EAP-TLS PEAP FAIL DURING SSH HANDSHAKE

Similar Messages

• EAP TLS authentication failed during SSL handshake

  We see this message, trying to set up EAP TLS. Anyone come across this ?

  I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
  The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
  Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
  Hope this helps.

• EAP-TLS or PEAP authentication failed during SSL handshake

  Hi Pros,
                 I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
  When I check my log in the failed attemps, there is what I found:
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  06/23/2010
  17:39:51
  Authen failed
  000e.9b6e.e834
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1101
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Networ
  06/23/2010
  17:39:50
  Authen failed
  [email protected]
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1098
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Network
  [email protected] = my windows active directory name
  1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
  2. Why sometimes it just shows the MAC of the client for username?
  3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
  2. Secondly, When I check in pass authentications... there is what i saw
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  NAS-Port
  NAS-IP-Address
  Network Access Profile Name
  Shared RAC
  Downloadable ACL
  System-Posture-Token
  Application-Posture-Token
  Reason
  EAP Type
  EAP Type Name
  PEAP/EAP-FAST-Clear-Name
  Access Device
  Network Device Group
  06/23/2010
  17:30:49
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  06/23/2010
  17:29:27
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
  Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
  Thanks in advance for your help,
  Crazy---

  Any ideas on this guys?? In my end, i've been reading some docs... Things started to make sens to me, but I still cannot authenticate, still the same errors. One more thing that catch my  attention now is the time it takes to open a telnet session to cisco device which has the ACS for auth server.
  My AD(Active Direct) and the ACS server are local same subnet(server subnet). Ping to the ACS from my desktop which is in different subnet is only take 1ms. To confirm that the issue is the ACS server, I decided to use another server in remote location, the telnet connection is way faster than the local ACS.
  Let's brain storm together to figure out this guys.
  Thanks in advance,
  ----Paul

• EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve

  We are running the LWAPP (2006 wlc's and 1242 AP's) and using the ACS 4.0 for authentication. Our users are
  experiencing an issue, where they are successfully authenticated the first time, however as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not being able to authenticate again.
  We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error msg is relevant since we have other WLC's that are working OK and still generating the same error msg on the ACS...
  Thanks..

  Here are some configs you can try:
  config advanced eap identity-request-timeout 120
  config advanced eap identity-request-retries 20
  config advanced eap request-timeout 120
  config advanced eap request-retries 20
  save config

• EAP-TLS or PEAP authentication failed during SSL handshake error

  I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
  The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
  Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
  Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
  Thanks for the help

  My experience suggests that the problem is the certificate.
  I'm running ACS 3.3.
  I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
  Correctly following the instructions led to a successful connection and no more error message.

• Eap tls authentication fails if bluetooth device connected

  Hi All, I'm new to Macs but was tasked with getting a MacBook Air connected to our AD integrated, 802.1x wifi network. After a lot of trial and error with certificates I finally got this working but now have a rather bizarre problem. With the MBA on it's own it will connect to the wifi network, sucessfully authenticate and work perfectly well. However, if my Apple bluetooth mouse or keyboard are connected to the MBA the EAP-TLS authentication fails. A packet capture of the connection process shows that at the same point every time the process take a while then a packet shows as "Unknown Error Ignored", then loops thorugh the process. Turning off the keybpard and mouse at this point and the MBA will connect. Once connected I can then connect the keyboard and mouse and continue to stay connected for a while before, I assume, the AP forces a re-auth and the connection drops again.
  Has anyone come across this elsewhere?
  Thanks

  I have a Macbook Pro Retina 15" from 2012 and it has the same issue. Running 10.8.4. I have spent probably 5-6 hours trying to troubleshoot cert's network settings, did a complete fresh install (then restored from timemachine when that did not work) with no luck this solution worked but obviously is not a real solution as it should not confilct in this way. Great job on finding a workaround! I will be contacting apple about this ASAP under my applecare.

• EAP/TLS , PEAP problem on PORTEGE with WinXP sp2 Tablet ed.

  We have: ap Cisco AiroNet350 with WPA-EAP, Freeradius with configured EAP/TLS and PEAP, tablet PC PORTEGE with WinXP sp2.
  This problem discribed at http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
  Maybe to solve this problem we need a fix ( http://support.microsoft.com/kb/885453/en-us ), but microsoft support tells to contact with notebook manufacturer.
  Can anybody help me with this problem?

