EAP-TLS or PEAP authentication failed during SSL handshake error

I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
Thanks for the help

My experience suggests that the problem is the certificate.
I'm running ACS 3.3.
I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
Correctly following the instructions led to a successful connection and no more error message.

Similar Messages

  • EAP-TLS or PEAP authentication failed during SSL handshake

    Hi Pros,
                   I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
    When I check my log in the failed attemps, there is what I found:
    Date
    Time
    Message-Type
    User-Name
    Group-Name
    Caller-ID
    Network Access Profile Name
    Authen-Failure-Code
    Author-Failure-Code
    Author-Data
    NAS-Port
    NAS-IP-Address
    Filter Information
    PEAP/EAP-FAST-Clear-Name
    EAP Type
    EAP Type Name
    Reason
    Access Device
    Network Device Group
    06/23/2010
    17:39:51
    Authen failed
    000e.9b6e.e834
    Default Group
    000e.9b6e.e834
    (Default)
    EAP-TLS or PEAP authentication failed during SSL handshake
    1101
    10.111.22.24
    25
    MS-PEAP
    wbr-1121-zozo-test
    Office Networ
    06/23/2010
    17:39:50
    Authen failed
    [email protected]
    Default Group
    000e.9b6e.e834
    (Default)
    EAP-TLS or PEAP authentication failed during SSL handshake
    1098
    10.111.22.24
    25
    MS-PEAP
    wbr-1121-zozo-test
    Office Network
    [email protected] = my windows active directory name
    1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
    2. Why sometimes it just shows the MAC of the client for username?
    3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
    2. Secondly, When I check in pass authentications... there is what i saw
    Date
    Time
    Message-Type
    User-Name
    Group-Name
    Caller-ID
    NAS-Port
    NAS-IP-Address
    Network Access Profile Name
    Shared RAC
    Downloadable ACL
    System-Posture-Token
    Application-Posture-Token
    Reason
    EAP Type
    EAP Type Name
    PEAP/EAP-FAST-Clear-Name
    Access Device
    Network Device Group
    06/23/2010
    17:30:49
    Authen OK
    groszozo
    NOC Tier 2
    10.11.10.105
    1
    10.111.22.24
    (Default)
    wbr-1121-zozo-test
    Office Network
    06/23/2010
    17:29:27
    Authen OK
    groszozo
    NOC Tier 2
    10.11.10.105
    1
    10.111.22.24
    (Default)
    wbr-1121-zozo-test
    Office Network
    In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
    Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
    Thanks in advance for your help,
    Crazy---

    Any ideas on this guys?? In my end, i've been reading some docs... Things started to make sens to me, but I still cannot authenticate, still the same errors. One more thing that catch my  attention now is the time it takes to open a telnet session to cisco device which has the ACS for auth server.
    My AD(Active Direct) and the ACS server are local same subnet(server subnet). Ping to the ACS from my desktop which is in different subnet is only take 1ms. To confirm that the issue is the ACS server, I decided to use another server in remote location, the telnet connection is way faster than the local ACS.
    Let's brain storm together to figure out this guys.
    Thanks in advance,
    ----Paul

  • EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve

    We are running the LWAPP (2006 wlc's and 1242 AP's) and using the ACS 4.0 for authentication. Our users are
    experiencing an issue, where they are successfully authenticated the first time, however as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not being able to authenticate again.
    We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error msg is relevant since we have other WLC's that are working OK and still generating the same error msg on the ACS...
    Thanks..

    Here are some configs you can try:
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    save config

  • EAP-TLS & ACE Appliance "EAP-TLS or PEAP authentication failed"

    Hello - I have a version 3.2 of the ACS appliance and I am trying to set up a successful test of EAP-TLS. I have a W2K server for a CA and I believe I have the certificate install properly. However, I get the "EAP-TLS or PEAP authentication failed during SSL handshake" error message in my failed attempts log. The troubleshooting document tells me to look at the CSAuth.log file but I can't seem to find in on the ACS Appliance.
    Does anyone have any ideas how to troubleshoot this problem with the appliance?

    If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.
    AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:
    SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)If the ACS rejects the client's certificate because the certificate has expired, the expected error message in the CSAuth.log file is similar to the following.
    AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse:
    SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

  • EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake

    Hi All ,
                 I am trying to test EAP_TLS authentication on acs 4.2.1.15 running on Appliance 1120 , I have installed my server certficate along with CA certficate on my appliance box , I have enabled features of  EAP_TLS under golbal authentication setup .
                 I have downloaded client supplicant certficate file for my windows XP machine .
    When i tried to authenticated i am finding following error message under  failed attempts(EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my acs appliance box .
    Under certficate revocation list , I have forced my CA as CRL in use . Attached snap shot of all .
    Suggest me whether i need to enable all corresponding CA certficate undercertficate trust list , Kindly let me know were i am doing wrong on this ..

