Implementing EAP-TLS in the enterprise
Hi all,
I'm currently performing a review of our global corporate wireless network with a view to implementing user and device authentication. We currently use PEAP-Ms Chapv2 and i'm considering the move to EAP-TLS, however I understand this has its pitfalls in terms of added administrative overheads, particularly around manging user certs.
Does anyone have any experiencing in rolling EAP-TLS that can provide me with some advice about what to look out for? We have a full PKI and I understand auto enrolment of user certs can be done using group policy and AD but has anyone seen any other issues I should be wary of?
We have a full Cisco autonomous unified wireless network with Cisco ACS servers for our Radius, tied into AD.
Appreciate any comments, advice or even direction to other resources where I can find some valuble info.
cheers.
Rob
Rob,
Since you are already using PEAP, moving to EAP-TLS is not that bad. Again.... you already have a PKI infrastructure and domain computers should have a certificate already. So with GPO, you just make a change to the wireless profile to change from PEAP to EAP-TLS. Peolpe do look at it as more management.... well it sort of is, but if you have staff that is experience in setting up the PKI, GPO, etc, it really isn't that bad. Client device support is what you will need to look at. If you have devices like iPads, non domain computers that need to be on the network, then maybe you will need to add EAP-TLS and keep PEAP for those other devices.
Similar Messages
-
Trying to implement EAP/TLS using java (as part of RADIUS server)
Hi
This is a cross port since I didn't know which forum to post in!
I'm trying to implement a RADIUS server (EAP/TLS) as part of my master thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an accesspoint that uses 802.1x. I have created certificates using openssl and imported the "cert-clt.pl2"and "root.pem" to a laptop trying to connect to the accesspoint. On the server side i imported the "cacert.pem" and "cert-srv.der" using keytool to a keystore. In my code I read the keystore and create the SSLEngine with following code:
KeyStore ksKeys = KeyStore.getInstance("JKS");
ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ksKeys, passphrase);
KeyStore ksTrust = KeyStore.getInstance("JKS");
ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ksKeys);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(false);
sslEngine.setNeedClientAuth(true);
sslEngine.setWantClientAuth(true);
sslEngine.setEnableSessionCreation(true);
appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
appBuffer.clear();
netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
netBuffer.clear();All I want to do with TLS is a handshake.
I'm not talking ssl using sockets instead I receive and send all TLS data encapsulated in EAP packet that are incapsulated in RADIUS packets. I start off with sending TLS-Start upon I recive TLS data. I handle it with the following code:
SSLEngineResult result = null;
SSLEngineResult.HandshakeStatus hsStatus = null;
if( internalState != EAPTLSState.Handshaking ) {
if( internalState == EAPTLSState.None ) {
TLSPacket tlsPacket = new TLSPacket( packet.getData() );
peerIdentity = tlsPacket.getData();
internalState = EAPTLSState.Starting;
try {
sslEngine.beginHandshake();
} catch (SSLException e) {
e.printStackTrace();
return;
else if(internalState == EAPTLSState.Starting ) {
internalState = EAPTLSState.Handshaking;
try {
sslEngine.beginHandshake();
} catch (SSLException e) {
e.printStackTrace();
TLSPacket tlsPacket = new TLSPacket( packet.getData() );
netBuffer.put( tlsPacket.getData() );
netBuffer.flip();
while(true) {
hsStatus = sslEngine.getHandshakeStatus();
if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
Runnable task;
while((task=sslEngine.getDelegatedTask()) != null) {
new Thread(task).start();
else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
try {
result = sslEngine.unwrap( netBuffer, appBuffer );
} catch (SSLException e) {
e.printStackTrace();
else {
return;
}When I try to send data I use the following code:
SSLEngineResult.HandshakeStatus hsStatus = null;
SSLEngineResult result = null;
// netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
netBuffer.clear();
while(true) {
hsStatus = sslEngine.getHandshakeStatus();
if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
Runnable task;
while((task=sslEngine.getDelegatedTask()) != null) {
new Thread(task).start();
else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
try {
result = sslEngine.wrap( dummyBuffer, netBuffer );
} catch (SSLException e) {
e.printStackTrace();
else {
if( result != null && result.getStatus() == SSLEngineResult.Status.OK ) {
int size = Math.min(result.bytesProduced(),this.MTU);
byte [] tlsData = new byte[size];
netBuffer.flip();
netBuffer.get(tlsData,0,size);
TLSPacket tlsPacket = new TLSPacket((byte)0,tlsData);
if( size < result.bytesProduced() ) {
tlsPacket.setFlag(TLSFlag.MoreFragments);
return new EAPTLSRequestPacket( ID,
(short)(tlsPacket.getData().length + 6),
stateMachine.getCurrentMethod(), tlsPacket );
else {
return null;
}After I sent TLS-Start I receive data and manage to process it but when then trying to produce TLS data I get the following error:
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
Any help wold be most greatfull, if any questions or anything unclear plz let me know.
