EAP-TLS PMK Generation

Similar Messages

• EAP-TLS with WLC 5.2.178 Improve Performance and Roams?

  Good Morning...
  I've been working on moving our clients over to EAP-TLS with Machine Auth for sometime. I had moved the IT Department over a couple of months ago as a test with no issues reported and have tested on a few of our Medical Carts (CoWs) as well with no issues reported. However, upon deploying to a larger population of Carts (Specifically using Atheros 5006x 7.x Driver {No Client}) I've been getting some client drop complaints. If I look at the client history I do see a lot of "Client Associations" or Roams that occure anywhere from ever 2minutes, to every 10minutes to every 5 hours. These carts do move around ALOT as they are pushed from one Patient Room to another so I'm guessing the drops are occuring during a re-authentication phase as the device roams. Looking at the device you might not be able to tell it's dropping but the software we use (Meditech) is very connection sensitive in doing a simple ping you may see a couple of dropped packets until the client is fully connected again. So I'm guessing the roaming is the issue. What can we do to fight this or make it more effecient? It was mentioned to me by a colleague (who doesn't know where he saw it) that he thought it was possible to configure the WLC's to not reauthenticate on the roam? I'm guessing something must be able to be tweaked if the 7921's and 25's support EAP-TLS as this type of latency would never work. By the way I'm using an ACS 4.2 as my authentication platform mapped back to AD.

  You will always reauth with a roam. That is part of the 802.11 spec. How you reauth will depend on the type of security you have setup. If you are using WPA2/AES or CCKM the reauths can be done with a PMK instead of needing to go through the entire reauthentication process. Try running "debug client " for a client having the issue and see if it gives you an idea of where the authentication is failing.

• ACS 5.3, EAP-TLS Machine Authentication with Active Directory

  I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
  My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
  Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
  Evaluating Identity Policy
  15006 Matched Default Rule
  22037 Authentication Passed
  22023 Proceed to attribute retrieval
  24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
  24437 Machine not found in Active Directory
  22016 Identity sequence completed iterating the IDStores
  Evaluating Group Mapping Policy
  12506 EAP-TLS authentication succeeded
  11503 Prepared EAP-Success
  Evaluating Exception Authorization Policy
  15042 No rule was matched
  Evaluating Authorization Policy
  15006 Matched Default Rule
  15016 Selected Authorization Profile - Permit Access
  22065 Max sessions policy passed
  22064 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept
  I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
  Note: In my Identity Store Sequence, I did enable the option:
  For Attribute Retrieval only:
  If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
  but this only seems to work for internal identity stores (at least based on my testing)
  Under my Access Policy Identity tab, I configured the following Advanced features:
  Advanced Options
  If authentication failed
  RejectDropContinue
  If user not found
  RejectDropContinue
  If process failed
  RejectDropContinue
  And that didn't do anything either.
  Any ideas? Thanks in advance.

  Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
  Then can make a rule in the authorization policy such as
  If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

• Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS

  In windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate
  on this computer" and un-checked "Use simple certificate selection".
  My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the
  client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I can not get the self signed certificate to appear on the "Choose a certificate"
  drop down.
  Are self signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
  TIA,
  -Rick

  Hi Rick,
  Thank you for your patience.
  According to your description, would you please let me know what command you were using to make a self-signed certificate by tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me
  know if the certificate has private key associated and be present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to personal store.
  Best regards,
  Steven Song
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Implementing EAP-TLS in the enterprise

  Hi all,
  I'm currently performing a review of our global corporate wireless network with a view to implementing user and device authentication. We currently use PEAP-Ms Chapv2 and i'm considering the move to EAP-TLS, however I understand this has its pitfalls in terms of added administrative overheads, particularly around manging user certs.
  Does anyone have any experiencing in rolling EAP-TLS that can provide me with some advice about what to look out for? We have a full PKI and I understand auto enrolment of user certs can be done using group policy and AD but has anyone seen any other issues I should be wary of?
  We have a full Cisco autonomous unified wireless network with Cisco ACS servers for our Radius, tied into AD.
  Appreciate any comments, advice or even direction to other resources where I can find some valuble info.
  cheers.
  Rob

  Rob,
  Since you are already using PEAP, moving to EAP-TLS is not that bad.  Again.... you already have a PKI infrastructure and domain computers should have a certificate already.  So with GPO, you just make a change to the wireless profile to change from PEAP to EAP-TLS.  Peolpe do look at it as more management.... well it sort of is, but if you have staff that is experience in setting up the PKI, GPO, etc, it really isn't that bad.  Client device support is what you will need to look at.  If you have devices like iPads, non domain computers that need to be on the network, then maybe you will need to add EAP-TLS and keep PEAP for those other devices.