    Hello,
    I am NO expert on certificates but I have seen your error dozens of times from wireless clients on my Cisco ACS 4.2 Radius server.
    Through trial and error I wrote up this procedure for our Helpdesk for installing certs in Windows XP and Windows 7. These steps haven't failed me yet and the Helpdesk doesn't bother me as much anymore so see if this helps you:
    -          Manually install the Global CA under BOTH Trusted Root Certification Authorities\Certificates AND Intermediate Certification                      Authorities\Certificates
    -          Manually install the Intermediate CA under JUST the Intermediate Certification Authorities\Certificates
    -          Delete the wireless network from the computer
    -          REBOOT!!
    -          Open the Microsoft Management Console, “mmc”.
    -          Go FILE\Add Remove SnapIn. Select Certificates ..
    -          If promoted, do it for “My User Account”.
    -          Make sure the certificates are where you put them. 
    -          If you see any of these exact certificates out of place in either Trusted Root Certification Authorities\Certificates or Intermediate Certification                      Authorities\Certificates, remove them.
    -          Redo wireless network setup again
    I hope this helps you.
    Mike

  • EAP TLS authentication failed during SSL handshake

    We see this message, trying to set up EAP TLS. Anyone come across this ?

    I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
    The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
    Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
    Hope this helps.

  • EAP-TLS PEAP FAIL DURING SSH HANDSHAKE

    Hi Pros,
                   I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
    When I check my log in the failed attemps, there is what I found:
    Date
    Time
    Message-Type
    User-Name
    Group-Name
    Caller-ID
    Network Access Profile Name
    Authen-Failure-Code
    Author-Failure-Code
    Author-Data
    NAS-Port
    NAS-IP-Address
    Filter Information
    PEAP/EAP-FAST-Clear-Name
    EAP Type
    EAP Type Name
    Reason
    Access Device
    Network Device Group
    06/23/2010
    17:39:51
    Authen failed
    000e.9b6e.e834
    Default Group
    000e.9b6e.e834
    (Default)
    EAP-TLS or PEAP authentication failed during SSL handshake
    1101
    10.111.22.24
    25
    MS-PEAP
    wbr-1121-zozo-test
    Office Networ
    06/23/2010
    17:39:50
    Authen failed
    [email protected]
    Default Group
    000e.9b6e.e834
    (Default)
    EAP-TLS or PEAP authentication failed during SSL handshake
    1098
    10.111.22.24
    25
    MS-PEAP
    wbr-1121-zozo-test
    Office Network
    [email protected]
    = my windows active directory name
    1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
    2. Why sometimes it just shows the MAC of the client for username?
    3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
    2. Secondly, When I check in pass authentications... there is what i saw
    Date
    Time
    Message-Type
    User-Name
    Group-Name
    Caller-ID
    NAS-Port
    NAS-IP-Address
    Network Access Profile Name
    Shared RAC
    Downloadable ACL
    System-Posture-Token
    Application-Posture-Token
    Reason
    EAP Type
    EAP Type Name
    PEAP/EAP-FAST-Clear-Name
    Access Device
    Network Device Group
    06/23/2010
    17:30:49
    Authen OK
    groszozo
    NOC Tier 2
    10.11.10.105
    1
    10.111.22.24
    (Default)
    wbr-1121-zozo-test
    Office Network
    06/23/2010
    17:29:27
    Authen OK
    groszozo
    NOC Tier 2
    10.11.10.105
    1
    10.111.22.24
    (Default)
    wbr-1121-zozo-test
    Office Network
    In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
    Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
    Thanks in advance for your help,
    Crazy---

    I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
    The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
    Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
    Hope this helps.

  • Error during SSL handshake

    Hi,
    I am getting the "Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" error during SSL handshake.
    I am implementing SSL authentication in custom JCA adapter. I have the keypairs in the DEFAULT view in keystorage and the public key of server in services_ssl view. I am able to access the certificated by doing a looklup. Below is the implementation
    KeystoreManager manager = (KeystoreManager)ctx.lookup("keystore");
    trustKeyStore = manager.getKeystore("service_ssl");
    keyStore = manager.getKeystore("DEFAULT);
    KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(
    KeyManagerFactory.getDefaultAlgorithm());
    kmfactory.init(keyStore, null);
    KeyManager[] kmanager= kmfactory.getKeyManagers();
    TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(
    TrustManagerFactory.getDefaultAlgorithm());
    tmfactory.init(trustKeyStore);
    TrustManager[] trustmanagers = tmfactory.getTrustManagers();
    SSLContext sslcontext = SSLContext.getInstance("SSL");
    sslcontext.init(keymanagers, trustManagers, null);
    I am able to get the contents of DEFAULT view and services_ssl view. When i try to connect to the server using httpClient.executeMethod() i am getting the below.
    Is this the correct way to initialize the SSL context? Any info on this will be really helpful.
    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1584)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
         at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:877)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:618)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
         at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:502)
         at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1973)
         at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
         at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:395)
         at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
         ... 10 more
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
         at sun.security.validator.Validator.validate(Validator.java:203)
         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
         at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
         ... 27 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
         at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
    Thanks