add some additional information here is a debug output
Before this I have sent a TLS-star package and this is when I receive new information and then try to create the answer
[Raw read]: length = 5
0000: 16 03 01 00 41 ....A
[Raw read]: length = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-2, READ: TLSv1 Handshake, length = 65
*** ClientHello, TLSv1
RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 4
1, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198,
50, 201 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH
_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA,
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EX
PORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DE
S_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods: { 0 }
[read] MD5 and SHA1 hashes: len = 65
0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
0040: 00 .
Thread-5, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
Thread-5, WRITE: TLSv1 Alert, length = 2
Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeEx
ception: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:9
92)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineI
mpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineIm
pl.java:1054)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:10
26)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.ja
va:153)
at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStat
eMachine.java:358)
at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.j
ava:262)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1
352)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(Serve
rHandshaker.java:638)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHands
haker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHa
ndshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:4
95)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.
java:930)
... 1 moreI am developing a simple client/server SSL app using sdk 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?
-
Hello,
The challenge is to take the existing wireless infrastructure using PSK and upgrade to EAP-TLS. I have had the opportunity to configure using the AD world with CA servers, Wireless Group Policies etc prior to this. But could use some insight in getting this
This is a controller based environment.
Clients MAC OS vary from the most recent to maybe 4 versions back
ACS aapliance and an LDAP server.
Active Directory - box with rules. Easier distribution, policies, set a rule apply to many
MAC - autonomous
Any assistance would be most helpful, any articles, discussions etc that could shed some light on this.
Thanks,
ErikAre you able to push group policies using AD to your Mac clients? Or is that where the trouble is?
-
WLAN Security - EAP-TLS EAP-Identity exposed in the clear
Hi Guys,
As a well known point on eap-tls, is the eap-identity message from (lets say) a workstantion is exposed in the clear and any packet capture can pick this up.
How does this affect organisations deploying eap-tls and are there any recommend mitigation techniques to use?
If you are using eap-tls, and active directory, this machine name could be in the CN, SAN comparison from the Cisco ACS to AD DC so could be a problem? Not sure?
But the underlying certificate exchange is the real security method here correct? So should I not worry about this?
Many thx and kind regards,
kenHi Fella, Excellent response.
So, Couple of points here :
We use EAP-TLS and WPA2/AES
EAP-TLS = Authentication Layer only
WPA2/AES = Encrpytion Layer only
Is that correct?
Also, if correct
EAP-TLS Authentication Only
What does this authenticate in the certificate, and how?
All I know is that it is working and the client cert and ACS server cert are authenticating each other, and we have the ACS consulting the active directory DC with a CN, SAN or binary comparison
So the way I see it, there are two layers of authentication here
1st Layer
Laptop <---> ACS certificate verification/authentication (the two certs have some field in them that say they are linked) and are happy to proceed?
2nd Layer
The ACS-AD comparison, so if this field in the cert appears in an AD GPO, it allows access, if not, no eap-sucess messge is sent?
Can you clarify this as you have done a good job in explaing thus far?
Many thx indeed,
Ken -
Eap-tls configuration assistance
I am trying to get eap-tls working on my wireless network, with machine authentication. I have followed the numerous configuration guides on CCO but seem to be running around in circles. So can someone please give me a sanity check.
Scenario
MS CA (Windows 2008 Server)
MS DC (Windows 2003 Server)
ACS 4.2 (Windows 2003 Server)
WLC 4402 (5.2)
LWAP AIR-LAP1142N-N-K9
Client MS XP SP3
I have confirmed that the certficates are valid on both the ACS and client.
The problem I have is, I see the client associate, but fails authentication. I look in the ACS failed log attempts, I see:
13/07/2009 11:19:17 Authen failed host/e26458.internal.company Default Group 00-12-F0-82-77-2D (Default) External user not found .. .. 1 10.10.10.100 .. .. 13 EAP-TLS .. TWLC01 CITY
I have configured ACS for Unkown User Policy and have the client e26458 in AD.
