          TLSPacket tlsPacket = new TLSPacket((byte)0,tlsData);
                          if( size < result.bytesProduced() ) {
                              tlsPacket.setFlag(TLSFlag.MoreFragments);
                          return new EAPTLSRequestPacket( ID,
                                  (short)(tlsPacket.getData().length + 6),
                                  stateMachine.getCurrentMethod(), tlsPacket );
                      else {
                          return null;
                  }After I sent TLS-Start I receive data and manage to process it but when then trying to produce TLS data I get the following error:
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
  at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
  at java.lang.Thread.run(Thread.java:595)
  Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
  at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
  at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
  Any help wold be most greatfull, if any questions or anything unclear plz let me know.
  add some additional information here is a debug output
  Before this I have sent a TLS-star package and this is when I receive new information and then try to create the answer
  [Raw read]: length = 5
  0000: 16 03 01 00 41 ....A
  [Raw read]: length = 65
  0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
  0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
  0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
  0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
  0040: 00 .
  Thread-2, READ: TLSv1 Handshake, length = 65
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 4
  1, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198,
  50, 201 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH
  _3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA,
  SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EX
  PORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DE
  S_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
  Compression Methods: { 0 }
  [read] MD5 and SHA1 hashes: len = 65
  0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
  0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
  0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
  0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
  0040: 00 .
  Thread-5, fatal error: 40: no cipher suites in common
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
  Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
  Thread-5, WRITE: TLSv1 Alert, length = 2
  Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeEx
  ception: no cipher suites in common
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:9
  92)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineI
  mpl.java:459)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineIm
  pl.java:1054)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:10
  26)
  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
  at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.ja
  va:153)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStat
  eMachine.java:358)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.j
  ava:262)
  at java.lang.Thread.run(Thread.java:595)
  Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1
  352)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(Serve
  rHandshaker.java:638)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHands
  haker.java:450)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHa
  ndshaker.java:178)
  at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:4
  95)
  at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.
  java:930)
  ... 1 more

  I am developing a simple client/server SSL app using sdk 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?

• IPhone and EAP-TLS with ACS & 5508

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  I have a large customer that is moving into a new building and adding some
  new wireless.
  They are using a 5508 with 1142's and an ACS server.
  They will have the following SSID's
  SSID01 -> WPA-EAP-TLS
  SSID02 -> WPA2-EAP-TLS (future use)
  SSID03 -> Guest Access (internet access only)
  They currently use this design across the enterprise which has worked well.
  The problem is to get certificates pushed down to the client for the EAP-TLS
  they always connect the machine once by wire and log on to the domain so a
  GPO pushes the cert to the machine.
  This creates a problem that I don't know how to solve as they want to use
  iPhones on the new deployment.
  Does anyone have any ideas on how to get a cert down to the iPhones for use
  with the SSID's?
  Thanks in advance for any assistance.

  I don't think we can push certs from windows server to iphones . Probably set up a webpage say a accessible from a different ssid  from which clients can download and install cert. ?

• WLC 5508 and Microsoft Radius Server 2008

  Hi, I am trying to setup WLC 5508 for a customer who want to use MS NPS for Radius authentication, however there aren't many good documents showing how to configure the MS NPS.
  I have couple of questions:
  1, Does WLC 5508 support MS NPS on Server 2008 R2?
  2, Are there any good document showing how to configure this?
  Thanks

  Hadisharifi,
  There is no single document that we can pick for configuring WLC and NPS. However, you may visit the below listed document for NPS  and WLC side configuration:
  Configure the WLC for RADIUS Authentication through an External RADIUS Server
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c2
  Fo the NPS side configuration, you may consider the attached document.
  Regds,
  JK
  Do rate helpful posts-

• ISE 1.2 - WLC 5508 - NAS sends RADIUS accounting update messages too frequently

  I'm getting this error in ISE referring to my Cisco 5508 WLC.  I'm not sure how to turn down the frequency.  Any ideas?
  NAS sends RADIUS accounting update messages too frequently
  Verify NAS configuration. Verify known NAS issues.

  I opened up a TAC case with Cisco yesterday and this is the response i got from them:
  There is bug on the WLC side to reduce the number acct updates:
  CSCug14713- WLC sends acct-update twice in the same millisecond
  This is fixed in 8.x on the WLC.
  So, it looks at though we just have to deal with it until they release an 8.x version for the WLC. In the meantime, you can disable the alerts in ISE.
  Administration>Settings>Alarm Settings>Misconfigured Network Device Detected
  Edit that alarm and set it to disabled

• Win 2008 R2 radius integration with WLC 5508

  Requires help in integrating Win 2008 R2 Radius server with WLC 5508

  Step by Step instructions - NPS & Wireless LAN Controller
  PEAP Authentication - http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html
  EAP-TLS
  https://kb.meraki.com/knowledge_base/radius-creating-a-policy-in-nps-to-support-eap-tls-authentication
  hope that helps, Please let me know if you have any other questions in regards to setting up your NPS server
  Please rate that post if it answers your question or helps you  to resolve the problem.