    You need to re-add the host using the mkhost command, that will rewrite the wallet for you.
    Thanks
    Rich

  • Weblogic server 10.3.5 error during SSL handshake

    Please some one help to figure the issue with following logs.
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 33092690>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 33095418>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <33092490 SSL Version data invalid>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <Connection to SSL port from Sa-PC - 150.1.104.124 appears to be either unknown SSL version or maybe is plaintext>
    <16-Jan-2013 18:40:40 o'clock GMT> <Warning> <Security> <BEA-090476> <Invalid/unknown SSL header was received from peer Sa-PC - 150.1.104.124 during SSL handshake.>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 70
    java.lang.Exception: New alert stack
         at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
         at com.certicom.tls.record.ReadHandler.getProtocolVersion(Unknown Source)
         at com.certicom.tls.record.ReadHandler.checkVersion(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
         at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
         at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    >
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 33092490>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 33092490>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 33092690>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <33095215 SSL Version data invalid>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <Connection to SSL port from Sa-PC - 150.1.104.124 appears to be either unknown SSL version or maybe is plaintext>
    <16-Jan-2013 18:40:40 o'clock GMT> <Warning> <Security> <BEA-090476> <Invalid/unknown SSL header was received from peer Sa-PC - 150.1.104.124 during SSL handshake.>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 70
    java.lang.Exception: New alert stack
         at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
         at com.certicom.tls.record.ReadHandler.getProtocolVersion(Unknown Source)
         at com.certicom.tls.record.ReadHandler.checkVersion(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
         at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
         at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
         at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    >
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 33095215>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 33095215>
    <16-Jan-2013 18:40:40 o'clock GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 33095418>
    I just created domain with http and https ports. I installed an web app. When I am trying to access the app from browser through https the above error is occurring.
    Please somebody help me.
    Thanks in advance.
    SK

    This message indicates that the SSL connection is closed successfully. It is a warning message and normal to see in the logs when you enable the SSL debug flags. This is an expected behavior. If you see alerts when SSL debug is NOT ENABLED then it is a real alert and we need to take care of those issues. Also, it is not a real alert, it is a caught and handled exception from the certicom code which is not harmful and should be ignored, just because you have enabled the SSL debug flag. Once you turn it off, you won't see it in the logs.
    Edited by: sharmela on Jan 22, 2013 4:55 AM

  • How to Uninstall SQL instance on active-passive SQL server , which failed during Cluster Setup (Error-Failed at Validate Active Directory Configuration)

    How to Uninstall SQL instance on active-passive SQL server , which failed during Cluster Setup (Error-Failed at Validate Active Directory Configuration)
    active-passive SQL server cluster setup failed due to some steps missed in initial cluster setup,
    now i have unistall sql instance from nodes,
    Your help will higly appriciated.
    Regards,
    Anish
    Asandeen

    Hello,
    Please refer to the following link about remove a node of  SQL Server Failover Cluster Instance:
    http://msdn.microsoft.com/en-us/library/ms191545.aspx#Remove
    Regards,
    Fanny Liu
    Fanny Liu
    TechNet Community Support

  • SSL Handshake Error in Android (ADF Mobile)

    Hi Guys,
    Now I am tried to using "https" Web service with my application, but seems show SSL handshake error specially in Android only, iOS is totally working.
    Log from Android is
    09-27 18:09:03.252: I/System.out(30444): [SEVERE - oracle.adfmf.framework - adf.mf.internal - logError] Request:  {classname: oracle.adfmf.framework.api.Model; method: processBatchRequests; params: [0: false][1: [0: {classname: oracle.adfmf.framework.api.Model; method: evaluateMethodExpression; params: [0: #{bindings.AgentAuthenCDKey.execute}][1: [0: {.type: oracle.adfmf.amx.event.ActionEvent; }]][2: void][3: [0: oracle.adfmf.amx.event.ActionEvent]]; }]]; } exception:  {message: SSL handshake failure; errorCode: 409; .type: oracle.adfmf.framework.exception.AdfInvocationRuntimeException; .exception: true; severity: ERROR; errorCategory: WEBSERVICE; }
    How to solved this one ?
    ** If my android didn't connect to internet, it still show "SSL handshake error" too, that so weird !