I would like some advice from some people who have successfuly implemented EAP-TLS, as I have hit a brick wall. I have attached the results of the debug aaa events enable,debug aaa detail enable,
debug dot1x events enable,debug dot1x states enable on the WLC.
frustratingly yoursI am unable to open the attachment, anyway let me tell you few things which you should conform while using certificates.
1. Both your client and server certificates should be from same authority
2. You should have the same username in which the certificate issued should be in your ACS database.
3. Conform the validity of both your CA and device certificate
Just to conform this is not an issue with your ACS server you can install the cert in your controller and try to authenticate the client using local auth.If this works then your certs are perfect and verify your ACS configurations -
EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s
We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
For example:
Policy 1: allowed-certificate-OID --> corporate
Policy 2: allowed-certificate-OID --> private
Client authenticates with EKU corporate --> success
Client authenticates with EKU private --> reject
My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
Has anyone a simmilar setup or can help to figure out what is going wrong?
We have a WLC 5508 with Software Version 7.4.100.0 and a NPS on a Windows Server 2008 R2
regards
FabianThe policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches a AD group, the user belongs to, could have a OID that is not in the certificate. This would cause a recejct with reason code 73:
The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
The certificate does include this OID but not the custom EKU. -
I have been tasked to implement user certificate for mobile devices
The certificate works on my laptop but keeps failing on the S3 device.
has anyone successfully deployed this solution ?
03/25/2014
08:17:26
Authen failed
Theo-Android
Default Group
90-18-7c-66-0f-f6
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
(Cisco Controller) >*apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
*apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
*apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Association received from mobile on AP 00:26:0a:ec:19:60
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Applying site-specific IPv6 override for station 38:aa:3c:d6:b0:cb - vapId 5, site 'default-group', interface 'secure_wifi-clients'
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Applying IPv6 Interface Policy for station 38:aa:3c:d6:b0:cb - vlan 50, interface id 8, interface 'secure_wifi-clients'
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb STA - rates (8): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb apfMs1xStateDec
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state DHCP_REQD (7)
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state DHCP_REQD (7)
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5for this client
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 38:aa:3c:d6:b0:cb on AP 00:26:0a:ec:19:60 from Associated to Associated
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Sending Assoc Response to station on BSSID 00:26:0a:ec:19:60 (status 0) ApVapId 5 Slot 0
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile 38:aa:3c:d6:b0:cb on AP 00:26:0a:ec:19:60 from Associated to Associated
*pemReceiveTask: Mar 25 06:55:15.289: 38:aa:3c:d6:b0:cb 0.0.0.0 Removed NPU entry.
*dot1xMsgTask: Mar 25 06:55:15.290: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Connecting state
*dot1xMsgTask: Mar 25 06:55:15.291: 38:aa:3c:d6:b0:cb Sending EAP-Request/Identity to mobile 38:aa:3c:d6:b0:cb (EAP Id 1)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb Received Identity Response (count=1) from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb EAP State update from Connecting to Authenticating for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Authenticating state
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.299: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=11) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb WARNING: updated EAP-Identifier 1 ===> 11 for STA 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 11)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.307: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.307: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 11, EAP Type 3)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.308: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=12) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 12)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 12, EAP Type 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=13) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.337: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.338: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 13, EAP Type 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.338: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.341: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.341: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=14) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.342: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 14)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 14, EAP Type 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.355: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.356: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=15) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.356: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 15)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 15, EAP Type 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.409: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.410: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=16) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.410: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 16)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 16, EAP Type 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=17) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 17)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 17, EAP Type 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Processing Access-Accept for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Resetting web acl from 255 to 255
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Station 38:aa:3c:d6:b0:cb setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Creating a PKC PMKID Cache entry for station 38:aa:3c:d6:b0:cb (RSN 0)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Sending EAP-Success to mobile 38:aa:3c:d6:b0:cb (EAP Id 17)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Sending default RC4 key to mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Sending Key-Mapping RC4 key to mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb apfMs1xStateInc
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state DHCP_REQD (7)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5for this client
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 4817, Adding TMP rule
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.393: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:26:0a:ec:19:60, slot 0, interface = 1, QOS = 0
ACL Id = 255, Jum
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006 IPv6 Vlan = 50, IPv6 intf id = 8
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (ACL ID 255)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4833, Adding TMP rule
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:26:0a:ec:19:60, slot 0, interface = 1, QOS = 0
ACL Id = 255, Jumbo
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006 IPv6 Vlan = 50, IPv6 intf id = 8
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb Entering Backend Auth Success state (id=17) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb Received Auth Success while in Authenticating state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.451: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Authenticated state
*pemReceiveTask: Mar 25 06:55:15.456: 38:aa:3c:d6:b0:cb 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Mar 25 06:55:15.459: 38:aa:3c:d6:b0:cb 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0I presume by S3 you mean samsung galaxy S3?