• Connecting iPads to an Enterprise Wireless 802.1x (EAP-TLS) Network Using Windows Server 2003 IAS

  Hi there,
  I am asked to deploy iPads on an 802.1x EAP-TLS WiFi network. The customer has a Windows Server 2003 IAS server providing RADIUS. There also is a Windows based CA infrastructure in place. This solution is in production and is already being used by other wireless devices. Could someone please highlight the configuration steps for the iPad deployment? The customer whishes to automate the initial deployment and the renewal of the certificates. I have a basic understanding of 802.1x, RADIUS, Certificates etc. in a Windows infrastructure but I am new to enterprise deployment of iPads. There is no MDM tool in place by the way...
  I did find a Microsoft article which I think describes what needs to be done: http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx. This article basically states the following steps:
  1. Create a placeholder computer account in Active Directory Domain Services (AD DS)
  2. Configure a Service Principal Name (SPN) for the new computer object.
  3. Enroll a computer certificate passing the FQDN of the placeholder computer object as a Subject Name, using Web Enrollment Pages or Certificates MMC snap-in directly from the computer (Skip step 4 if you are using the Certificates MMC snap-in)
  4. Export the certificate created for the non-domain joined machine and install it.
  5. Associate the newly created certificate to the placeholder AD DS domain computer account manually created through Name Mappings
  The article then elaborates on specific steps needed for the iPad because it treats all certificates as user certificates. Can someone confirm this behavior??
  Regards,
  Jeffrey

  Use VPP.  Select an MDM.  Read the google doc below.
  IT Resources -- ios & OS X -- This is a fantastic web page.  I like the education site over the business site.
  View documentation, video tutorials, and web pages to help IT professionals develop and deploy education solutions.
  http://www.apple.com/education/resources/information-technology.html
     business site is:
     http://www.apple.com/lae/ipad/business/resources/
  Excellent guide. See announcment post -- https://discussions.apple.com/thread/4256735?tstart=0
  https://docs.google.com/document/d/1SMBgyzONxcx6_FswgkW9XYLpA4oCt_2y1uw9ceMZ9F4/ edit?pli=1
  good tips for initial deployment:
  https://discussions.apple.com/message/18942350#18942350
  https://discussions.apple.com/thread/3804209?tstart=0

• ISE 1.2 EAP-TLS handshake to external RADIUS

  Hi everyone!
  I'm trying to implement ISE to authenticate a wireless network using a cisco WLC 5508, I have an ISE virtual Appliance version 1.2  and a WLC 5508 version 7.6 with several 3602e Access Points (20 aproximately).
  Right now they are authenticating with a RADIUS Server (which I don't manage, it's out of my scope), the WLC uses this RADIUS Server to authenticate using 802.1x and EAP-TLS (which means the clients need to have a valid certificate and be in the RADIUS database which is integrated to the Active Directory), I can't touch the CA either. So now I need to authenticate using Cisco ISE instead of the RADIUS Server (at least directly), the problem is that for "security" reasons or whatever they don't let me integrate the ISE to the CA, so I added the RADIUS server as an external identity source and made my authentication Policy rule pointing at it, like this:
  If: Wireless_802.1X          Allow Protocols: Default Network Access          Use: RADIUS
  Then I added ISE as a RADIUS Server on my WLC and made a Test SSID 802.1X pointing to ISE to authenticate and all that, I did some tests and I got this error:
  12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
  Which means the clients are trying to do the EAP-TLS Process to validate the certificate with the Cisco ISE (but ISE does not have the certificate because they won't let me integrate to the CA directly) so it fails. Is there any way I can do something to redirect that EAP-TLS handshake to the exernal RADIUS Server? Making ISE kind of like a connecting point only for the authentication, I realize it's not the best scenario but giving the circumstances it's the best I can do for now, later on I will add the AD to ISE and start creating some authorization policies based on that, but right now I just want them to authenticate.
  Any help is appreciated, thanks in advance!