  Hmmm Im not expert on this field but it seems that the MS OS update is need. (I hope)
  The preinstalled Windows OS is a simply OEM version and usually every updates should be possible. However, if the MS guys told you to contact the notebook manufacture so you can contact the Toshiba authorized service provider in your country for more details.
  But I have investigated a little bit in the net and found this useful site:
  http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci945257,00.html
  1. 802.1X depends on communication between your wireless router and a RADIUS authentication server. Whether you're using WPA2, WPA, or WEP with dynamic keys, the following 802.1X debugging hints can be helpful:
  a. Re-enter the same RADIUS secret into your wireless router and RADIUS server.
  b. Configure your RADIUS server to accept RADIUS request from your router's IP address.
  c. Use ping to verify router-to-server reachability.
  d. Watch LAN packet counts to verify that RADIUS requests and responses are flowing.
  e. Use an Ethernet analyzer like Ethereal to watch RADIUS success/failure messages.
  f. For XP SP2, turn on Wzctrace.log by entering "netsh ras set tracing * enabled"
  2. If RADIUS is flowing but access requests are being rejected, you may have an 802.1X Extensible Authentication Protocol (EAP) mismatch or credential problem. Fixing this depends on EAP Type. For example, if your RADIUS server requires EAP-TLS, then select "Smart Card or other Certificate" on your wireless adapter's Network Properties / Authentication panel. If your RADIUS server requires PEAP, then select "Protected EAP" for the adapter. If your RADIUS server requires EAP-TTLS, then you'll need a third-party wireless client like AEGIS or Odyssey.
  Make sure that EAP-specific properties match for your adapter and server, including server certificate Trusted Root Authority, server domain name (optional but must match when specified), and client authentication method (e.g., EAP-MSCHAPv2, EAP-GTC). When using PEAP, use the CHAP "Configure" panel to prevent Windows from automatically re-using your logon.

• EAP-TLS authentication failed

  I have recently purchased the E71 and am trying to connect to my WLan at work. It uses 802.1x authentication and I have now installed the correct security certificate. It seems that no matter what EAP plugin I use, TLS TTLS PEAP FAST etc I get an authentication error. There are a whole lot of settings that I don't understand. Can anyone walk me through the setup who has been there before.
  Much appreciated
  ian S
  Christchurch, NZ

  I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
  The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
  Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
  Hope this helps.

• EAP-TLS error message on ACS server

  Receving this message when client attempts authentication....Any idea or pointers on troubleshooting this?
  "EAP-TLS authentication failed during handshake"

  turn on debugging at the AccessPoint (:eap_diag1_on at 350-Series) or at the ACS (csradius -d -p -z) to get more information
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00800afec1.shtml
  Verify Certificates and CA at the client and the ACS
  http://www.cisco.com/en/US/products/hw/wireless/ps458/products_white_paper09186a008009256b.shtml

• EAP-TLS & ACE Appliance "EAP-TLS or PEAP authentication failed"

  Hello - I have a version 3.2 of the ACS appliance and I am trying to set up a successful test of EAP-TLS. I have a W2K server for a CA and I believe I have the certificate install properly. However, I get the "EAP-TLS or PEAP authentication failed during SSL handshake" error message in my failed attempts log. The troubleshooting document tells me to look at the CSAuth.log file but I can't seem to find in on the ACS Appliance.
  Does anyone have any ideas how to troubleshoot this problem with the appliance?

  If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.
  AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:
  SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)If the ACS rejects the client's certificate because the certificate has expired, the expected error message in the CSAuth.log file is similar to the following.
  AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse:
  SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