We've successfully implemented eap-tls on corporate ipads and iphones but have not managed to get samsung devices to work. There doesn't seem to be consitency with googles nexus devices either, some work and some don't. -
Hi
We're planning on implementing eap-tls for our corporate iPads and in the past I've successfully tested it authenticating against ACS5.3 but now that we've moved to ISE (1.1.1.24) I'm getting an error.
22045 Identity policy result is configured for password based authentication methods but received certificate based authentication request
I've tried two different profiles, one with a certificates and AD credentials and the other one with just certificates but the error message is the same for both.
EAP-TLS is enabled in the 'Default Network Access' authentication result.
Can anyone shine a light on where I'm going wrong?
Thanks
MartinMartin,
Then that makes sense, since the ISE uses certificate based authentication when using eap-tls the certificate doesnt have the OIDs to support certificate based authentication. Here is a guide that shows the requirements needed in order to authenticate clients via certificates:
http://support.microsoft.com/kb/814394
Here is the comment in the article in this case the IAS is the radius server and the same holds true for ISE:
The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.
Here is the Cisco eap-tls deployment guide which references the same as above:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml#wp39121
Thanks,
Tarik Admani
*Please rate helpful posts* -
EAP-TLS - 802.1x - Certificate renewal
Hello
I want to implement EAP-TLS as realised in Document "EAP-TLS under Unified Wireless Network with ACS 4.0 and Windows 2003". Everything thing works fine.
Though our customer wants to FW the Data WLAN/ VLAN and allow only data traffic between WLAN Client to a the terminal server within his secure LAN.
By blocking all other traffic(except Terminal Server sessions) we experienced that the MS WinXP Client cannot renew its` EAP_TLS Certificate (in this case both user and machine)when its` Time expires.
Could somebody give me a hint if there are other Cisco solutions for this issue.
I have also read something about Cisco Virtual office. Does this deployement coupe up to solve this issue?The purpose Cisco ACS agent is, that ACS 4.x appliance (non-Windows2003 server) is capable to do Windows user authentication. I guess that won't help your issue.
What I don't get is the following:
Are you using WPA2(AES) as encryption? Then the WLAN is not considered as unsecure over the air.
The CA enrollment is a pure Windows issue. I haven't heard of Cisco mechanisms to cover that case. The only way I see is to open the FW for the needed MS services or to use another EAP-type (like PEAP). -
Can ACS support multiple Active Directory Domains for 802.1x EAP-TLS?
Hi
I'm looking to implement ACS 5.2 using 802.1X, we have two seperate AD domains.
Now.. this is the tricky part...
A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
Can any expert please let me know if they think that this will be possible please??
Many thanksYes ACS can support multiple AD domains but you will have to configure one as your AD domain and the other as an LDAP database and this will work since you are planning to use eap-tls.
The question I have is which version of ACS are you using? If you are using ACS 5.x then you can setup and identity store sequence so if the user is not found you can move to the next store and this will prevent you from installing two certificates on every machine.
You can then setup an authorization rule for the seperate containers on where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the vlan based off that.
Thanks and I hope this helps!
Tarik Admani -
IBNS with two groups of XP Machines, one PEAP-MSCHAPv2 & one EAP-TLS
Hello,
I'm planning to implement a IBNS network. We have two groups of XP Machines. One group has machine certs and we're planning to check their certs using EAP-TLS. The second group of machines is managed by other departments, each having their own Active Directory, and configured with PEAP-MSCHAPv2. I'm not very familiar with this kind of setup, so hints are highly appreciated.
1. Can I assume that, when properly configured, we can differentiate the authorizations per group (for exemple, at least two VLANs one for group 1 and another one for group 2 - I must at least seggregate the users per group and can't mix them in the same environment, since they belong two different departments).
2. For the first group, no big issue. I can check against my central AD. For the users of the second group, since they can come from different departments, each having its own AD, can I differentiate them, by any means, to know which AD I'll have to query? Or do I have to query only one single AD? Is it required that all the users of group 2 belong to the same domain?