• ISE 1.2 / WLC 5508 EAP-TLS expired certificate error, but wireless still working

  Hi I have a customer that we've deployed ISE 1.2 and WLC 5508s at.  Customer is using EAP-TLS with and everything appears to setup properly.  Users are able to login to the network and authenticate, however, frequently, I'm getting the following error in ISE authentication logs:
  12516 EAP-TLS failed SSL/TLS handshake because of an expired certificate in the client certificates chain
  OpenSSL messages are:
  SSL alert: code=Ox22D=557 : source=local ; type=fatal : message="X509
  certificate ex pi red"'
  4 727850450.3616:error.140890B2: SS L
  rOYbne s: SSL 3_  G ET _CL IE NT  _CE RT IF ICAT E:no ce rtific ate
  relurned: s3_ srvr.c: 272 0
  I'm not sure if this is cosmetic or if this is something that I should be tracking down.  System isn't in full production yet, but every client seems to be working and there is no expired cert in the chain.  Any ideas what to check?

  Hello Dino,
    thanks very much for your reply.
    The client uses a machine-certificate, the PKI is not a microsoft one, but a third party PKI.   The certificate is fresh and valid, the root-cert is installed and checked to be validated against it for the login.
  Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
  EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
  I suspect the cert-setup itself, but don't get a clue where this might stuck...
  Björn

• ISE 1.2 EAP-TLS and AD authentication

  Hi,
  I am sure I have had this working but Just cant get it to now.
  So I have a Computer that has a Certificate on it with the SAN - princible name = to [email protected] This is an auo enroled Cert from my AD.
  My Authentication profile says
  IF the SSID (called-station) contianes eduroam and Princible name containes @mydomain.com then user a certification authentication profile. (see attachemnt below) 
  Then my authorization profile says
  if active directoy group = "Domian computers" then allow access.
  When my computer trys to join it passes the certificate test, but when it gets to the AD group is get the below.
  24433          Looking up machine in Active Directory - [email protected]
  24492          Machine authentication against Active Directory has failed
  22059          The advanced option that is configured for process failure is used
  22062          The 'Drop' advanced option is configured in case of a failed authentication request
  But I know my machine is in AD? What do i need to do to get the PC to use EAP-TLS to authenicate and AD group to authorize?
  Cheers

  This accepts all requsts to one SSID and then as you can see if it is EAP TLS uses Cert store (see below), other wise AH
  This jsut says if AD Group = /user/domainComputer allow full access (simple rule)

• EAP-TLS with ISE 1.1.2 and WLC 7.0.228

  Hi,
  I'm on process of implement Cisco ISE with Wireless LAN Controller. According to my post, I would like to know that if Supplicant Provisioning and EAP-TLS does support on this type of firmware code.
  WLC running on 7.0.228 since most of production APs are 1230
  ISE running on the latest version.
  I have to use EAP-TLS and Supplicant Provisioning on these platforms.
  Is this possible to do about this ?
  Thanks,
  Pongsatorn Maneesud

  Please check the below compatibility matrix  link for Cisco ISE along with a link for client provisioning which might  be helpful:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_61_byod_provisioning.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_client_prov.html

• Wireless ISE - 12508 EAP-TLS handshake failed

  Hi guys,
  I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication.  In short, all EAP-TLS authentication is failing with the following error.  Below that is the relevant excerpt from the logs:
  Authentication failed : 12508 EAP-TLS handshake failed
  OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown  message digest algorithm:a_verify.c:146:,
  Setup:
  - Single standalone ISE 3355 appliance
  - Two tier MS enterprise PKI (outside of my direct control)
  - WLC 5508
  - Windows 7 laptop\
  - The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
  - The test laptop has both the root and intermediate CA server certificates installed  (individually, not chained) and has an identity certificate from the  intermediate CA.
  Now, I'm pretty new to certs so I'm sure I'm missing something simple here.  One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that.  Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
  This is what TAC came back with, but none of the workarounds helped
  Symptom:
  ========
  EAP-TLS auth handshake  failing with X509 decrypt error. The error presented to the ISE  administrator is "12508: EAP-TLS handshake failed"
  Conditions:
  =========
  EAP-TLS certificate based authentications ISE 1.1.2.145
  Workaround:
  ===========
  1) Reboot or restart ISE  application service 2) Recreate CAP (Certificate Authentication Profile)  3) Toggle between ID sequence and single ID source

  Hi Amjad,
  Thanks for the response.  I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
  Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year).  On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
  The certificate format has not been modified in any way.  The server and identity certs have been pushed out to the clients via GPO. Tthe root and intermediate certs were exported in DER format directly from each the respective CAs and imported directly in to the ISE
  Cheers,
  Owen

• ISE - EAP-TLS and then webAuth?