• EAP-TLS

  I have been tasked to implement user certificate for mobile devices
  The certificate works on my laptop but keeps failing on the S3 device.
  has anyone successfully deployed this solution ?
  03/25/2014
  08:17:26
  Authen failed
  Theo-Android
  Default Group
  90-18-7c-66-0f-f6
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  (Cisco Controller) >*apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
  *apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
  *apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
  *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Association received from mobile on AP 00:26:0a:ec:19:60
  *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
  *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Applying site-specific IPv6 override for station 38:aa:3c:d6:b0:cb - vapId 5, site 'default-group', interface 'secure_wifi-clients'
  *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Applying IPv6 Interface Policy for station 38:aa:3c:d6:b0:cb - vlan 50, interface id 8, interface 'secure_wifi-clients'
  *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb STA - rates (8): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
  *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
  *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb apfMs1xStateDec
  *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)
  *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
  *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 START (0) Initializing policy
  *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state DHCP_REQD (7)
  *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state DHCP_REQD (7)
  *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5for this client
  *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Not Using WMM Compliance code qosCap 00
  *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5
  *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 38:aa:3c:d6:b0:cb on AP 00:26:0a:ec:19:60 from Associated to Associated
  *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Stopping deletion of Mobile Station: (callerId: 48)
  *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Sending Assoc Response to station on BSSID 00:26:0a:ec:19:60 (status 0) ApVapId 5 Slot 0
  *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile 38:aa:3c:d6:b0:cb on AP 00:26:0a:ec:19:60 from Associated to Associated
  *pemReceiveTask: Mar 25 06:55:15.289: 38:aa:3c:d6:b0:cb 0.0.0.0 Removed NPU entry.
  *dot1xMsgTask: Mar 25 06:55:15.290: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Connecting state
  *dot1xMsgTask: Mar 25 06:55:15.291: 38:aa:3c:d6:b0:cb Sending EAP-Request/Identity to mobile 38:aa:3c:d6:b0:cb (EAP Id 1)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb Received Identity Response (count=1) from mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb EAP State update from Connecting to Authenticating for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Authenticating state
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.299: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=11) for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb WARNING: updated EAP-Identifier 1 ===> 11 for STA 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 11)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.307: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.307: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 11, EAP Type 3)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.308: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=12) for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 12)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 12, EAP Type 13)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=13) for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 13)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.337: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.338: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 13, EAP Type 13)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.338: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.341: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.341: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=14) for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.342: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 14)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 14, EAP Type 13)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.355: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.356: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=15) for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.356: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 15)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 15, EAP Type 13)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.409: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.410: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=16) for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.410: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 16)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 16, EAP Type 13)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=17) for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 17)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 17, EAP Type 13)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Processing Access-Accept for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Resetting web acl from 255 to 255
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Setting re-auth timeout to 1800 seconds, got from WLAN config.
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Station 38:aa:3c:d6:b0:cb setting dot1x reauth timeout = 1800
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Creating a PKC PMKID Cache entry for station 38:aa:3c:d6:b0:cb (RSN 0)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Sending EAP-Success to mobile 38:aa:3c:d6:b0:cb (EAP Id 17)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Sending default RC4 key to mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Sending Key-Mapping RC4 key to mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb apfMs1xStateInc
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state DHCP_REQD (7)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5for this client
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Not Using WMM Compliance code qosCap 00
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 4817, Adding TMP rule
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.393: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule
    type = Airespace AP - Learn IP address
    on AP 00:26:0a:ec:19:60, slot 0, interface = 1, QOS = 0
    ACL Id = 255, Jum
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006  IPv6 Vlan = 50, IPv6 intf id = 8
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (ACL ID 255)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4833, Adding TMP rule
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
    type = Airespace AP - Learn IP address
    on AP 00:26:0a:ec:19:60, slot 0, interface = 1, QOS = 0
    ACL Id = 255, Jumbo
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006  IPv6 Vlan = 50, IPv6 intf id = 8
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb Entering Backend Auth Success state (id=17) for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb Received Auth Success while in Authenticating state for mobile 38:aa:3c:d6:b0:cb
  *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.451: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Authenticated state
  *pemReceiveTask: Mar 25 06:55:15.456: 38:aa:3c:d6:b0:cb 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
  *pemReceiveTask: Mar 25 06:55:15.459: 38:aa:3c:d6:b0:cb 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0

  I presume by S3 you mean samsung galaxy S3?
  We've successfully implemented eap-tls on corporate ipads and iphones but have not managed to get samsung devices to work. There doesn't seem to be consitency with googles nexus devices either, some work and some don't.

• EAP-TLS wi-fi net for PC and iPhone

  Hi, everyone! I'm rather confused and hoped that someone could help me to make the situation clear.
  We wan't to establish a wi-fi net with WPA-2 Enterprise and EAP-TLS for computers  and mobile devices (iPhones, Nokia Symbian, Android devices).
  The connection is organised in such way: client---AP 1240---ACS 4.2---AD(server 2003)
  I have 2 testing computers with wi-fi adapters: one is connected to the  domain (has a wire connection), another has a local account, and an  iPhone. I customized the settings on these computers,iphone, AP and ACS. 
  We have our own CA, 2-tier PKI infrastructure. I have installed the ACS and client's certificates on all the devices (by the way, they are 2048 bit size of).
  I manage to connect from a computer included in the domain but the second PC and iPhone refuse to connect,respectively:
  "EAP-TLS or PEAP authentication failed during SSL handshake".
  "EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake"
  Also I saw in logs that "Machine authentication is not permitted" so the domain PC authenticates through user account and is mapped to a special group.
  So I think the reason is that only domain  devices are allowed to join the net. How can I change this thing?
  Another variant is that I issue the certificates first to wired domain computers and then export  them to non-connected to domain devices so they have inappropriate credentials.
  Please, if you have any thoughts about the reason of the problem, share them. I would appreciate any help.