• Cannot ping IAS RADIUS from WLC 2504

  I'm having some weird issues where I cannot ping from the WLC to the IAS RADIUS server.  All of my clients cannot connect, but from the switch, router, RADIUS server, and hard wired clients, I can ping to the WLC and RADIUS server.  The only thing that cannot ping the RADIUS server is the WLC itself.  Nothing in the FW is blocking connectivity.  Any ideas?
  (Cisco Controller) >show radius summ
  Vendor Id Backward Compatibility................. Disabled
  Call Station Id Case............................. lower
  Call Station Id Type............................. IP Address
  Aggressive Failover.............................. Disabled
  Keywrap.......................................... Disabled
  Fallback Test:
      Test Mode.................................... Off
      Probe User Name.............................. cisco-probe
      Interval (in seconds)........................ 300
  MAC Delimiter for Authentication Messages........ none
  MAC Delimiter for Accounting Messages............ hyphen
  Authentication Servers
  Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
  1    NM    10.10.50.63       1645    Enabled   5     Enabled   Disabled - none/unknown/group-0/0 none/none
  2    NM    10.10.50.130      1645    Enabled   5     Enabled   Disabled - none/unknown/group-0/0 none/none
  Accounting Servers
  Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
  1      N     10.10.50.63       1646    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none
  2      N     10.10.50.130      1646    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none

  It's in the arp cache through the default router
  (Cisco Controller) >show interface detailed management
  Interface Name................................... management
  MAC Address...................................... d0:c2:82:df:5b:c0
  IP Address....................................... 10.30.72.250
  IP Netmask....................................... 255.255.255.0
  IP Gateway....................................... 10.30.72.1
  External NAT IP State............................ Disabled
  External NAT IP Address.......................... 0.0.0.0
  VLAN............................................. untagged
  Quarantine-vlan.................................. 0
  Active Physical Port............................. 1
  Primary Physical Port............................ 1
  Backup Physical Port............................. Unconfigured
  Primary DHCP Server.............................. 10.10.10.65
  Secondary DHCP Server............................ Unconfigured
  DHCP Option 82................................... Disabled
  ACL.............................................. Unconfigured
  AP Manager....................................... Yes
  Guest Interface.................................. No
  L2 Multicast..................................... Disabled
  (Cisco Controller) >show arp switch
  Number of arp entries................................ 19
      MAC Address        IP Address     Port   VLAN   Type
  50:57:A8:D6:DE:C0   10.10.19.1       1      5      Host
  50:57:A8:D6:DE:C0   10.10.20.138     1      5      Host
  50:57:A8:D6:DE:C0   10.10.50.63      1      5      Host
  64:00:F1:08:A0:D0   10.30.72.1       1      0      Host
  50:57:A8:9E:B5:CD   10.30.72.40      1      0      Host
  50:57:A8:A1:7B:C5   10.30.72.44      1      0      Host
  50:57:A8:9E:99:78   10.30.72.48      1      0      Host
  50:57:A8:3B:66:E3   10.30.72.49      1      0      Host
  00:07:7D:43:23:DA   10.30.72.58      1      0      Host
  50:57:A8:9E:B6:1D   10.30.72.59      1      0      Host
  50:57:A8:9E:95:C5   10.30.72.60      1      0      Host
  50:57:A8:A1:7C:0D   10.30.72.61      1      0      Host
  00:07:7D:65:36:DD   10.30.72.62      1      0      Host
  50:57:A8:44:57:0C   10.30.72.63      1      0      Host
  50:57:A8:CA:CC:01   10.30.72.64      1      0      Host

• EAP-TLS not working on WinXP client, but does work on W2k?