    Hi,
    Sorry to bump this, but I have the exact same problem. "SSL Handshake Error" when calling SSL enabled web services - works fine on iOS, but not on Android, which implies to me a problem with the framework rather than my certificate?
    : D/CVM(985): [SEVERE - oracle.adfmf.framework - Utility - invoke] InvocationTargetException Error: ERROR [oracle.adfmf.framework.exception.AdfInvocationRuntimeException] - SSL handshake failure
    I'm on JDeveloper 11.1.2.4, ADF Mobile Framework 11.1.2.4.39.64.51.
    Are there any known issues with ADF Mobile/SSL on Android?
    Any help is much appreciated.
    Rich.

  • ISE 1.2 EAP-TLS and AD authentication

    Hi,
    I am sure I have had this working but Just cant get it to now.
    So I have a Computer that has a Certificate on it with the SAN - princible name = to [email protected] This is an auo enroled Cert from my AD.
    My Authentication profile says
    IF the SSID (called-station) contianes eduroam and Princible name containes @mydomain.com then user a certification authentication profile. (see attachemnt below) 
    Then my authorization profile says
    if active directoy group = "Domian computers" then allow access.
    When my computer trys to join it passes the certificate test, but when it gets to the AD group is get the below.
    24433          Looking up machine in Active Directory - [email protected]
    24492          Machine authentication against Active Directory has failed
    22059          The advanced option that is configured for process failure is used
    22062          The 'Drop' advanced option is configured in case of a failed authentication request
    But I know my machine is in AD? What do i need to do to get the PC to use EAP-TLS to authenicate and AD group to authorize?
    Cheers

    This accepts all requsts to one SSID and then as you can see if it is EAP TLS uses Cert store (see below), other wise AH
    This jsut says if AD Group = /user/domainComputer allow full access (simple rule)

  • Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

    Hello,
    I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
    In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
    Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
    Any way to resolve this?
    Thanks,
    Steve

    You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
    an example (uses user/pass though, but same concept)
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP

    Hello all,
    I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
    His intended network plan is to use Vista Laptops doing Machine authentication only towards a ACS server integrated with a non-microsoft LDAP server. The mechanism of choice is EAP-TLS.
    We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
    The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
    When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
    All of this appears to be successful the first time.
    If we disassociate the machine, the problems start. The accounting STOP message is never sent.
    Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
    Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
    My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
    IF someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
    Thanks
    Gustavo

    Assuming you're using the stock XP wifi client.
    When running XPSP3, you need to set two things:
    1) force one registry setting.
    According to
    http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
    You need to force usage of machine cert-store certificate:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
    "AuthMode"=dword:00000002
    2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
    - show available wireless networks
    - change advanced settings
    - wireless networks tab
    - select your SSID, and then hit the "properties" button
    - select authentication tab, and then hit "properties" button
    - search for your signing CA, and check the box.
    I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
    Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
    please cross reference to
    https://supportforums.cisco.com/message/3280232
    for a better description of the whole setup.
    Ivan

  • 802.1x eap-tls machine + user authentication (wired)

    Hi everybody,
    right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
    You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
    Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
    1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
    <key>SetupModes</key>
    <array>
        <string>System</string>
        <string>Loginwindow</string>
    </array>
    <key>PayloadScope</key>
        <string>System</string>
    but it does not work
    2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
    Thanks

    Unfortunatelly this documents do not describe how to do what I want.
    I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
    I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
    Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
    Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
    Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
    Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
    this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
    The certificates are in my System keychain.
    Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
    Any ideas ?

Maybe you are looking for

  • Asset accounting year end closing.

    hi guru,r i have one issue with asset account fiscal year clsoing. when we run the AJAB,it was throwing error, saying that one of the asset is not posted depreciation completely. for this message there is an asset which was disposed off in period 12

  • Connect to SQL Server from Oracle

    Does Oracle offer any connectivity to NON-Oracle databases such as SQL Server from within the Oracle database itself, similar to a database link ?

  • Standered business package for BI reports with SAP EP Integration

    Hi Friends, I want to know is there any standered business package for integrating BI content with SAP enterprise portal.As i heard the business package come up with predefined iview and which can be customized as per our requirement . I have worked

  • Delete folders that contain topics?

    Hello: Is it possible to delete folders that contain topics? I have been trying to do this with Project Manager but the delete option is dimmed. I can delete folders that do not contain topics. The project is on a network.  The Clear Project Cache (c

  • Updated to ios7. I can't see how to edit or forward texts c

    Updated phone. How do I edit or forward texts?