  Hello everyone!
  I have a little bit of a complex dilemma in an ISE deployment and I am trying to lean more on how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.
  Hardware:
  Cisco ISE VM running 1.1.3.124
  WLC 5508 running 7.4.100.0
  AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$
  iPod Touch version 6.1.3(10B329)
  Senario:
  •- User Authenticates to SSID that is 802.1x WPA2 AES,
  •- Machine is checked by having valid Cert issued by CA and given access to ISE CWA
  •- User open’s their browser
  •- WLC redirects them to ISE CWA
  •- User provides credentials on the portal
  •- User to CoA’d to full access network
  Rules, NSP is a limited profiling access network. CWA is a limited access network with redirect to centeral web auth on ISE. Standard rule 2 & 3 (which are disabled in this screen shot) are the rules that prove the CWA works on an open SSID.
  I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?
  Thank you in advance!
  Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.
  I checked the WLC “Clients>Details” (from the monitoring page) and I noticed something interesting:

  Please review the below link which might be helpful :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

• WLC 5508 - EAP-TLS - Windows 8.1 Third Party PKI

  Hello,
  Does anybody know what could prevent a Windows 8/8.1 system to connect to a WLC via EAP-TLS? Windows 7/XP do not have any problems here.The radius server accepts the request, but WIndows 8 still tries to authenticate.
  Software is updated to 7.6.120.0, I tried to setup timeout values, but no success at all.
  Did anyone have similar problems with Windows 8/81?
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Starting key exchange to mobile 0c:8b:fd:eb:16:17, data packets will be dropped
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
     state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
     state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Reusing allocated memory for  EAP Pkt for retransmission to mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId =
  0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Entering Backend Auth Success state (id=6) for mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Received Auth Success while in Authenticating state for mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 dot1x - moving mobile 0c:8b:fd:eb:16:17 into Authenticated state
  *osapiBsnTimer: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *osapiBsnTimer: Jun 24 12:43:16.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *osapiBsnTimer: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 Retransmit failure for EAPOL-Key M1 to mobile 0c:8b:fd:eb:16:17, retransmit count 3, mscb deauth count 0
  Any hint would be great .... Thank you...

  Hello Dino,
    thanks very much for your reply.
    The client uses a machine-certificate, the PKI is not a microsoft one, but a third party PKI.   The certificate is fresh and valid, the root-cert is installed and checked to be validated against it for the login.
  Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
  EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
  I suspect the cert-setup itself, but don't get a clue where this might stuck...
  Björn

• ISE 802.1x EAP-TLS machine and smart card authentication

  I suspect I know the answer to this, but thought that I would throw it out there anway...
  With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card  authentication simultaneously for wired/wireless clients (specifically  Windows 7/8, but Linux or OSX would also be good).  I can find plenty of  information regarding 802.1x machine authentication (EAP-TLS) and user  password authentication (PEAP), but none about dual EAP-TLS  authentication using certificates for machines and users at the same time.  I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end.  For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other.  Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

  Hope this video link will help you
  http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

• Trying to implement EAP/TLS using java (as part of RADIUS server)

