EAP-TLS or PEAP on PDA

Hi,
I plan to implement IEEE 802.1X running either PEAP or EAP-TLS on an HTC smartphone with Windows Mobile 6.0.
The RADIUS server used is ACS 4.2.
I would like to know if anyone has successfully implemented the above scenario. Can you provide a guide to deploy it?
Thanks.
Delon

My experience suggests that the problem is the certificate.
I'm running ACS 3.3.
I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
Correctly following the instructions led to a successful connection and no more error message.

Similar Messages

  • EAP-TLS or PEAP authentication failed during SSL handshake

    Hi Pros,
    I am a newbie in ACS 4.2 and EAP-TLS implementation; with that being said, I am facing an issue during an EAP-TLS implementation. My search shows that this kind of error message is a certificate issue; however, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-installed the cert chain as well.
    When I check my log in the failed attempts, this is what I found:
    Date: 06/23/2010   Time: 17:39:51   Message-Type: Authen failed
    User-Name: 000e.9b6e.e834   Group-Name: Default Group   Caller-ID: 000e.9b6e.e834
    Network Access Profile Name: (Default)
    Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake
    Author-Failure-Code:   Author-Data:
    NAS-Port: 1101   NAS-IP-Address: 10.111.22.24   Filter Information:
    PEAP/EAP-FAST-Clear-Name:   EAP Type: 25   EAP Type Name: MS-PEAP   Reason:
    Access Device: wbr-1121-zozo-test   Network Device Group: Office Networ

    Date: 06/23/2010   Time: 17:39:50   Message-Type: Authen failed
    User-Name: [email protected]   Group-Name: Default Group   Caller-ID: 000e.9b6e.e834
    Network Access Profile Name: (Default)
    Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake
    Author-Failure-Code:   Author-Data:
    NAS-Port: 1098   NAS-IP-Address: 10.111.22.24   Filter Information:
    PEAP/EAP-FAST-Clear-Name:   EAP Type: 25   EAP Type Name: MS-PEAP   Reason:
    Access Device: wbr-1121-zozo-test   Network Device Group: Office Network
    [email protected] = my Windows Active Directory name
    1. Why under EAP Type does it show MS-PEAP, not EAP-TLS? I did configure EAP-TLS....
    2. Why does it sometimes just show the MAC of the client as the username?
    3. Why does it put me in the Default Group even though I belong to a group well defined in the ACS?
    Secondly, when I check the passed authentications, this is what I saw:
    Date: 06/23/2010   Time: 17:30:49   Message-Type: Authen OK
    User-Name: groszozo   Group-Name: NOC Tier 2   Caller-ID: 10.11.10.105
    NAS-Port: 1   NAS-IP-Address: 10.111.22.24   Network Access Profile Name: (Default)
    Shared RAC:   Downloadable ACL:   System-Posture-Token:   Application-Posture-Token:
    Reason:   EAP Type:   EAP Type Name:   PEAP/EAP-FAST-Clear-Name:
    Access Device: wbr-1121-zozo-test   Network Device Group: Office Network

    Date: 06/23/2010   Time: 17:29:27   Message-Type: Authen OK
    User-Name: groszozo   Group-Name: NOC Tier 2   Caller-ID: 10.11.10.105
    NAS-Port: 1   NAS-IP-Address: 10.111.22.24   Network Access Profile Name: (Default)
    Shared RAC:   Downloadable ACL:   System-Posture-Token:   Application-Posture-Token:
    Reason:   EAP Type:   EAP Type Name:   PEAP/EAP-FAST-Clear-Name:
    Access Device: wbr-1121-zozo-test   Network Device Group: Office Network
    In the output above, it says that the user is authenticated and it puts the user in the right group with the right username, but the user never really authenticates. Maybe for the first few seconds when I initiate the connection.
    Before I forget, the supplicant is using Windows XP and 802.1X is enabled. I even unchecked not verify the server, and in the ACS under External User Databases I did check ENABLE EAP-TLS machine authentication.
    Thanks in advance for your help,
    Crazy---

    Any ideas on this, guys?? On my end, I've been reading some docs... Things started to make sense to me, but I still cannot authenticate, still the same errors. One more thing that catches my attention now is the time it takes to open a telnet session to a Cisco device which has the ACS as the auth server.
    My AD (Active Directory) and the ACS server are local on the same subnet (server subnet). A ping to the ACS from my desktop, which is on a different subnet, takes only 1 ms. To confirm that the issue is the ACS server, I decided to use another server in a remote location; the telnet connection is way faster than with the local ACS.
    Let's brainstorm together to figure this out, guys.
    Thanks in advance,
    ----Paul

  • EAP-TLS & ACE Appliance "EAP-TLS or PEAP authentication failed"

    Hello - I have version 3.2 of the ACS appliance and I am trying to set up a successful test of EAP-TLS. I have a W2K server for a CA and I believe I have the certificate installed properly. However, I get the "EAP-TLS or PEAP authentication failed during SSL handshake" error message in my failed attempts log. The troubleshooting document tells me to look at the CSAuth.log file but I can't seem to find it on the ACS Appliance.
    Does anyone have any ideas on how to troubleshoot this problem with the appliance?

    If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.
    AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:
    SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)
    If the ACS rejects the client's certificate because the certificate has expired, the expected error message in the CSAuth.log file is similar to the following.
    AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse:
    SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
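    As an added example (not code from this thread or from Cisco), the Python script below automates the reading of the two kinds of evidence quoted in these threads: it pulls the TLS alert out of CSAuth.log "SSL handshake failed" events, even when the message wraps onto a second line as it does above, and cross-checks Failed Attempts rows for the symptoms asked about in the "Hi Pros" post (EAP Type 25 / MS-PEAP showing up where EAP-TLS was configured, and the client MAC appearing as the User-Name). The sample log text and report row are constructed; the EAP type numbers (13 = EAP-TLS, 25 = PEAP) are the IANA-registered values.

```python
"""Triage helper for the ACS "EAP-TLS or PEAP authentication failed during SSL
handshake" errors quoted in this thread.

Added example, not Cisco's code and not from any post in the thread. All sample
data below is constructed; field names follow the Failed Attempts report headers
quoted in the thread, EAP method numbers are the IANA values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

EAP_TYPE_NAMES = {13: "EAP-TLS", 17: "LEAP", 25: "PEAP", 43: "EAP-FAST"}

# One CSAuth.log event. The message may wrap onto a second line as it does in
# the thread, so whitespace between tokens is matched with \s+ and the pattern
# is applied to the whole log text rather than line by line.
CSAUTH_RE = re.compile(
    r"AUTH\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<sev>[A-Z])\s+\d+\s+\d+\s+"
    r"EAP:\s+ProcessResponse:\s+SSL handshake failed,\s+status = (?P<status>\d+)\s+"
    r"\(SSL alert (?P<alert>[^)]*)\)"
)

# TLS alert text -> (category, what to check on the ACS side)
ALERT_ADVICE = {
    "fatal:unknown CA certificate": (
        "CA trust",
        "ACS does not trust the issuer of the client certificate: install the CA "
        "chain on ACS and mark it trusted in the Certificate Trust List",
    ),
    "fatal:certificate expired": (
        "validity period",
        "client certificate is outside its notBefore/notAfter window, or the ACS "
        "clock is wrong: verify the server time before reissuing the certificate",
    ),
}

# Cisco dotted (000e.9b6e.e834) or colon/dash separated MAC forms.
MAC_RE = re.compile(r"(?i)^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$|^(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}$")


@dataclass
class Finding:
    source: str
    category: str
    advice: str


def triage_csauth(log_text: str) -> List[Finding]:
    """Return one Finding per 'SSL handshake failed' event in CSAuth.log text."""
    findings = []
    for m in CSAUTH_RE.finditer(log_text):
        alert = m.group("alert")
        category, advice = ALERT_ADVICE.get(
            alert, ("unclassified TLS alert", f"inspect CSAuth.log at {m.group('time')} (alert '{alert}')")
        )
        findings.append(Finding(f"CSAuth.log {m.group('date')} {m.group('time')}", category, advice))
    return findings


def triage_failed_attempt(row: Dict[str, str], intended_eap_type: int) -> List[Finding]:
    """Cross-check one Failed Attempts row against the EAP method ACS is meant to use."""
    findings = []
    eap_type = int(row.get("EAP Type") or 0)  # empty cell -> 0 (unknown)
    if eap_type and eap_type != intended_eap_type:
        findings.append(Finding("Failed Attempts", "EAP method mismatch",
            f"supplicant negotiated {EAP_TYPE_NAMES.get(eap_type, eap_type)} but ACS "
            f"expects {EAP_TYPE_NAMES.get(intended_eap_type, intended_eap_type)}: "
            "fix the authentication method in the client's 802.1X profile"))
    if MAC_RE.match(row.get("User-Name", "")):
        findings.append(Finding("Failed Attempts", "MAC as identity",
            "User-Name is the client MAC, so no user identity reached ACS and the "
            "session cannot be matched to a configured user or group"))
    if not findings and "SSL handshake" in row.get("Authen-Failure-Code", ""):
        findings.append(Finding("Failed Attempts", "certificate",
            "right EAP method and identity, handshake still failed: read the TLS alert in CSAuth.log"))
    return findings


# Constructed samples in the shape of the thread's excerpts.
SAMPLE_CSAUTH = """\
AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:
SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)
AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
"""
SAMPLE_ROW = {
    "User-Name": "000e.9b6e.e834", "EAP Type": "25", "EAP Type Name": "MS-PEAP",
    "Authen-Failure-Code": "EAP-TLS or PEAP authentication failed during SSL handshake",
}

if __name__ == "__main__":
    for f in triage_csauth(SAMPLE_CSAUTH) + triage_failed_attempt(SAMPLE_ROW, 13):
        print(f"[{f.source}] {f.category}: {f.advice}")
```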

  • EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake

    Hi All,
    I am trying to test EAP-TLS authentication on ACS 4.2.1.15 running on an Appliance 1120. I have installed my server certificate along with the CA certificate on my appliance box, and I have enabled the EAP-TLS features under Global Authentication Setup.
    I have downloaded the client supplicant certificate file for my Windows XP machine.
    When I try to authenticate, I find the following error message under Failed Attempts (EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my ACS appliance box.
    Under Certificate Revocation List, I have forced my CA as CRL in use. Attached are snapshots of all of it.
    Suggest to me whether I need to enable all corresponding CA certificates under the Certificate Trust List. Kindly let me know where I am going wrong on this..

    Hello,
    I am NO expert on certificates but I have seen your error dozens of times from wireless clients on my Cisco ACS 4.2 Radius server.
    Through trial and error I wrote up this procedure for our Helpdesk for installing certs in Windows XP and Windows 7. These steps haven't failed me yet and the Helpdesk doesn't bother me as much anymore so see if this helps you:
    - Manually install the Global CA under BOTH Trusted Root Certification Authorities\Certificates AND Intermediate Certification Authorities\Certificates
    - Manually install the Intermediate CA under JUST the Intermediate Certification Authorities\Certificates
    - Delete the wireless network from the computer
    - REBOOT!!
    - Open the Microsoft Management Console, "mmc".
    - Go to FILE\Add Remove SnapIn. Select Certificates ..
    - If prompted, do it for "My User Account".
    - Make sure the certificates are where you put them.
    - If you see any of these exact certificates out of place in either Trusted Root Certification Authorities\Certificates or Intermediate Certification Authorities\Certificates, remove them.
    - Redo the wireless network setup again
    I hope this helps you.
    Mike

  • EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve

    We are running LWAPP (2006 WLCs and 1242 APs) and using ACS 4.0 for authentication. Our users are experiencing an issue where they are successfully authenticated the first time; however, as the number of them increases, they start to drop their connections and are prompted to re-authenticate. At this point, they are not able to authenticate again.
    We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error message is relevant, since we have other WLCs that are working OK and still generating the same error message on the ACS...
    Thanks..

    Here are some configs you can try:
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    save config

  • EAP-TLS or PEAP authentication failed during SSL handshake error

    I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started failing authentication, logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate, since the current one was going to expire in November 2007.
    The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server, and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But I have a couple of questions:
    Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0, to the fact that I changed the Certificate, or both?
    Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250)?
    Thanks for the help

    My experience suggests that the problem is the certificate.
    I'm running ACS 3.3.
    I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
    Correctly following the instructions led to a successful connection and no more error message.

  • EAP-TLS and PEAP/MSCHAPv2 on non-domain equipment

    I'm not entirely sure this is the correct forum so I apologize. I'm merely having trouble finding the Network Policy Services forum. In short, I could use some answers to the following questions:
    Is it possible to do EAP-TLS Machine authentication with non-domain machines? Would this require 8.1's "Workplace Join" scenario?
    Can I do EAP-TLS User Authentication on non-domain machines?
    Is it possible to use a different RADIUS realm name than the internal domain structure? Something easier for the users to type and remember? Can I do that with NPS configured in Proxy mode?

    Hi,
    Based on my experience,
    EAP-TLS is only available for members of a domain.
    For non-domain member computers, the certificate must be manually imported into the certificate store or obtained by using the Web enrollment tool.
    You can specify a realm name and user name syntax in the Connection Manager profile so that the user only has to specify the user account name when typing their credentials during network connection attempts.
    In addition, you can also deploy NPS as a RADIUS proxy on your network.
    For more detailed information, please refer to the following links:
    EAP
    http://technet.microsoft.com/en-us/library/cc757996(v=WS.10).aspx
    Certificates and NPS
    http://technet.microsoft.com/en-us/library/cc772401(v=ws.10).aspx
    Realm names
    http://technet.microsoft.com/en-us/library/cc731342(v=WS.10).aspx
    Planning NPS as a RADIUS proxy
    http://technet.microsoft.com/en-us/library/dd197525(v=WS.10).aspx
    Best regards,
    Susie Long

  • EAP-TLS PEAP FAIL DURING SSH HANDSHAKE

    Hi Pros,
    I am a newbie in ACS 4.2 and EAP-TLS implementation; with that being said, I am facing an issue during an EAP-TLS implementation. My search shows that this kind of error message is a certificate issue; however, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-installed the cert chain as well.
    When I check my log in the failed attempts, this is what I found:
    Date: 06/23/2010   Time: 17:39:51   Message-Type: Authen failed
    User-Name: 000e.9b6e.e834   Group-Name: Default Group   Caller-ID: 000e.9b6e.e834
    Network Access Profile Name: (Default)
    Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake
    Author-Failure-Code:   Author-Data:
    NAS-Port: 1101   NAS-IP-Address: 10.111.22.24   Filter Information:
    PEAP/EAP-FAST-Clear-Name:   EAP Type: 25   EAP Type Name: MS-PEAP   Reason:
    Access Device: wbr-1121-zozo-test   Network Device Group: Office Networ

    Date: 06/23/2010   Time: 17:39:50   Message-Type: Authen failed
    User-Name: [email protected]   Group-Name: Default Group   Caller-ID: 000e.9b6e.e834
    Network Access Profile Name: (Default)
    Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake
    Author-Failure-Code:   Author-Data:
    NAS-Port: 1098   NAS-IP-Address: 10.111.22.24   Filter Information:
    PEAP/EAP-FAST-Clear-Name:   EAP Type: 25   EAP Type Name: MS-PEAP   Reason:
    Access Device: wbr-1121-zozo-test   Network Device Group: Office Network
    [email protected] = my Windows Active Directory name
    1. Why under EAP Type does it show MS-PEAP, not EAP-TLS? I did configure EAP-TLS....
    2. Why does it sometimes just show the MAC of the client as the username?
    3. Why does it put me in the Default Group even though I belong to a group well defined in the ACS?
    Secondly, when I check the passed authentications, this is what I saw:
    Date: 06/23/2010   Time: 17:30:49   Message-Type: Authen OK
    User-Name: groszozo   Group-Name: NOC Tier 2   Caller-ID: 10.11.10.105
    NAS-Port: 1   NAS-IP-Address: 10.111.22.24   Network Access Profile Name: (Default)
    Shared RAC:   Downloadable ACL:   System-Posture-Token:   Application-Posture-Token:
    Reason:   EAP Type:   EAP Type Name:   PEAP/EAP-FAST-Clear-Name:
    Access Device: wbr-1121-zozo-test   Network Device Group: Office Network

    Date: 06/23/2010   Time: 17:29:27   Message-Type: Authen OK
    User-Name: groszozo   Group-Name: NOC Tier 2   Caller-ID: 10.11.10.105
    NAS-Port: 1   NAS-IP-Address: 10.111.22.24   Network Access Profile Name: (Default)
    Shared RAC:   Downloadable ACL:   System-Posture-Token:   Application-Posture-Token:
    Reason:   EAP Type:   EAP Type Name:   PEAP/EAP-FAST-Clear-Name:
    Access Device: wbr-1121-zozo-test   Network Device Group: Office Network
    In the output above, it says that the user is authenticated and it puts the user in the right group with the right username, but the user never really authenticates. Maybe for the first few seconds when I initiate the connection.
    Before I forget, the supplicant is using Windows XP and 802.1X is enabled. I even unchecked not verify the server, and in the ACS under External User Databases I did check ENABLE EAP-TLS machine authentication.
    Thanks in advance for your help,
    Crazy---

    I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, needed to have DJohnson).
    The second issue I had was that my APs were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident, causing the WDS authentication to fail. Once I turned this back on, my APs authenticated to my WDS device and my users authenticated to the APs.
    Otherwise, the meaning of this is that the certs are not matching up correctly with the server, either due to expired certs, an incorrect cert type on the user's machine or incorrect information in the cert.
    Hope this helps.

  • EAP/TLS , PEAP problem on PORTEGE with WinXP sp2 Tablet ed.

    We have: an AP, Cisco AiroNet350 with WPA-EAP; FreeRADIUS with EAP/TLS and PEAP configured; a tablet PC PORTEGE with WinXP SP2.
    This problem is described at http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
    Maybe to solve this problem we need a fix ( http://support.microsoft.com/kb/885453/en-us ), but Microsoft support says to contact the notebook manufacturer.
    Can anybody help me with this problem?

    Hmmm, I'm not an expert in this field but it seems that an MS OS update is needed. (I hope)
    The preinstalled Windows OS is simply an OEM version and usually every update should be possible. However, if the MS guys told you to contact the notebook manufacturer, you can contact the Toshiba authorized service provider in your country for more details.
    But I have investigated a little bit on the net and found this useful site:
    http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci945257,00.html
    1. 802.1X depends on communication between your wireless router and a RADIUS authentication server. Whether you're using WPA2, WPA, or WEP with dynamic keys, the following 802.1X debugging hints can be helpful:
    a. Re-enter the same RADIUS secret into your wireless router and RADIUS server.
    b. Configure your RADIUS server to accept RADIUS requests from your router's IP address.
    c. Use ping to verify router-to-server reachability.
    d. Watch LAN packet counts to verify that RADIUS requests and responses are flowing.
    e. Use an Ethernet analyzer like Ethereal to watch RADIUS success/failure messages.
    f. For XP SP2, turn on Wzctrace.log by entering "netsh ras set tracing * enabled"
    2. If RADIUS is flowing but access requests are being rejected, you may have an 802.1X Extensible Authentication Protocol (EAP) mismatch or credential problem. Fixing this depends on EAP Type. For example, if your RADIUS server requires EAP-TLS, then select "Smart Card or other Certificate" on your wireless adapter's Network Properties / Authentication panel. If your RADIUS server requires PEAP, then select "Protected EAP" for the adapter. If your RADIUS server requires EAP-TTLS, then you'll need a third-party wireless client like AEGIS or Odyssey.
    Make sure that EAP-specific properties match for your adapter and server, including server certificate Trusted Root Authority, server domain name (optional but must match when specified), and client authentication method (e.g., EAP-MSCHAPv2, EAP-GTC). When using PEAP, use the CHAP "Configure" panel to prevent Windows from automatically re-using your logon.

  • EAP-TLS Authentication failure happening in ACS for Wireless End User Authentication

    Hi All,
    We have the Windows 3.2 ACS setup in the production environment, and we are migrating it to the 4.2 Appliance version. We have successfully migrated the database and other stuff from 3.2 to 4.2. In the same way we have exported the certificates from 3.2 to 4.2 and installed them.
    We have LEAP as well as EAP-TLS in the authentication part.
    We were able to test successfully with LEAP. But when it comes to EAP-TLS, the 4.2 version is throwing the error.
    Date: 5/3/2011   Time: 23:16:38   Message-Type: Authen failed
    User-Name: [email protected]   Group-Name: EAP-TLS users   Caller-ID: 0023.1413.de18
    Network Access Profile Name: (Default)
    Authen-Failure-Code: EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake
    NAS-Port: 21356   NAS-IP-Address: 10.121.198.38
    EAP Type: 13   EAP Type Name: EAP-TLS
    Access Device: ap-1242b4   Network Device Group: Bangalore APs
    We have used the same certificate, exported and installed in the 4.2 version. It is working in the existing 3.2 version, so why is it not working with the 4.2 version?
    Could anyone help me out in this?
    Regards
    Karthik

    Hi,
    Looks like the CA Cert is not installed on the ACS.
    The following link will help you install the CA cert.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp327056
    Also trust the CA certificate in the Edit Trust List.
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • Authentication failed using EAP-TLS and CSSC against ACS

    Hi.
    Playing with a trial version of CSSC (Cisco Secure Services Client) I had a problem that I really don't understand.
    Any 802.1X configuration works fine, but when I use anything involving the use of certificates (EAP-TLS or PEAP using a certificate instead of a password to authenticate) I always see the same log message in ACS:
    "Authen session timed out: Challenge not provided by client". It seems that my client supplicant does not respond to the ACS when the latter proposes an EAP method.
    First I discarded a certificate error because the same certificate works fine with the Intel PROSet Wireless supplicant and Windows Zero Configuration. EAP-FAST works fine using auto provisioning or manual provisioning.
    Any idea? I read the CSSC administration guide but I did not find anything that explains this behaviour or defines the right configuration for this EAP method.
    I'm using Windows XP SP3, an Intel Wireless 4965AGN and CSSC 5.1.1.18; my CA is a Windows CA. ACS version 4.2.
    Thanks in advance.
    Best regards.

    Today is not my day.
    It's still failing and maybe I will open a TAC case.
    I'm looking at the log file of the CSSC and I don't like what I have seen.
    2125: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-6-INFO_MSG: %[tid=344][mac=1,6,00:1d:e0:9f:05:ef]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP suggested by server: leap
    2126: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-6-INFO_MSG: %[tid=2044][mac=1,6,00:1d:e0:9f:05:ef]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP requested by client:  eapTls
    2127: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP methods sent : sync=8
    2128: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, response sent : sync=8
    2129: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Authentication state transition: AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION -> AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED
    2130: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Credential callback, type=AC_CRED_SERVER_VERIFY, sync=9
    2131: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Calling acCredDeferred
    2132: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request deferred : sync=9
    2133: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Server verification sent : sync=9
    2134: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, response sent : sync=9
    2135: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Credential callback, type=AC_CRED_USER_CERT, sync=10
    2136: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Calling acCredDeferred
    2137: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request deferred : sync=10
    2138: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Impersonating user
    2139: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Loading client certificate private key...
    2140: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Calling acCertLoadPrivateKey()...
    2141: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: ...acCertLoadPrivateKey() returned
    2142: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 204, contact software manufacturer
    2143: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: acCertLoadPrivateKey() error -20 [c:\acebuild\bldrobot_cssc_5.1.1.21_view\monadnock\src\ace\certificate\certificateimpl.cpp:239]
    2144: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 4, contact software manufacturer
    2145: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: CssException for function 'acCertLoadPrivateKey' => -20{error} [certificateimpl.cpp:240]
    2146: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 7, contact software manufacturer
    2147: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Assertion 'CSS exception - should this be logged instead?' failed at [cssexception.cpp:114]
    2148: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Client certificate private key has not been loaded
    2149: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Deimpersonating user
    2150: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Client certificate 239f43fdcde8e190540fab2416253c5660c0d959 has been processed: ERR_INTERNAL_ERROR(7)
    2151: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Certificate 239f43fdcde8e190540fab2416253c5660c0d959 is unusable
    2152: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, no response sent : sync=10
    2153: portable-9b7161: oct 28 2010 20:34:30.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
    2154: portable-9b7161: oct 28 2010 20:34:32.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
    2155: portable-9b7161: oct 28 2010 20:34:34.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
    It seems that it found a valid certificate, starts the authentication process and, when it must respond to the ACS challenge, fails when loading the private key and crashes the supplicant.
    Do you think the same??
    Thanks.
    Best Regards.

  • EAP-TLS

    I have been tasked with implementing user certificates for mobile devices.
    The certificate works on my laptop but keeps failing on the S3 device.
    Has anyone successfully deployed this solution?
    Date: 03/25/2014   Time: 08:17:26   Message-Type: Authen failed
    User-Name: Theo-Android   Group-Name: Default Group   Caller-ID: 90-18-7c-66-0f-f6
    Network Access Profile Name: (Default)
    Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake
    (Cisco Controller) >*apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
    *apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
    *apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Association received from mobile on AP 00:26:0a:ec:19:60
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Applying site-specific IPv6 override for station 38:aa:3c:d6:b0:cb - vapId 5, site 'default-group', interface 'secure_wifi-clients'
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Applying IPv6 Interface Policy for station 38:aa:3c:d6:b0:cb - vlan 50, interface id 8, interface 'secure_wifi-clients'
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb STA - rates (8): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb apfMs1xStateDec
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state DHCP_REQD (7)
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state DHCP_REQD (7)
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5for this client
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 38:aa:3c:d6:b0:cb on AP 00:26:0a:ec:19:60 from Associated to Associated
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Sending Assoc Response to station on BSSID 00:26:0a:ec:19:60 (status 0) ApVapId 5 Slot 0
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile 38:aa:3c:d6:b0:cb on AP 00:26:0a:ec:19:60 from Associated to Associated
    *pemReceiveTask: Mar 25 06:55:15.289: 38:aa:3c:d6:b0:cb 0.0.0.0 Removed NPU entry.
    *dot1xMsgTask: Mar 25 06:55:15.290: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Connecting state
    *dot1xMsgTask: Mar 25 06:55:15.291: 38:aa:3c:d6:b0:cb Sending EAP-Request/Identity to mobile 38:aa:3c:d6:b0:cb (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb Received Identity Response (count=1) from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb EAP State update from Connecting to Authenticating for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Authenticating state
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.299: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=11) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb WARNING: updated EAP-Identifier 1 ===> 11 for STA 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 11)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.307: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.307: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 11, EAP Type 3)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.308: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=12) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 12)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 12, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=13) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.337: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.338: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 13, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.338: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.341: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.341: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=14) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.342: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 14)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 14, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.355: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.356: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=15) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.356: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 15)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 15, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.409: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.410: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=16) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.410: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 16)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 16, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=17) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 17)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 17, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Processing Access-Accept for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Resetting web acl from 255 to 255
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Station 38:aa:3c:d6:b0:cb setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Creating a PKC PMKID Cache entry for station 38:aa:3c:d6:b0:cb (RSN 0)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Sending EAP-Success to mobile 38:aa:3c:d6:b0:cb (EAP Id 17)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Sending default RC4 key to mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Sending Key-Mapping RC4 key to mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb apfMs1xStateInc
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state DHCP_REQD (7)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5for this client
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Not Using WMM Compliance code qosCap 00
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 4817, Adding TMP rule
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.393: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:26:0a:ec:19:60, slot 0, interface = 1, QOS = 0
      ACL Id = 255, Jum
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006  IPv6 Vlan = 50, IPv6 intf id = 8
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (ACL ID 255)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4833, Adding TMP rule
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:26:0a:ec:19:60, slot 0, interface = 1, QOS = 0
      ACL Id = 255, Jumbo
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006  IPv6 Vlan = 50, IPv6 intf id = 8
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb Entering Backend Auth Success state (id=17) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb Received Auth Success while in Authenticating state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.451: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Authenticated state
    *pemReceiveTask: Mar 25 06:55:15.456: 38:aa:3c:d6:b0:cb 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *pemReceiveTask: Mar 25 06:55:15.459: 38:aa:3c:d6:b0:cb 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0

    I presume by S3 you mean Samsung Galaxy S3?
    We've successfully implemented EAP-TLS on corporate iPads and iPhones but have not managed to get Samsung devices to work. There doesn't seem to be consistency with Google's Nexus devices either; some work and some don't.

  • ISE: advising users that only EAP-TLS can be used

    A large school board accepts only EAP-TLS connections. This requirement is easily disseminated to teachers, however not to students, whose personal devices keep trying to connect using PEAP. Once users connect with EAP-TLS, they are authenticated on AD.
    1. Could we from the Switch port block PEAP but let EAP-TLS go through? I couldn't find a command for this.
    2. If we can't stop PEAP requests from reaching ISE, could we treat the PEAP connections as CWA, but have a special Authorization Rule that would say if the inner tunnel is PEAP then do CWA-nonEAP-TLS web authentication, which would be a customized web page with a message instructing the students how to use EAP-TLS? Would that make sense?
    3. Do you have better suggestion how to either block PEAP before it reaches ISE or a way using ISE to let users know that they must use EAP-TLS, not PEAP if they wish to connect?
    Thanks.
    Cath.

    Hi Tarik,
    Of course, I know about the Allowed Protocols, which currently has only Host Lookup and EAP-TLS enabled. But that technique, of not allowing PEAP in ISE Authentication policies, doesn't stop thousands of students' devices from hitting ISE with PEAP traffic. Students have heard that they are allowed to connect to the school network using dot1x, so they turn it on on their PC without regard to which EAP flavour they are supposed to use. Thus, the ISE box is getting hit with PEAP requests, which it drops. The school board would like to deal with that PEAP traffic.
    To alleviate this problem, of the ISE box constantly getting PEAP traffic from the same device over and over again in the course of a day, I was wondering:
    1. Can we stop PEAP traffic before it arrives at ISE? Is there a way for the switch to differentiate that it's PEAP and not EAP-TLS and to drop it before passing it to ISE? I don't think so.
    2. If the switch can't stop PEAP, what is the best way to have ISE process the PEAP traffic? Because if ISE only rejects the PEAP traffic, it is constantly hit back by the same device sending PEAP traffic to ISE over and over.
    I suggested to the client the two following possible ways:
      a. An authorization rule based on Network Access: Tunnel PEAP that provides CWA with a customized web page telling the students to use EAP-TLS and not PEAP (this technique is explained in para 2. of my original posting).
      b. Create a blackhole VLAN where the students' personal PCs that arrive with PEAP are put. This VLAN doesn't go anywhere, but at least the PC has stopped hitting ISE with PEAP traffic for a few minutes, until the student decides to restart his/her connection.
    I also recommended to the client that they have a better technique to inform the students that only EAP-TLS is available, like posters on the wall, blast email, on the school FB page, etc. But information dissemination is not an IT problem, it's a communication problem.
    Looking forward to your suggestions.

  • EAP-TLS wi-fi net for PC and iPhone

    Hi, everyone! I'm rather confused and hoped that someone could help me to make the situation clear.
    We want to establish a wi-fi net with WPA-2 Enterprise and EAP-TLS for computers and mobile devices (iPhones, Nokia Symbian, Android devices).
    The connection is organised in such a way: client---AP 1240---ACS 4.2---AD(server 2003)
    I have 2 testing computers with wi-fi adapters: one is connected to the domain (has a wired connection), another has a local account, and an iPhone. I customized the settings on these computers, the iPhone, the AP and ACS.
    We have our own CA, a 2-tier PKI infrastructure. I have installed the ACS and client certificates on all the devices (by the way, they are 2048 bits in size).
    I manage to connect from a computer included in the domain, but the second PC and the iPhone refuse to connect, respectively:
    "EAP-TLS or PEAP authentication failed during SSL handshake".
    "EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake"
    Also I saw in logs that "Machine authentication is not permitted" so the domain PC authenticates through user account and is mapped to a special group.
    So I think the reason is that only domain  devices are allowed to join the net. How can I change this thing?
    Another variant is that I issued the certificates first to wired domain computers and then exported them to devices not connected to the domain, so they have inappropriate credentials.
    Please, if you have any thoughts about the reason of the problem, share them. I would appreciate any help.

    The ATV is strictly a wifi client, it doesn't function as a router or access point. You can connect it to your router either by wifi or Ethernet cable. Your pc doesn't need a wifi card to work with an ATV as long as they're both on the same network.

  • EAP-TLS FAILING ON WIRELSS IPPHONE CP-7925G

    Hi all,
    we had enabled EAP-TLS authentication on our WiFi network. We are using Cisco ACS 1113 & Microsoft Certificate Server for this setup. Currently we are able to successfully authenticate EAP-TLS on computers, but the phones are not registering to the network.
    On the ACS we are getting the following error.
    "EAP-TLS or PEAP authentication failed due to invalid certificate during SSL handshake".
    Thanks
    Nibin       

    Dear all
    Thanks for your reply. Actually the setting is working for laptops; the only issue is with the wireless IP phones.
    Please find the logs from Cisco ACS. I followed the deployment guide for IP Phone.
    AUTH 02/10/2013 13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate A
    AUTH 02/10/2013 13:29:58 I 2009 1756 0xb EAP: EAP-TLS: Handshake failed
    AUTH 02/10/2013 13:29:58 E 2255 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL recv alert fatal:bad certificate
    AUTH 02/10/2013 13:29:58 E 2258 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL ext error reason: 412 (Ext error code = 0)
    AUTH 02/10/2013 13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2198
    AUTH 02/10/2013 13:29:58 I 0526 1756 0xb EAP: EAP-TLS: Unknown EAP code Unknown EAP code
    AUTH 02/10/2013 13:29:58 I 0366 1756 0xb EAP: EAP state: action = send
    AUTH 02/10/2013 13:29:58 I 1151 1756 0xb [AuthenProcessResponse]:[eapAuthenticate] returned -2198
    AUTH 02/10/2013 13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7, seq_id=7)
    AUTH 02/10/2013 13:29:58 I 5501 1756 0xb Done UDB_SEND_RESPONSE, client 50, status UDB_EAP_TLS_INVALID_CERTIFICATE
    Thanks
    Nibin Rodrigues
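
The ACS lines above carry more than the generic "invalid certificate" summary: the last TLS state logged before the failure (`SSLv3 read client certificate A`), the direction and description of the alert (`SSL recv alert fatal:bad certificate`), the EAP identifier of the failing round and ACS's final status token. The following Python script is an added example, not code from the thread or from Cisco: it parses AUTH lines of this shape into a record and derives a triage hint from the alert direction and handshake state. The hint is the example's own reading of the OpenSSL-style wording, in which `recv` is an alert received from the peer and a server in the `read client certificate` state has just sent its own certificate and is waiting for the client's; it is not a diagnosis given in the thread. The field layout is read off the quoted lines, and the sample is a copy of them, labelled as constructed. It also generalises to the `send` direction, which the quoted log does not contain.

```python
"""Pull the TLS handshake failure point out of Cisco Secure ACS AUTH log lines.

Added example, not code from the thread or from Cisco. The field layout
(date, time, severity, code, pid, thread id, message) is read off the AUTH
lines quoted above; the triage text is this example's own interpretation.
"""
import re
from dataclasses import dataclass
from typing import Optional

# TLS alert descriptions that point at a certificate problem (RFC 5246, 7.2.2).
CERT_ALERTS = {
    "bad certificate": 42, "unsupported certificate": 43, "certificate revoked": 44,
    "certificate expired": 45, "certificate unknown": 46, "unknown ca": 48,
}

# Constructed sample: a copy of the ACS lines quoted in the post above.
SAMPLE_ACS_LOG = """\
AUTH 02/10/2013 13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate A
AUTH 02/10/2013 13:29:58 I 2009 1756 0xb EAP: EAP-TLS: Handshake failed
AUTH 02/10/2013 13:29:58 E 2255 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL recv alert fatal:bad certificate
AUTH 02/10/2013 13:29:58 E 2258 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL ext error reason: 412 (Ext error code = 0)
AUTH 02/10/2013 13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2198
AUTH 02/10/2013 13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7, seq_id=7)
AUTH 02/10/2013 13:29:58 I 5501 1756 0xb Done UDB_SEND_RESPONSE, client 50, status UDB_EAP_TLS_INVALID_CERTIFICATE
"""

ACS_LINE_RE = re.compile(
    r"^AUTH (?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) (?P<sev>[IWE]) "
    r"(?P<code>\d{4}) (?P<pid>\d+) (?P<tid>0x[0-9a-fA-F]+) (?P<msg>.*)$"
)
STATE_RE = re.compile(r"SSL state=(.+)$")
ALERT_RE = re.compile(r"SSL (recv|send) alert (\w+):(.+)$")
STATUS_RE = re.compile(r"status (UDB_\w+)")
IDENTIFIER_RE = re.compile(r"identifier=(\d+)")


@dataclass
class TlsFailure:
    ssl_state: Optional[str] = None        # last OpenSSL-style handshake state ACS logged
    alert_direction: Optional[str] = None  # "recv": peer sent it; "send": ACS sent it
    alert_level: Optional[str] = None
    alert_description: Optional[str] = None
    status: Optional[str] = None           # ACS's own final status token
    eap_identifier: Optional[int] = None
    error_lines: int = 0                   # lines with severity E


def parse_acs_eap_tls(text: str) -> TlsFailure:
    """Collect the handshake state, alert, EAP identifier and final status from AUTH lines."""
    f = TlsFailure()
    for raw in text.splitlines():
        m = ACS_LINE_RE.match(raw.strip())
        if not m:
            continue
        if m["sev"] == "E":
            f.error_lines += 1
        msg = m["msg"]
        s = STATE_RE.search(msg)
        if s:
            f.ssl_state = s.group(1).strip()     # keep the last state before the alert
        a = ALERT_RE.search(msg)
        if a:
            f.alert_direction = a.group(1)
            f.alert_level = a.group(2)
            f.alert_description = a.group(3).strip()
        st = STATUS_RE.search(msg)
        if st:
            f.status = st.group(1)
        i = IDENTIFIER_RE.search(msg)
        if i:
            f.eap_identifier = int(i.group(1))
    return f


def triage(f: TlsFailure) -> str:
    """Say which side rejected which certificate, from the alert direction and handshake state."""
    if f.alert_description is None:
        return "no TLS alert in this excerpt; the failure happened outside the handshake"
    code = CERT_ALERTS.get(f.alert_description)
    what = "%s alert %s (code %s)" % (
        f.alert_level or "?", f.alert_description, code if code is not None else "n/a")
    if f.alert_direction == "recv":
        # ACS received the alert, so the supplicant rejected something ACS presented.
        hint = "the supplicant rejected a certificate ACS presented"
        if f.ssl_state and "read client certificate" in f.ssl_state:
            # In TLS 1.0-1.2 the client sends its Certificate message only after it has
            # processed the server's Certificate, so an alert arriving in this state is
            # the client's verdict on the ACS server certificate chain.
            hint += ("; ACS was waiting for the client Certificate message, so check the "
                     "ACS server certificate and its chain as trusted by the device")
        return "%s: %s" % (what, hint)
    if f.alert_direction == "send":
        return ("%s: ACS rejected the supplicant's certificate; check the client certificate "
                "chain, validity period and the CA trusted by ACS" % what)
    return what


if __name__ == "__main__":
    failure = parse_acs_eap_tls(SAMPLE_ACS_LOG)
    print(failure)
    print(triage(failure))
```

The point of splitting direction from description is that the same summary in the ACS Failed Attempts report covers two different fixes: an alert ACS sent means the client certificate (or its issuing CA, as trusted by ACS) is wrong, while an alert ACS received means the device did not accept the server certificate, which for a phone typically means loading the server certificate or its CA chain onto the device.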