Thanks in advance for your help.Hello,
I'm planning to implement a IBNS network. We have two groups of XP Machines. One group has machine certs and we're planning to check their certs using EAP-TLS. The second group of machines is managed by other departments, each having their own Active Directory, and configured with PEAP-MSCHAPv2. I'm not very familiar with this kind of setup, so hints are highly appreciated.
1. Can I assume that, when properly configured, we can differentiate the authorizations per group (for exemple, at least two VLANs one for group 1 and another one for group 2 - I must at least seggregate the users per group and can't mix them in the same environment, since they belong two different departments).
2. For the first group, no big issue. I can check against my central AD. For the users of the second group, since they can come from different departments, each having its own AD, can I differentiate them, by any means, to know which AD I'll have to query? Or do I have to query only one single AD? Is it required that all the users of group 2 belong to the same domain?
Thanks in advance for your help. -
If I have a laptop running eap-tls in the following way
laptop ---- ap -----wlc ------cisco acs (radius)
lets say the laptop starts eap-tls when it boots up and exchanges certificates with the acs
If i have no encrytion set on the WLAN, would the whole tls and certificate exchange be readable by a wireless network sniffer?
I really get confused between eap-tls and lets say a web ssl (tls) session
eap-tls is pure authentication, no encrytion?
where when you start an ssl session, lets say with amazon.co.uk, all data within the ssl (tls) session is encrypted
Is anything encrypted when using eap-tls if you use an open network?
Many thx indeed,
KenAlso, just reading the rfc is states "MAY"
It states that you use eap-tls within eap-tls?
2.1.4. Privacy
EAP-TLS peer and server implementations MAY support privacy.
Disclosure of the username is avoided by utilizing a privacy Network
Access Identifier (NAI) [RFC 4282] in the EAP-Response/Identity, and
transmitting the peer certificate within a TLS session providing
confidentiality.
Any comments and clarification on this would be great. I just have the ssl web scenario stuck in my brain and cant adapt it (if appropriate) to eap-tls?
Thx guys,
Ken -
Planning on implementing EAP-TLS for wireless security and tryingto wrap my brain around what will be lost if I use local eap-tls vs an external radius server for authentication of the certificates. I thought I saw in some older posts (3+ years) that there is no CRL available when using the controller as built-in radius. I am running on a 3650 as the integrated wlc. If I can tidy up the wireless solution so I dont have to utilize an external radius server (this would be the first necessity to have an external radius server for this org) than it would be nice to keep it simple. I am planning on doing "computer only" auth for some clients and the ability to invalidate their cert would likely push me to the external radius server - I just don't know if there are any other trade-offs by using the built-in radius.
I also saw that you cant specify a radius server for anything else on the switch or the local built-in radius wont work, but then saw copnflictying info " You can disable RADIUS authentication for a given WLAN by using “config wlan radius_server auth disable wlan_id” CLI command." at this great page http://mrncciew.com/2013/04/21/configuring-local-eap-on-wlc/
but dont know if this is true or not either. I would like to know if I am locking myself into never having an external radius server If i go down the local eap-tls path.
Thanks,
BrianThanks Nicolas, sad but true, I failed to find any possibilites at WLC.
It seems I need to configure external RADIUS and use local EAP only in case of WAN failure. -
Issue with iphone configuration utility: eap-tls certificate selection
hello,
I am a new Apple user so if there's anything obvious, please bear with me. I also tried to search in the forum but didn't find any solution.
here's my issue:
I use iphone configuration utility v2.1 for windows. I added 2 certificates(one user cert and one CA cert) under 'credentials'. then i configured one wifi network (eap-tls using the certificate i justed added). then i synced with my phone. everything worked fine so far. however, when I tried to connect to wifi, i got error and found out that iphone was using a certificate issued by IPCU CA instead of the certificate i uploaded.
this behavior could be corrected by manually change the certificate from wireless setting. however, this has to be done every time I try to connect to wireless network which is quite frustrated. a workaround is to email me the certificate and install it from iphone. but i can't install the CA certificate via this way.
i am wondering if anyone has similar issue and how to fix this.
thanks,
-nsthe configuration utility doesn't allow you to select the iPCU cert which is kind of a self signed by the software. you could only select the cert that you imported.
upgraded to ipcu ver 2.2 today and it seems to fix the problem. will monitor it for several days and report back. -
EAP-TLS authentication failure
We've been struggling with this problem for weeks without a solution yet. Maybe someone can help us.