  Hi
  This is a cross port since I didn't know which forum to post in!
  I'm trying to implement a RADIUS server (EAP/TLS) as part of my master thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an accesspoint that uses 802.1x. I have created certificates using openssl and imported the "cert-clt.pl2"and "root.pem" to a laptop trying to connect to the accesspoint. On the server side i imported the "cacert.pem" and "cert-srv.der" using keytool to a keystore. In my code I read the keystore and create the SSLEngine with following code:
            KeyStore ksKeys = KeyStore.getInstance("JKS");
              ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
              KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
              kmf.init(ksKeys, passphrase);
              KeyStore ksTrust = KeyStore.getInstance("JKS");
              ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
              TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
              tmf.init(ksKeys);
              sslContext = SSLContext.getInstance("TLS");
              sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
              sslEngine = sslContext.createSSLEngine();
              sslEngine.setUseClientMode(false);
              sslEngine.setNeedClientAuth(true);
              sslEngine.setWantClientAuth(true);
              sslEngine.setEnableSessionCreation(true);
              appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
              appBuffer.clear();
              netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
              netBuffer.clear();All I want to do with TLS is a handshake.
  I'm not talking ssl using sockets instead I receive and send all TLS data encapsulated in EAP packet that are incapsulated in RADIUS packets. I start off with sending TLS-Start upon I recive TLS data. I handle it with the following code:
         SSLEngineResult result = null;
          SSLEngineResult.HandshakeStatus hsStatus = null;
          if( internalState != EAPTLSState.Handshaking ) {
              if( internalState == EAPTLSState.None ) {
                  TLSPacket tlsPacket = new TLSPacket( packet.getData() );
                  peerIdentity = tlsPacket.getData();
                  internalState = EAPTLSState.Starting;
                  try {
                      sslEngine.beginHandshake();
                  } catch (SSLException e) {
                      e.printStackTrace();
                  return;
              else if(internalState == EAPTLSState.Starting ) {
                  internalState = EAPTLSState.Handshaking;
                  try {
                      sslEngine.beginHandshake();
                  } catch (SSLException e) {
                      e.printStackTrace();
          TLSPacket tlsPacket = new TLSPacket( packet.getData() );
          netBuffer.put( tlsPacket.getData() );
          netBuffer.flip();
          while(true) {
              hsStatus = sslEngine.getHandshakeStatus();
              if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                  Runnable task;
                  while((task=sslEngine.getDelegatedTask()) != null) {
                      new Thread(task).start();
              else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
                  try {
                      result = sslEngine.unwrap( netBuffer, appBuffer );
                  } catch (SSLException e) {
                      e.printStackTrace();
              else {
                  return;
          }When I try to send data I use the following code:
             SSLEngineResult.HandshakeStatus hsStatus = null;
              SSLEngineResult result = null;
  //            netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
              netBuffer.clear();
              while(true) {
                  hsStatus = sslEngine.getHandshakeStatus();
                  if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                      Runnable task;
                      while((task=sslEngine.getDelegatedTask()) != null) {
                          new Thread(task).start();
                  else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
                      try {
                          result = sslEngine.wrap( dummyBuffer, netBuffer );
                      } catch (SSLException e) {
                          e.printStackTrace();
                  else {
                      if( result != null && result.getStatus() == SSLEngineResult.Status.OK ) {
                          int size = Math.min(result.bytesProduced(),this.MTU);
                          byte [] tlsData = new byte[size];
                          netBuffer.flip();
                          netBuffer.get(tlsData,0,size);
                          TLSPacket tlsPacket = new TLSPacket((byte)0,tlsData);
                          if( size < result.bytesProduced() ) {
                              tlsPacket.setFlag(TLSFlag.MoreFragments);
                          return new EAPTLSRequestPacket( ID,
                                  (short)(tlsPacket.getData().length + 6),
                                  stateMachine.getCurrentMethod(), tlsPacket );
                      else {
                          return null;
                  }After I sent TLS-Start I receive data and manage to process it but when then trying to produce TLS data I get the following error:
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
  at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
  at java.lang.Thread.run(Thread.java:595)
  Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
  at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
  at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
  Any help wold be most greatfull, if any questions or anything unclear plz let me know.
  add some additional information here is a debug output
  Before this I have sent a TLS-star package and this is when I receive new information and then try to create the answer
  [Raw read]: length = 5
  0000: 16 03 01 00 41 ....A
  [Raw read]: length = 65
  0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
  0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
  0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
  0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
  0040: 00 .
  Thread-2, READ: TLSv1 Handshake, length = 65
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 4
  1, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198,
  50, 201 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH
  _3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA,
  SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EX
  PORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DE
  S_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
  Compression Methods: { 0 }
  [read] MD5 and SHA1 hashes: len = 65
  0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
  0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
  0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
  0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
  0040: 00 .
  Thread-5, fatal error: 40: no cipher suites in common
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
  Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
  Thread-5, WRITE: TLSv1 Alert, length = 2
  Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeEx
  ception: no cipher suites in common
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:9
  92)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineI
  mpl.java:459)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineIm
  pl.java:1054)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:10
  26)
  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
  at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.ja
  va:153)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStat
  eMachine.java:358)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.j
  ava:262)
  at java.lang.Thread.run(Thread.java:595)
  Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1
  352)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(Serve
  rHandshaker.java:638)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHands
  haker.java:450)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHa
  ndshaker.java:178)
  at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:4
  95)
  at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.
  java:930)
  ... 1 more

  I am developing a simple client/server SSL app using sdk 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?