  The ATV is strictly a wifi client, it doesn't function as a router or access point. You can connect it to your router either by wifi or Ethernet cable. Your pc doesn't need a wifi card to work with an ATV as long as they're both on the same network.

• EAP-TLS Certificate Key Size

  Hi,
  I'm in the process of setting up EAP-TLS authentication in my network. I have installed 2048 bit certificates on my ACS server and Client. When attempting to authenticate I receive the following message in ACS: EAP-TLS or PEAP authentication failed during SSL handshake.   
  Is anyone using 2048 bit certs or know if they work? Any suggestions what else might be causing the authentication failure?
  Thanks,              

  2048 bit is the standard these days. I have used 2048 bit with both PEAP and EAP-TLS with no issues. The error might be the shared secret between ACS and the WLC.
  Sent from Cisco Technical Support iPhone App

• EAP-TLS auth between 2 1310 bridges

  Hello,
  Am working on getting EAP-TLS auth working between a root and non-root 1310 bridge. I've had success getting LEAP working but EAP-TLS is kicking my butt.
  I have an ACS 4.1 server acting as the Radius server and the auth is failing there with the code "EAP-TLS or PEAP authentication failed during SSL handshake". I think I'm missing something related to the certs but don't know where.
  I can post config snippets if that will help but if someone knows of any examples configuring a 1310 or similar bridge with EAP-TLS that would be fantastic.
  TIA,
  BR

  Hi Bastien,
  it is actually what i did.
  The point here i have 2 CA involved, with no relation between them.
  So I did the operation twice for each CA :
  -> making a certificate signing request, sent it to the CA, signed to by the CA and then imported/binded into the ACS
  -> I have added the root CA of each CA into the ACS as well.
  The point is when a computer, try to connect, it try to verify ACS server identity. And the ACS server only seems to present the certificate signed from CA1.
  So when a computer with certificate machine CA2, try to connect, it doesn't trust the ACS server has the ACS sent its certificate signed by CA1.
  I don't know how to allow the ACS to present the right signed certificated depending on the cleint that try to connect.
  Then another conf I do not understand is the option:
  EAP: Used for EAP protocols that use SSL/TLS tunneling --> in local cetificate, when you add a local certificate to the ACS
  I do not undestand what does this option stand for ?
  Then I culd see into Cisco do :
      "For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS related protocol"
  Doest it means that the ACS can use only one single certificate for All the TLS protocol configured in the ACS, to authenticate itself to the client?
  Or does the ACS can use a diferent local certificate from each dedicated eap-tls protocol?
  thx

• Meaning of EAP-TLS errors in ACS

  Hi Guys,
  I'm trying to get a device authenticated to my wireless network using certificates. I get the generic error in ACS (4.2.0.124):
  EAP-TLS or PEAP authentication failed during SSL handshake
  Looking in the Auth log I get:
  AUTH 12/09/2013 15:56:40 E 2255 3096 0x8b7ea5 EAP: EAP-TLS: ProcessResponse: SSL send alert fatal:handshake failure
  AUTH 12/09/2013 15:56:40 E 2258 3096 0x8b7ea5 EAP: EAP-TLS: ProcessResponse: SSL ext error reason: c7 (Ext error code = 0)
  AUTH 12/09/2013 15:56:40 E 2297 3096 0x8b7ea5 EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2120
  AUTH 12/09/2013 15:56:42 E 3159 297052 0x0 AuthenReaper thread : Session Timed out since challenge not provided, freeing it
  Can anyone help me with the reason codes or point me in the right direction?
  Thanks,
  John.

  Hi John,
  This is mostly due to improper certificate installed on either the server or on the client machine.
  Considering the issue with only one client I guess the server is clean.
  Can you verify if proper root certificate, intermediate certificate and the id certificates are installed on client?
  You can also regenerate a new machine ID cert for the client and give a try.
  Thanks.