  Hi
  So I've got EAP-TLS setup using a W2K IAS server as RADIUS, W2K certificate server and cisco 1100 APs. I've got computer certs on four notebooks of which 2 are W2k and the other two are XP. On the W2k PCs I am able to pop in my wireless 350 card and get an IP before logging in (as seen via the dhcp server) and then once logged in, the user cert is used to further authenticate and remain connected to the network (as seen via the IAS logs). Yet when I try to pop in my wireless card on the XP PCs, I get no IP address and nothing ever shows up in the IAS logs...the 1100 ap says that its associated but nothing more. Does anyone have any ideas. Thanks
  Jason

  Jason,
  Can you authenticate from the XP clients using LEAP or something other then EAP-TLS?
  If not i would look at upgrading the 350 card drivers on the XP machines to the latest.
  I have had problems before using the cardbus pcmcia adapters on XP, when i installed the latest drivers it worked.
  Let me know how you get on?
  Rgds,
  Paddy

• EAP-TLS Questions....

  Hi all,
  My setup is like this..
  Laptop - LWAPP - WLC - ACS - AD
  I m using CA to generate certificate.. I have configured EAP-TLS on WLC & ACS SE. Everything is working fine ie when i issue a certificate from CA on my AD login name & install that certificate i m able to connect to WLAN.. For security on WLC i have enable WPA & 802.1x...
  What i want is that when i boot up the laptop it should directly get connected to Wireless network & whne i try to login using my user name & password it should prompt for if my password is expired or something & get connected to AD. But this is not happening which use to happen when we were using peap as it ask for username & paswword to connect but not in case of EAP_TLS it only check for valid certificates....
  Thanks in advance..
  regards,
  piyush

  Hi Fella,
  i had one more issue ie want to do perform machine authentication as the laptops boot up along with the user authentication hen the users logs in.
  I had set AuthMode value to 1 for it. But how should i check on my ACS SE that the machine is authenticated or not & is it possible that during login using username & password the WLAN should get connected as it is for ethernet LAN.
  Thanks for ur reply..
  Piyush

• Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

  Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
  I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
  Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
  Any ideas of what might be the issue or misconfiguration?

  Jim,
  I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
  It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
  May need to open a TAC case to see if this issue is on the 550x controllers also.
  Thanks,
  Tarik

• ISE 1.2 / WLC 5508 EAP-TLS expired certificate error, but wireless still working

  Hi I have a customer that we've deployed ISE 1.2 and WLC 5508s at.  Customer is using EAP-TLS with and everything appears to setup properly.  Users are able to login to the network and authenticate, however, frequently, I'm getting the following error in ISE authentication logs:
  12516 EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain
  OpenSSL messages are:
  SSL alert: code=Ox22D=557 : source=local ; type=fatal : message="X509
  certificate ex pi red"'
  4 727850450.3616:error.140890B2: SS L
  rOYbne s: SSL 3_  G ET _CL IE NT  _CE RT IF ICAT E:no ce rtific ate
  relurned: s3_ srvr.c: 272 0
  I'm not sure if this is cosmetic or if this is something that I should be tracking down.  System isn't in full production yet, but every client seems to be working and there is no expired cert in the chain.  Any ideas what to check?

  Hello Dino,
    thanks very much for your reply.
    The client uses a machine-certificate, the PKI is not a microsoft one, but a third party PKI.   The certificate is fresh and valid, the root-cert is installed and checked to be validated against it for the login.
  Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
  EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
  I suspect the cert-setup itself, but don't get a clue where this might stuck...
  Björn

• WLC 5508 - EAP-TLS - Windows 8.1 Third Party PKI

  Hello,
  Does anybody know what could prevent a Windows 8/8.1 system to connect to a WLC via EAP-TLS? Windows 7/XP do not have any problems here.The radius server accepts the request, but WIndows 8 still tries to authenticate.
  Software is updated to 7.6.120.0, I tried to setup timeout values, but no success at all.
  Did anyone have similar problems with Windows 8/81?
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Starting key exchange to mobile 0c:8b:fd:eb:16:17, data packets will be dropped
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
     state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
     state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Reusing allocated memory for  EAP Pkt for retransmission to mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId =
  0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Entering Backend Auth Success state (id=6) for mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Received Auth Success while in Authenticating state for mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 dot1x - moving mobile 0c:8b:fd:eb:16:17 into Authenticated state
  *osapiBsnTimer: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *osapiBsnTimer: Jun 24 12:43:16.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *osapiBsnTimer: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 Retransmit failure for EAPOL-Key M1 to mobile 0c:8b:fd:eb:16:17, retransmit count 3, mscb deauth count 0
  Any hint would be great .... Thank you...

  Hello Dino,
    thanks very much for your reply.
    The client uses a machine-certificate, the PKI is not a microsoft one, but a third party PKI.   The certificate is fresh and valid, the root-cert is installed and checked to be validated against it for the login.
  Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
  EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
  I suspect the cert-setup itself, but don't get a clue where this might stuck...
  Björn