EAP-TLS on WLC 5508 against IAS RADIUS
Hi, has anyone experienced an issue like this?
I am installing a WLC 5508 using EAP-TLS authentication with an IAS RADIUS server.
I got an “Access-Accept” debug message received from the RADIUS server.
However, the wireless client failed to connect.
Below is part of the debug output from the WLC.
Any feedback is welcome.
*Oct 07 15:08:24.403: Callback.....................................0x10c527d0
*Oct 07 15:08:24.403: protocolType.................................0x00140001
*Oct 07 15:08:24.403: proxyState...................................00:19:7D:72:B4:3B-09:00
*Oct 07 15:08:24.403: Packet contains 12 AVPs (not shown)
*Oct 07 15:08:24.403: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Oct 07 15:08:24.404: 00:19:7d:72:b4:3b Successful transmission of Authentication Packet (id 101) to 10.86.8.105:1812, proxy state 00:19:7d:72:b4:3b-00:00
*Oct 07 15:08:24.404: 00000000: 01 65 00 d2 d0 bc 95 1b f7 c9 71 dd 32 cb b7 0a .e........q.2...
*Oct 07 15:08:24.404: 00000010: 52 eb 0c 3e 01 22 68 6f 73 74 2f 49 44 31 30 2d R..>."host/ID10-
*Oct 07 15:08:24.404: 00000020: 30 41 46 4a 30 33 31 2e 65 75 63 2e 6e 65 73 74 0AFJ031.euc.test
*Oct 07 15:08:24.404: 00000030: 6c 65 2e 63 6f 6d 1f 13 30 30 2d 31 39 2d 37 64 01.com..00-19-7d
*Oct 07 15:08:24.404: 00000040: 2d 37 32 2d 62 34 2d 33 62 1e 1a 30 30 2d 33 61 -72-b4-3b..00-3a
*Oct 07 15:08:24.404: 00000050: 2d 39 38 2d 39 35 2d 34 36 2d 35 30 3a 57 57 53 -98-95-46-50:TES
*Oct 07 15:08:24.404: 00000060: 33 30 30 05 06 00 00 00 01 04 06 0a 56 0c d2 20 300.........V...
*Oct 07 15:08:24.404: 00000070: 0c 49 44 48 4f 4a 58 43 30 30 31 1a 0c 00 00 37 .IDHOJXC001....7
*Oct 07 15:08:24.404: 00000080: 63 01 06 00 00 00 01 06 06 00 00 00 02 0c 06 00 c...............
*Oct 07 15:08:24.404: 00000090: 00 05 14 3d 06 00 00 00 13 4f 27 02 03 00 25 01 ...=.....O'...%.
*Oct 07 15:08:24.404: 000000a0: 68 6f 73 74 2f 49 44 31 30 2d 30 41 46 4a 30 33 host/ID10-0AFJ03
*Oct 07 15:08:24.404: 000000b0: 31 2e 65 75 63 2e 6e 65 73 74 6c 65 2e 63 6f 6d 1.euc.nestle.com
*Oct 07 15:08:24.404: 000000c0: 50 12 80 be 54 a7 26 52 8e 63 0f 2f 87 a5 78 53 P...T.&R.c./..xS
*Oct 07 15:08:24.404: 000000d0: 68 6e hn
*Oct 07 15:08:24.405: 00000000: 02 65 00 34 3e c1 67 35 f7 be 57 75 43 ce 19 ca .e.4>.g5..WuC...
*Oct 07 15:08:24.405: 00000010: 83 5d 83 95 19 20 31 b1 03 a2 00 00 01 37 00 01 .]....1......7..
*Oct 07 15:08:24.405: 00000020: 0a 56 08 69 01 cb 63 8b 13 1e 16 37 00 00 00 00 .V.i..c....7....
*Oct 07 15:08:24.405: 00000030: 00 00 00 5f ..._
*Oct 07 15:08:24.405: ****Enter processIncomingMessages: response code=2
*Oct 07 15:08:24.405: ****Enter processRadiusResponse: response code=2
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Access-Accept received from RADIUS server 10.86.8.105 for mobile 00:19:7d:72:b4:3b receiveId = 9
*Oct 07 15:08:24.405: AuthorizationResponse: 0x1524b3d8
*Oct 07 15:08:24.405: structureSize................................78
*Oct 07 15:08:24.405: resultCode...................................0
*Oct 07 15:08:24.405: protocolUsed.................................0x00000001
*Oct 07 15:08:24.405: proxyState...................................00:19:7D:72:B4:3B-09:00
*Oct 07 15:08:24.405: Packet contains 1 AVPs:
*Oct 07 15:08:24.405: AVP[01] Class....................................DATA (30 bytes)
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Applying new AAA override for station 00:19:7d:72:b4:3b
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
source: 4, valid bits: 0x0
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
dataAvgC: -1, rTAvgC
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Inserting new RADIUS override into chain for station 00:19:7d:72:b4:3b
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
source: 4, valid bits: 0x0
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
dataAvgC: -1, rTAvgC
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:24.405: 00000000: 01 00 00 04 03 ff 00 04 ........
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:24.405: 00000000: 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 ..._............
*Oct 07 15:08:24.405: 00000010: 00 3e 5d 2a e3 2a c2 22 71 0b 06 e8 42 6c 3c bf .>]*.*."q...Bl<.
*Oct 07 15:08:24.405: 00000020: 45 1e 5c e7 a1 68 ae 0c c0 9f 22 ce 0c 3e 96 45 E.\..h...."..>.E
*Oct 07 15:08:24.405: 00000030: ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:24.405: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:24.405: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:24.405: 00000060: 00 00 00 ...
*Oct 07 15:08:25.316: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:25.317: 00000000: 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 ..._............
*Oct 07 15:08:25.317: 00000010: 01 3e 5d 2a e3 2a c2 22 71 0b 06 e8 42 6c 3c bf .>]*.*."q...Bl<.
*Oct 07 15:08:25.317: 00000020: 45 1e 5c e7 a1 68 ae 0c c0 9f 22 ce 0c 3e 96 45 E.\..h...."..>.E
*Oct 07 15:08:25.317: 00000030: ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:25.317: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:25.317: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:25.317: 00000060: 00 00 00 ...
*Oct 07 15:08:26.317: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:26.317: 00000000: 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 ..._............
*Oct 07 15:08:26.317: 00000010: 02 3e 5d 2a e3 2a c2 22 71 0b 06 e8 42 6c 3c bf .>]*.*."q...Bl<.
*Oct 07 15:08:26.317: 00000020: 45 1e 5c e7 a1 68 ae 0c c0 9f 22 ce 0c 3e 96 45 E.\..h...."..>.E
*Oct 07 15:08:26.317: 00000030: ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:26.317: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:26.317: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:26.317: 00000060: 00 00 00 ...
*Oct 07 15:08:27.753: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:27.753: 00000000: 01 00 00 30 01 01 00 30 01 00 6e 65 74 77 6f 72 ...0...0..networ
*Oct 07 15:08:27.753: 00000010: 6b 69 64 3d 57 57 53 33 30 30 2c 6e 61 73 69 64 kid=TES300,nasid
*Oct 07 15:08:27.753: 00000020: 3d 49 44 48 4f 4a 58 43 30 30 31 2c 70 6f 72 74 =IDHOJXC001,port
*Oct 07 15:08:27.753: 00000030: 69 64 3d 31 id=1
*Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 5) from mobile 00:19:7d:72:b4:3b
*Oct 07 15:08:27.760: 00000000: 01 01 00 00 00 .....
*Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:27.760: 00000000: 01 00 00 30 01 02 00 30 01 00 6e 65 74 77 6f 72 ...0...0..networ
*Oct 07 15:08:27.760: 00000010: 6b 69 64 3d 57 57 53 33 30 30 2c 6e 61 73 69 64 kid=TES300,nasid
*Oct 07 15:08:27.760: 00000020: 3d 49 44 48 4f 4a 58 43 30 30 31 2c 70 6f 72 74 =IDHOJXC001,port
*Oct 07 15:08:27.760: 00000030: 69 64 3d 31 id=1
*Oct 07 15:08:27.762: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
*Oct 07 15:08:27.762: 00000000: 01 00 00 25 02 01 00 25 01 68 6f 73 74 2f 49 44 ...%...%.host/ID
*Oct 07 15:08:27.762: 00000010: 31 30 2d 30 41 46 4a 30 33 31 2e 65 75 63 2e 6e 10-0AFJ031.euc.t
*Oct 07 15:08:27.762: 00000020: 65 73 74 6c 65 2e 63 6f 6d est01.com
*Oct 07 15:08:27.764: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
*Oct 07 15:08:27.764: 00000000: 01 00 00 25 02 02 00 25 01 68 6f 73 74 2f 49 44 ...%...%.host/ID
*Oct 07 15:08:27.764: 00000010: 31 30 2d 30 41 46 4a 30 33 31 2e 65 75 63 2e 6e 10-0AFJ031.euc.t
*Oct 07 15:08:27.764: 00000020: 65 73 74 6c 65 2e 63 6f 6d est01.com
*Oct 07 15:08:27.765: AuthenticationRequest: 0x1ad0b36c
Thanks for your reply, jedubois.
Really appreciate it.
I have tried to change the value for EAPOL-Key Timeout, but the client still won't connect.
Below is the output of the EAP advanced config:
(Cisco Controller) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 5000
EAPOL-Key Max Retries............................ 2
(Cisco Controller) >
Any other suggestion?
Similar Messages
-
EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OIDs
We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press book
Windows Server 2008 PKI and Certificate Security gives an example of how to configure a policy in NPS that matches specific EKU OIDs. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OIDs in our certificates, but our setup is not working as expected. Authentication will only be successful if the client authenticates with the certificate that is matched by the first policy rule.
For example:
Policy 1: allowed-certificate-OID --> corporate
Policy 2: allowed-certificate-OID --> private
Client authenticates with EKU corporate --> success
Client authenticates with EKU private --> reject
My expectation was that, if Policy 1 does not match, NPS goes on to Policy 2 and tries to authenticate the client.
Does anyone have a similar setup or can help to figure out what is going wrong?
We have a WLC 5508 with Software Version 7.4.100.0 and an NPS on Windows Server 2008 R2.
regards
Fabian
The policy rejects and NPS goes to the next policy only if the user does not belong to the configured group.
This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work only with one group for each user, because the first policy that matches an AD group the user belongs to could have an OID that is not in the certificate. This would cause a reject with reason code 73:
The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
The certificate does include this OID but not the custom EKU. -
Hi,
I need to deploy certificate-based authentication for some Intermec client devices for a customer. I am planning to use a separate SSID for this. There are other already existing SSIDs which have RADIUS-based authentication.
Question: if I don't select any RADIUS server for this EAP-TLS SSID and select only 'LEAP', will it work? Or will the WLC still search for the already defined RADIUS servers and fail authentication?
Question 2: if the above is not possible, I will have to go for EAP-TLS with ACS. Does anybody have easy steps to get EAP-TLS up and running? (LAP 1252, WLC 4400, ACS 4.1, Windows CA)
regards
Joe
wireless wlc,
The WLC side and the RADIUS side are basically set up the same as you would for PEAP. The only difference is if the policy you create on the RADIUS server specifies a certain EAP type. If not, then you don't have to worry about that. The main thing is that you have a valid computer cert and user cert. You can verify this by the device wireless profile, and on Windows 7 you select user authentication or computer authentication. If one works and the other doesn't, then you know which cert is missing. Selecting user and computer will check for both. Validate server certificate should only be checked if the CA is in the Trusted Server Certificate Store. The CA must be trusted on the domain controller and the IAS/NPS server also. -
EAP-TLS with WLC 5.2.178 Improve Performance and Roams?
Good Morning...
I've been working on moving our clients over to EAP-TLS with machine auth for some time. I had moved the IT department over a couple of months ago as a test with no issues reported and have tested on a few of our medical carts (CoWs) as well with no issues reported. However, upon deploying to a larger population of carts (specifically using the Atheros 5006x 7.x driver, no client) I've been getting some client drop complaints. If I look at the client history I do see a lot of "Client Associations" or roams that occur anywhere from every 2 minutes, to every 10 minutes, to every 5 hours. These carts do move around a lot as they are pushed from one patient room to another, so I'm guessing the drops are occurring during a re-authentication phase as the device roams. Looking at the device you might not be able to tell it's dropping, but the software we use (Meditech) is very connection sensitive; in doing a simple ping you may see a couple of dropped packets until the client is fully connected again. So I'm guessing the roaming is the issue. What can we do to fight this or make it more efficient? It was mentioned to me by a colleague (who doesn't know where he saw it) that he thought it was possible to configure the WLCs to not reauthenticate on the roam? I'm guessing something must be able to be tweaked if the 7921s and 25s support EAP-TLS, as this type of latency would never work. By the way, I'm using an ACS 4.2 as my authentication platform mapped back to AD.
You will always reauth with a roam. That is part of the 802.11 spec. How you reauth will depend on the type of security you have set up. If you are using WPA2/AES or CCKM the reauths can be done with a PMK instead of needing to go through the entire reauthentication process. Try running "debug client" for a client having the issue and see if it gives you an idea of where the authentication is failing.
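The reply above points at PMK caching as what makes a roam cheap: after the first EAP-TLS exchange the station and the controller share a PMK, so a reassociation to another AP on the same controller only needs the 4-way handshake, not a new TLS handshake against ACS. As an added example, not code from the thread, the Python below shows the mechanics: the PMKID the authenticator places in EAPOL-Key message 1, the station's cache lookup by that PMKID, the PRF-384 PTK derivation, and the HMAC-SHA1 MIC on message 2 that proves both sides hold the same PMK. MAC addresses, the PMK and the nonces are constructed. roam_demo(True) models opportunistic key caching, where the station pre-computes PMKIDs for the other BSSIDs of the controller; roam_demo(False) models a station that only cached the first BSSID and therefore misses, which is the case that falls back to a full EAP exchange and shows up as a drop.

```python
"""PMK caching on roam: PMKID lookup, PTK derivation and EAPOL-Key MIC verification.

Added example, not code from the thread. Addresses, PMK and nonces are constructed; the
derivations are the IEEE 802.11 RSNA ones (CCMP, key descriptor version 2, HMAC-SHA1).
"""
import hashlib
import hmac
import os
import struct

KI_VER2, KI_PAIRWISE, KI_ACK, KI_MIC = 0x0002, 0x0008, 0x0080, 0x0100
MIC_OFF = 81        # 4-byte 802.1X header + 77 bytes of EAPOL-Key body before the MIC field
RSN_OUI_PMKID = b"\x00\x0f\xac\x04"

def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); names a PMK without revealing it."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]

def prf(key, label, data, nbytes):
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PRF-384 over min/max of addresses and nonces, so both sides agree; returns (KCK, KEK, TK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]

def eapol_key(key_info, replay, nonce, key_data, mic=bytes(16)):
    """802.1X v2 EAPOL-Key frame with the RSN descriptor (2) and CCMP key length 16."""
    body = struct.pack("!BHH8s32s16s8s8s16sH", 2, key_info, 16, replay, nonce,
                       bytes(16), bytes(8), bytes(8), mic, len(key_data)) + key_data
    return struct.pack("!BBH", 2, 3, len(body)) + body

def compute_mic(kck, frame):
    """Descriptor version 2 MIC: HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def pmkid_kde(value):
    """RSN KDE: 0xdd, length 20, OUI 00-0f-ac, data type 4 (PMKID)."""
    return bytes([0xdd, 20]) + RSN_OUI_PMKID + value

def parse_pmkid_kde(frame):
    """Walk the Key Data field and return the PMKID KDE payload, or None."""
    datalen = struct.unpack("!H", frame[97:99])[0]
    kd, off = frame[99:99 + datalen], 0
    while off + 2 <= len(kd):
        t, l = kd[off], kd[off + 1]
        if t == 0xdd and l >= 20 and kd[off + 2:off + 6] == RSN_OUI_PMKID:
            return kd[off + 6:off + 22]
        off += 2 + l
    return None

def build_m1(pmk, aa, spa, anonce, replay=1):
    """Authenticator: message 1 names the PMK so the station can skip EAP if it has it cached."""
    return eapol_key(KI_VER2 | KI_PAIRWISE | KI_ACK, struct.pack("!Q", replay), anonce,
                     pmkid_kde(pmkid(pmk, aa, spa)))

class Supplicant:
    def __init__(self, spa):
        self.spa, self.cache = spa, {}          # cache: PMKID -> PMK

    def cache_pmk(self, pmk, aa):
        self.cache[pmkid(pmk, aa, self.spa)] = pmk

    def respond_m1(self, aa, m1):
        """Message 2 when the PMKID in message 1 hits the cache; None means a full EAP exchange."""
        pmk = self.cache.get(parse_pmkid_kde(m1))
        if pmk is None:
            return None
        snonce = os.urandom(32)
        kck, _, _ = derive_ptk(pmk, aa, self.spa, m1[17:49], snonce)            # ANonce at 17:49
        m2 = eapol_key(KI_VER2 | KI_PAIRWISE | KI_MIC, m1[9:17], snonce, b"")   # echo replay ctr
        return m2[:MIC_OFF] + compute_mic(kck, m2) + m2[MIC_OFF + 16:]

def verify_m2(pmk, aa, spa, anonce, m2):
    """Authenticator: derive the PTK from the SNonce in message 2 and check its MIC in constant time."""
    kck, _, _ = derive_ptk(pmk, aa, spa, anonce, m2[17:49])
    return hmac.compare_digest(compute_mic(kck, m2), m2[MIC_OFF:MIC_OFF + 16])

def roam_demo(okc):
    """Constructed roam from AP1 to AP2 that share one PMK (as APs on one controller do). With
    OKC the station pre-computes PMKIDs for other BSSIDs; without it AP2's PMKID misses the cache."""
    pmk = hashlib.sha256(b"constructed PMK from the EAP-TLS MSK").digest()
    spa, ap1, ap2 = (bytes.fromhex(h) for h in ("001122334455", "0a0b0c0d0e01", "0a0b0c0d0e02"))
    sta = Supplicant(spa)
    sta.cache_pmk(pmk, ap1)
    if okc:
        sta.cache_pmk(pmk, ap2)
    anonce = os.urandom(32)
    m2 = sta.respond_m1(ap2, build_m1(pmk, ap2, spa, anonce))
    return m2 is not None and verify_m2(pmk, ap2, spa, anonce, m2)
```

The point of the two roam_demo cases: whether a roam costs one 4-way handshake or a full EAP-TLS round trip to the RADIUS server is decided by the PMKID lookup on the station, so a client driver that does not implement OKC or PMK caching (or a WLAN without WPA2/CCKM) re-runs EAP on every association regardless of how the controller is tuned.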
-
Trying to implement EAP/TLS using java (as part of RADIUS server)
Hi
This is a cross post since I didn't know which forum to post in!
I'm trying to implement a RADIUS server (EAP/TLS) as part of my master's thesis. I'm not used to the Java SSL libraries and can't get it to work. The server will respond to an access point that uses 802.1X. I have created certificates using OpenSSL and imported "cert-clt.pl2" and "root.pem" to a laptop trying to connect to the access point. On the server side I imported "cacert.pem" and "cert-srv.der" using keytool into a keystore. In my code I read the keystore and create the SSLEngine with the following code:
KeyStore ksKeys = KeyStore.getInstance("JKS");
// The KeyManager needs a PrivateKeyEntry (server private key plus certificate chain).
// A certificate file imported with "keytool -importcert" becomes a trustedCertEntry
// only; with no private key the server cannot offer any of the RSA/DHE_DSS suites
// the client proposes, and the handshake ends in "no cipher suites in common".
ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ksKeys, passphrase);
KeyStore ksTrust = KeyStore.getInstance("JKS");
ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ksTrust);   // was ksKeys; the trust store is the one holding the client CA
sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(false);
// EAP-TLS requires a client certificate, so client auth must be "need", not "want".
// A later setWantClientAuth(true) would reset needClientAuth to false.
sslEngine.setNeedClientAuth(true);
sslEngine.setEnableSessionCreation(true);
appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
appBuffer.clear();
netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
netBuffer.clear();
All I want to do with TLS is a handshake.
I'm not talking SSL over sockets; instead I receive and send all TLS data encapsulated in EAP packets that are encapsulated in RADIUS packets. I start off by sending TLS-Start, after which I receive TLS data. I handle it with the following code:
SSLEngineResult result = null;
SSLEngineResult.HandshakeStatus hsStatus = null;
if (internalState != EAPTLSState.Handshaking) {
    if (internalState == EAPTLSState.None) {
        // The first EAP-Response carries the peer identity, not TLS data: record
        // it and let the send path emit TLS-Start; do not feed it to the engine.
        TLSPacket tlsPacket = new TLSPacket(packet.getData());
        peerIdentity = tlsPacket.getData();
        internalState = EAPTLSState.Starting;
        try {
            sslEngine.beginHandshake();
        } catch (SSLException e) {
            e.printStackTrace();
        }
        return;
    } else if (internalState == EAPTLSState.Starting) {
        internalState = EAPTLSState.Handshaking;   // reply to TLS-Start: the ClientHello
    }
}
TLSPacket tlsPacket = new TLSPacket(packet.getData());
// Inbound data gets its own buffer; netBuffer holds only outbound records, so an
// outbound fragment still waiting to be sent is never mistaken for input.
ByteBuffer inBuffer = ByteBuffer.wrap(tlsPacket.getData());
while (true) {
    hsStatus = sslEngine.getHandshakeStatus();
    if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
        // Run delegated tasks in this thread. Starting them on new threads and
        // looping at once busy-waits on NEED_TASK and races the handshaker (the
        // trace below shows Thread-2 and Thread-5 both driving the engine).
        Runnable task;
        while ((task = sslEngine.getDelegatedTask()) != null) {
            task.run();
        }
    } else if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
        try {
            result = sslEngine.unwrap(inBuffer, appBuffer);
        } catch (SSLException e) {
            e.printStackTrace();
            return;
        }
        if (result.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW) {
            // A TLS record split across EAP fragments: reassemble the fragments
            // (RFC 5216 section 3.1) before handing the record to unwrap().
            return;
        }
    } else {
        return;   // NEED_WRAP / FINISHED: the send path takes over
    }
}
When I try to send data I use the following code:
SSLEngineResult.HandshakeStatus hsStatus = null;
SSLEngineResult result = null;
// netBuffer stays in write mode between calls. Whatever an earlier wrap() produced
// beyond one EAP fragment is still in it and must go out before new records are made;
// clearing it here would drop every fragment after the first.
if (netBuffer.position() == 0) {
    while (true) {
        hsStatus = sslEngine.getHandshakeStatus();
        if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
            Runnable task;
            while ((task = sslEngine.getDelegatedTask()) != null) {
                task.run();   // synchronous, as in the receive path
            }
        } else if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
            try {
                result = sslEngine.wrap(dummyBuffer, netBuffer);
            } catch (SSLException e) {
                e.printStackTrace();
                return null;
            }
            if (result.getStatus() != SSLEngineResult.Status.OK) {
                break;   // BUFFER_OVERFLOW: send what fits, wrap the rest on the next call
            }
        } else {
            break;   // whole flight produced, or nothing to send yet
        }
    }
}
netBuffer.flip();
int pending = netBuffer.remaining();
if (pending == 0) {
    netBuffer.clear();
    return null;
}
int size = Math.min(pending, this.MTU);
byte[] tlsData = new byte[size];
netBuffer.get(tlsData, 0, size);
netBuffer.compact();   // keep the remainder for the next fragment
TLSPacket tlsPacket = new TLSPacket((byte) 0, tlsData);
if (size < pending) {
    // RFC 5216 section 3.1: the first fragment of a fragmented message also needs
    // the L bit and the total TLS message length so the peer can bound reassembly.
    tlsPacket.setFlag(TLSFlag.MoreFragments);
}
return new EAPTLSRequestPacket(ID, (short) (tlsPacket.getData().length + 6),
        stateMachine.getCurrentMethod(), tlsPacket);
After I sent TLS-Start I receive data and manage to process it, but when then trying to produce TLS data I get the following error:
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
Any help would be most gratefully received; if you have any questions or anything is unclear, please let me know.
To add some additional information, here is a debug output.
Before this I have sent a TLS-Start packet, and this is when I receive new information and then try to create the answer.
[Raw read]: length = 5
0000: 16 03 01 00 41 ....A
[Raw read]: length = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-2, READ: TLSv1 Handshake, length = 65
*** ClientHello, TLSv1
RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 41, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198, 50, 201 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods: { 0 }
[read] MD5 and SHA1 hashes: len = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-5, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
Thread-5, WRITE: TLSv1 Alert, length = 2
Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:153)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
... 1 more
I am developing a simple client/server SSL app using SDK 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?
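A server flight in EAP-TLS (ServerHello, Certificate, CertificateRequest, ServerHelloDone) is usually larger than one EAP packet, so an EAP-TLS method has to fragment what wrap() produces and the peer has to reassemble it before the bytes reach the TLS engine; the MTU and MoreFragments handling in the thread is that problem. The Python below is an added example, not code from the post, of the RFC 5216 section 3.1 framing: every fragment but the last carries the M bit, the first carries the L bit and the total TLS message length, each fragment is a separate EAP round trip acknowledged by an empty EAP-TLS response, and the receiver enforces the declared length plus a hard upper bound before it buffers anything, which is the check that stops a peer from growing the reassembly buffer without limit. The TLS bytes, the MTU and the bound are constructed values.

```python
"""EAP-TLS fragmentation and bounded reassembly (RFC 5216 section 3.1).

Added example, not code from the thread. The TLS payload, MTU and reassembly bound
used here are constructed; the packet layout is the RFC's.
"""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_TLS = 1, 2, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20      # length included, more fragments, start
MAX_TLS_MESSAGE = 64 * 1024                    # reassembly bound (assumption; size your own)

def build_eap_tls(code, ident, flags, payload, total_len=None):
    """Code | Identifier | Length | Type 13 | Flags | [TLS Message Length] | TLS data."""
    body = bytes([EAP_TYPE_TLS, flags])
    if flags & FLAG_L:
        body += struct.pack("!I", total_len)
    return struct.pack("!BBH", code, ident, 4 + len(body) + len(payload)) + body + payload

def fragment(tls_bytes, mtu, code=EAP_REQUEST, first_id=1):
    """Split one TLS flight into EAP-TLS packets of at most mtu bytes each.
    Every fragment is its own EAP round trip; the peer acks with an empty EAP-TLS packet."""
    first_room, room = mtu - 10, mtu - 6       # 6 bytes of header, plus 4 for the length field
    if first_room <= 0:
        raise ValueError("MTU too small for an EAP-TLS fragment")
    if len(tls_bytes) <= room:
        return [build_eap_tls(code, first_id, 0, tls_bytes)]     # fits: no L, no M
    packets, off, ident = [], 0, first_id
    while off < len(tls_bytes):
        chunk = tls_bytes[off:off + (first_room if off == 0 else room)]
        off += len(chunk)
        flags = FLAG_M if off < len(tls_bytes) else 0
        if not packets:
            packets.append(build_eap_tls(code, ident, flags | FLAG_L, chunk, len(tls_bytes)))
        else:
            packets.append(build_eap_tls(code, ident, flags, chunk))
        ident = (ident + 1) & 0xFF
    return packets

class Reassembler:
    """Collects one fragmented TLS message; feed() returns it when complete, else None."""

    def __init__(self, max_len=MAX_TLS_MESSAGE):
        self.max_len, self.expected, self.buf = max_len, None, bytearray()

    def feed(self, pkt):
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if length != len(pkt) or length < 6 or pkt[4] != EAP_TYPE_TLS:
            raise ValueError("malformed EAP-TLS packet")
        flags, off = pkt[5], 6
        if flags & FLAG_L:
            if length < 10:
                raise ValueError("L bit set but no length field")
            if self.buf:
                raise ValueError("length field on a non-initial fragment")
            declared = struct.unpack("!I", pkt[6:10])[0]
            if declared > self.max_len:       # refuse before allocating anything
                raise ValueError("declared TLS length %d exceeds bound %d" % (declared, self.max_len))
            self.expected, off = declared, 10
        data = pkt[off:]
        if self.expected is None:
            if flags & FLAG_M:
                raise ValueError("fragmented message without initial length")
            return bytes(data)                # unfragmented message (empty data = an ack)
        if len(self.buf) + len(data) > self.expected:
            raise ValueError("fragments exceed declared length")
        self.buf += data
        if flags & FLAG_M:
            return None
        if len(self.buf) != self.expected:
            raise ValueError("last fragment but only %d of %d bytes" % (len(self.buf), self.expected))
        message, self.buf, self.expected = bytes(self.buf), bytearray(), None
        return message
```

With a 2560-byte constructed flight and an MTU of 1020 the sender emits three packets (L+M, M, none), and a Reassembler returns the original bytes only after the third; the same Reassembler built with a smaller bound rejects the first fragment on its declared length alone, and one that sees the first and last fragments but not the middle one rejects the truncated message instead of handing short data to the TLS engine.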
-
IPhone and EAP-TLS with ACS & 5508
I have a large customer that is moving into a new building and adding some
new wireless.
They are using a 5508 with 1142's and an ACS server.
They will have the following SSID's
SSID01 -> WPA-EAP-TLS
SSID02 -> WPA2-EAP-TLS (future use)
SSID03 -> Guest Access (internet access only)
They currently use this design across the enterprise which has worked well.
The problem is to get certificates pushed down to the client for the EAP-TLS
they always connect the machine once by wire and log on to the domain so a
GPO pushes the cert to the machine.
This creates a problem that I don't know how to solve as they want to use
iPhones on the new deployment.
Does anyone have any ideas on how to get a cert down to the iPhones for use
with the SSID's?
Thanks in advance for any assistance.
I don't think we can push certs from Windows Server to iPhones. Probably set up a web page, say accessible from a different SSID, from which clients can download and install the cert?
-
WLC 5508 and Microsoft Radius Server 2008
Hi, I am trying to set up a WLC 5508 for a customer who wants to use MS NPS for RADIUS authentication; however, there aren't many good documents showing how to configure MS NPS.
I have couple of questions:
1, Does WLC 5508 support MS NPS on Server 2008 R2?
2, Are there any good document showing how to configure this?
Thanks
Hadisharifi,
There is no single document that we can pick for configuring WLC and NPS. However, you may visit the below listed document for NPS and WLC side configuration:
Configure the WLC for RADIUS Authentication through an External RADIUS Server
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c2
For the NPS side configuration, you may consider the attached document.
Regds,
JK
Do rate helpful posts
-
ISE 1.2 - WLC 5508 - NAS sends RADIUS accounting update messages too frequently
I'm getting this error in ISE referring to my Cisco 5508 WLC. I'm not sure how to turn down the frequency. Any ideas?
NAS sends RADIUS accounting update messages too frequently
Verify NAS configuration. Verify known NAS issues.
I opened up a TAC case with Cisco yesterday and this is the response I got from them:
There is a bug on the WLC side to reduce the number of acct updates:
CSCug14713- WLC sends acct-update twice in the same millisecond
This is fixed in 8.x on the WLC.
So, it looks as though we just have to deal with it until they release an 8.x version for the WLC. In the meantime, you can disable the alerts in ISE.
Administration>Settings>Alarm Settings>Misconfigured Network Device Detected
Edit that alarm and set it to disabled -
Win 2008 R2 radius integration with WLC 5508
Require help integrating a Win 2008 R2 RADIUS server with WLC 5508.
Step by Step instructions - NPS & Wireless LAN Controller
PEAP Authentication - http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html
EAP-TLS
https://kb.meraki.com/knowledge_base/radius-creating-a-policy-in-nps-to-support-eap-tls-authentication
hope that helps, Please let me know if you have any other questions in regards to setting up your NPS server
Please rate that post if it answers your question or helps you to resolve the problem. -
Cannot ping IAS RADIUS from WLC 2504
I'm having some weird issues where I cannot ping from the WLC to the IAS RADIUS server. All of my clients cannot connect, but from the switch, router, RADIUS server, and hard wired clients, I can ping to the WLC and RADIUS server. The only thing that cannot ping the RADIUS server is the WLC itself. Nothing in the FW is blocking connectivity. Any ideas?
(Cisco Controller) >show radius summ
Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Disabled
Keywrap.......................................... Disabled
Fallback Test:
Test Mode.................................... Off
Probe User Name.............................. cisco-probe
Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ none
MAC Delimiter for Accounting Messages............ hyphen
Authentication Servers
Idx Type Server Address Port State Tout RFC3576 IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
1 NM 10.10.50.63 1645 Enabled 5 Enabled Disabled - none/unknown/group-0/0 none/none
2 NM 10.10.50.130 1645 Enabled 5 Enabled Disabled - none/unknown/group-0/0 none/none
Accounting Servers
Idx Type Server Address Port State Tout RFC3576 IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
1 N 10.10.50.63 1646 Enabled 5 N/A Disabled - none/unknown/group-0/0 none/none
2 N 10.10.50.130 1646 Enabled 5 N/A Disabled - none/unknown/group-0/0 none/none
It's in the ARP cache through the default router
(Cisco Controller) >show interface detailed management
Interface Name................................... management
MAC Address...................................... d0:c2:82:df:5b:c0
IP Address....................................... 10.30.72.250
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.30.72.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. untagged
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 10.10.10.65
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Disabled
(Cisco Controller) >show arp switch
Number of arp entries................................ 19
MAC Address IP Address Port VLAN Type
50:57:A8:D6:DE:C0 10.10.19.1 1 5 Host
50:57:A8:D6:DE:C0 10.10.20.138 1 5 Host
50:57:A8:D6:DE:C0 10.10.50.63 1 5 Host
64:00:F1:08:A0:D0 10.30.72.1 1 0 Host
50:57:A8:9E:B5:CD 10.30.72.40 1 0 Host
50:57:A8:A1:7B:C5 10.30.72.44 1 0 Host
50:57:A8:9E:99:78 10.30.72.48 1 0 Host
50:57:A8:3B:66:E3 10.30.72.49 1 0 Host
00:07:7D:43:23:DA 10.30.72.58 1 0 Host
50:57:A8:9E:B6:1D 10.30.72.59 1 0 Host
50:57:A8:9E:95:C5 10.30.72.60 1 0 Host
50:57:A8:A1:7C:0D 10.30.72.61 1 0 Host
00:07:7D:65:36:DD 10.30.72.62 1 0 Host
50:57:A8:44:57:0C 10.30.72.63 1 0 Host
50:57:A8:CA:CC:01 10.30.72.64 1 0 Host -
EAP-TLS not working on WinXP client, but does work on W2k?
Hi
So I've got EAP-TLS set up using a W2K IAS server as RADIUS, a W2K certificate server and Cisco 1100 APs. I've got computer certs on four notebooks, of which 2 are W2K and the other two are XP. On the W2K PCs I am able to pop in my wireless 350 card and get an IP before logging in (as seen via the DHCP server), and then once logged in, the user cert is used to further authenticate and remain connected to the network (as seen via the IAS logs). Yet when I try to pop in my wireless card on the XP PCs, I get no IP address and nothing ever shows up in the IAS logs... the 1100 AP says that it's associated but nothing more. Does anyone have any ideas? Thanks
Jason
Jason,
Can you authenticate from the XP clients using LEAP or something other than EAP-TLS?
If not, I would look at upgrading the 350 card drivers on the XP machines to the latest.
I have had problems before using the CardBus PCMCIA adapters on XP; when I installed the latest drivers it worked.
Let me know how you get on.
Rgds,
Paddy -
EAP-TLS Questions....
Hi all,
My setup is like this..
Laptop - LWAPP - WLC - ACS - AD
I'm using a CA to generate certificates. I have configured EAP-TLS on the WLC & ACS SE. Everything is working fine, i.e. when I issue a certificate from the CA on my AD login name & install that certificate I'm able to connect to the WLAN. For security on the WLC I have enabled WPA & 802.1x...
What I want is that when I boot up the laptop it should directly get connected to the wireless network, & when I try to log in using my user name & password it should prompt me if my password is expired or something & get connected to AD. But this is not happening, which used to happen when we were using PEAP, as it asks for username & password to connect, but not in the case of EAP-TLS, which only checks for valid certificates....
Thanks in advance..
regards,
piyush
Hi Fella,
I had one more issue, i.e. I want to perform machine authentication as the laptops boot up, along with user authentication when the users log in.
I had set the AuthMode value to 1 for it. But how should I check on my ACS SE whether the machine is authenticated or not, & is it possible that during login using username & password the WLAN gets connected as it does for the Ethernet LAN?
Thanks for your reply..
Piyush -
Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS
Has anyone experienced a problem getting a Cisco WLC to work with an MS NPS server? We've done it before, albeit with different code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
Any ideas of what might be the issue or misconfiguration?
Jim,
I wanted to know if you can set up Wireshark on both of the boxes and see if you are hitting the following bug:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
It looks as if the WLC is retransmitting the client traffic from one RADIUS session with the primary over to the secondary, in which case the RADIUS State attribute that was assigned by the primary server is probably hitting the secondary server. Therefore, if the State attribute wasn't assigned by the secondary server, it will discard the packet.
May need to open a TAC case to see if this issue is on the 550x controllers also.
Thanks,
Tarik -
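The failover behaviour Tarik describes in the previous thread, modelled as an added example (not code from the page or from Cisco/Microsoft): two toy RADIUS/EAP servers each keep only the State tokens they issued, and a NAS that retransmits a half-finished EAP conversation to the other server, State attached, gets its request discarded, while a NAS that restarts the conversation on the new server (no State) completes. The servers, the `host/example` user name and the three-round conversation are constructed for illustration; shared-secret and Message-Authenticator checks are left out.

```python
import os

class RadiusServer:
    """Toy model of one RADIUS/EAP server's handling of the State attribute
    (RFC 2865 s.5.24): a State it did not issue belongs to an unknown conversation."""
    def __init__(self, name, rounds_to_accept=3):
        self.name = name
        self.rounds_to_accept = rounds_to_accept
        self.sessions = {}          # State token -> number of rounds completed

    def handle(self, request):
        """Return a reply dict, or None when the request is silently discarded."""
        state = request.get("State")
        if state is None:           # no State: a brand-new EAP conversation
            token = os.urandom(8).hex()
            self.sessions[token] = 1
            return {"code": "Access-Challenge", "State": token, "from": self.name}
        if state not in self.sessions:
            return None             # minted by another server: discard, as the NPS logs show
        self.sessions[state] += 1
        code = "Access-Accept" if self.sessions[state] >= self.rounds_to_accept else "Access-Challenge"
        return {"code": code, "State": state, "from": self.name}

def run_conversation(servers, failover_round=None, restart_on_failover=False):
    """Drive one EAP conversation through a NAS. At `failover_round` the NAS switches
    to servers[1]; if restart_on_failover it drops the State and begins afresh.
    Returns (outcome, trace) where trace lists (round, server name, reply code)."""
    server, request, trace = servers[0], {"User-Name": "host/example"}, []
    for rnd in range(1, 6):
        if rnd == failover_round:
            server = servers[1]
            if restart_on_failover:
                request.pop("State", None)
        reply = server.handle(request)
        trace.append((rnd, server.name, None if reply is None else reply["code"]))
        if reply is None:
            return "discarded", trace
        if reply["code"] == "Access-Accept":
            return "accept", trace
        request["State"] = reply["State"]   # RFC 2865: the NAS echoes State unmodified
    return "incomplete", trace
```

Running `run_conversation([RadiusServer("p"), RadiusServer("s")], failover_round=2)` reproduces the discard; the same call with `restart_on_failover=True` reaches Access-Accept on the secondary one round later.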
ISE 1.2 / WLC 5508 EAP-TLS expired certificate error, but wireless still working
Hi, I have a customer that we've deployed ISE 1.2 and WLC 5508s at. The customer is using EAP-TLS and everything appears to be set up properly. Users are able to log in to the network and authenticate; however, I'm frequently getting the following error in the ISE authentication logs:
12516 EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain
OpenSSL messages are:
SSL alert: code=0x22D=557 ; source=local ; type=fatal ; message="X509 certificate expired"
4727850450.3616:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720
I'm not sure if this is cosmetic or if this is something that I should be tracking down. The system isn't in full production yet, but every client seems to be working and there is no expired cert in the chain. Any ideas what to check?
-
WLC 5508 - EAP-TLS - Windows 8.1 Third Party PKI
Hello,
Does anybody know what could prevent a Windows 8/8.1 system from connecting to a WLC via EAP-TLS? Windows 7/XP do not have any problems here. The RADIUS server accepts the request, but Windows 8 still tries to authenticate.
Software is updated to 7.6.120.0. I tried to set up timeout values, but no success at all.
Did anyone have similar problems with Windows 8/8.1?
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Starting key exchange to mobile 0c:8b:fd:eb:16:17, data packets will be dropped
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Reusing allocated memory for EAP Pkt for retransmission to mobile 0c:8b:fd:eb:16:17
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Entering Backend Auth Success state (id=6) for mobile 0c:8b:fd:eb:16:17
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Received Auth Success while in Authenticating state for mobile 0c:8b:fd:eb:16:17
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 dot1x - moving mobile 0c:8b:fd:eb:16:17 into Authenticated state
*osapiBsnTimer: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
*dot1xMsgTask: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
*dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
*dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17 mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
*dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17 dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
*dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
*osapiBsnTimer: Jun 24 12:43:16.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
*dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
*dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
*dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
*dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
*dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
*osapiBsnTimer: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
*dot1xMsgTask: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 Retransmit failure for EAPOL-Key M1 to mobile 0c:8b:fd:eb:16:17, retransmit count 3, mscb deauth count 0
Any hint would be great.... Thank you...
Hello Dino,
thanks very much for your reply.
The client uses a machine certificate; the PKI is not a Microsoft one, but a third-party PKI. The certificate is fresh and valid, the root cert is installed and checked to be validated against it for the login.
The clock is correct too. The same setup works flawlessly in Windows 7 and XP.
EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
I suspect the cert setup itself, but don't get a clue where this might be stuck...
Björn
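The pattern in Björn's debug output above (802.1X reaches "Authenticated state", then EAPOL-Key M1 is retransmitted three times and abandoned because the client never sends M2) is the same symptom that opens this page: Access-Accept from the RADIUS server, yet the client never gets on the network. Here is an added example, not code from the page or from Cisco, that runs over `debug dot1x` style lines and flags per client MAC whether the server side succeeded but the 4-way handshake stalled; the log sample is constructed from the messages quoted above plus one client that completes normally.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "debug dot1x" lines quoted in the thread above:
# one client that never answers EAPOL-Key M1, one that completes normally.
SAMPLE_LOG = """\
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Entering Backend Auth Success state (id=6) for mobile 0c:8b:fd:eb:16:17
*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 dot1x - moving mobile 0c:8b:fd:eb:16:17 into Authenticated state
*osapiBsnTimer: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
*dot1xMsgTask: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
*dot1xMsgTask: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 Retransmit failure for EAPOL-Key M1 to mobile 0c:8b:fd:eb:16:17, retransmit count 3, mscb deauth count 0
*Dot1x_NW_MsgTask_2: Jun 24 12:44:01.100: aa:bb:cc:dd:ee:01 dot1x - moving mobile aa:bb:cc:dd:ee:01 into Authenticated state
"""

LINE_RE = re.compile(r"^\*\S+: (\w{3} +\d+ [\d:.]+): ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) (.*)$")
RETRY_RE = re.compile(r"Retransmit (\d+) of EAPOL-Key M1")
FAIL_RE = re.compile(r"Retransmit failure for EAPOL-Key M1 .*retransmit count (\d+)")

def analyze(log_text):
    """Per client MAC: did RADIUS accept but the WPA2 4-way handshake stall (M1 sent, M2 never received)?"""
    seen = defaultdict(lambda: {"authenticated": False, "m1_failed": False, "m1_retransmits": 0, "last_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a per-client debug line
        ts, mac, msg = m.groups()
        s = seen[mac]
        s["last_seen"] = ts
        if "into Authenticated state" in msg:
            s["authenticated"] = True     # Access-Accept processed; a PMK should now exist on both sides
        r = RETRY_RE.search(msg)
        if r:
            s["m1_retransmits"] = max(s["m1_retransmits"], int(r.group(1)))
        f = FAIL_RE.search(msg)
        if f:
            s["m1_failed"] = True         # WLC gave up waiting for M2
            s["m1_retransmits"] = max(s["m1_retransmits"], int(f.group(1)))
    report = {}
    for mac, s in seen.items():
        if s["authenticated"] and s["m1_failed"]:
            status = "accept_but_4way_failed"   # server side is fine; look at the supplicant
        elif s["authenticated"]:
            status = "authenticated"
        else:
            status = "incomplete"
        report[mac] = {"status": status, "m1_retransmits": s["m1_retransmits"], "last_seen": s["last_seen"]}
    return report

def failed_clients(log_text):
    return sorted(m for m, r in analyze(log_text).items() if r["status"] == "accept_but_4way_failed")
```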