Note: some information below has been redacted and the IP addresses are not the original ones. They have been changed to fictional IP addresses but they have been adjusted to reflect an equivalent situation.
This situation is as follows:
WLAN infrastructure with:
1 x
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
AIR-WLC2112-K9 (IP address = 10.10.10.10)
8 x
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
AIR-LAP1142N-E-K9
Data for the WLC:
Product Version.................................. 6.0.199.4
RTOS Version..................................... 6.0.199.4
Bootloader Version.............................. 4.0.191.0
Emergency Image Version................... 6.0.199.4
The WLC is connected to a switch, Cisco Catalyst model WS-C3750X-24, sw version 12.2(53)SE2.
The idea is to have the clients/supplicants (Windows XP), who have a valid certificate, authenticate against a RADIUS server. The authentication is configured as 802.1x over EAP-TLS.
The RADIUS server is a Windows 2003 Server with IAS (IP address = 15.15.15.15). This server is accessed via a WAN link. We don't manage this server.
The problem: no wireless client (Windows XP) is able to go past the initial authentication.
I should add that the WLC and the APs were working perfectly and clients were connecting correctly to them. However this setup was moved to a new building and, since then, nothing has worked. I must add that the configuration on the WLC and APs has not changed, since the network configuration (IP subnets, etc) was migrated from the previous building to this new one. But something has changed: the WAN router (connected to the Internet and with a VPN established to the corporate network) and the LAN equipment (switches), which are all brand new.
On the RADIUS side we find these error messages:
Fully-Qualified-User-Name = XXXXXXXXXXXX/XXXX/XXXXX/XXXX/XXXXX (it shows the correct information)
NAS-IP-Address = 10.10.10.10
NAS-Identifier = XX-002_WLAN
Called-Station-Identifier = f0-25-72-70-65-xx:WLAN-XX
Calling-Station-Identifier = 00-1c-bf-7b-08-xx
Client-Friendly-Name = xxxxxxx_10.10.10.10
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 2
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless LAN Access
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
On the WLC side, the error messages are:
TRAP log:
RADIUS server 15.15.15.15:1812 failed to respond to request (ID 42) for client 00:27:10:a3:1b:xx / user 'unknown'
SYSLOG:
Jan 06 10:16:35 10.10.10.10 XX-002_WLAN: *Jan 06 10:16:32.709: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.960: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.961: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
WLC Debug:
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Station 58:94:6b:15:f5:d0 setting dot1x reauth timeout = 1800
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 1)
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Received EAPOL START from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 2)
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received Identity Response (count=2) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 EAP State update from Connecting to Authenticating for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Authenticating state
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.711: Callback.....................................0x87e1870
*Jan 07 19:31:42.712: protocolType.................................0x00140001
*Jan 07 19:31:42.712: proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.712: Packet contains 12 AVPs (not shown)
*Jan 07 19:31:42.712: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.712: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 231) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Access-Challenge received from RADIUS server 15.15.15.15 for mobile 58:94:6b:15:f5:d0 receiveId = 155
*Jan 07 19:31:42.788: AuthorizationResponse: 0xa345700
*Jan 07 19:31:42.788: structureSize................................145
*Jan 07 19:31:42.788: resultCode...................................255
*Jan 07 19:31:42.788: protocolUsed.................................0x00000001
*Jan 07 19:31:42.788: proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.788: Packet contains 4 AVPs (not shown)
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Processing Access-Challenge for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Entering Backend Auth Req state (id=3) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Sending EAP Request from AAA to mobile 58:94:6b:15:f5:d0 (EAP Id 3)
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAP Response from mobile 58:94:6b:15:f5:d0 (EAP Id 3, EAP Type 13)
*Jan 07 19:31:42.806: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.806: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.806: Callback.....................................0x87e1870
*Jan 07 19:31:42.806: protocolType.................................0x00140001
*Jan 07 19:31:42.807: proxyState...................................58:94:6B:15:F5:D0-9B:01
*Jan 07 19:31:42.807: Packet contains 13 AVPs (not shown)
*Jan 07 19:31:42.807: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.807: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:52.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00 ..
*Jan 07 19:31:52.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 Max retransmission of Access-Request (id 228) to 15.15.15.15 reached for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 [Error] Client requested no retries for mobile 58:94:6B:15:F5:D0
*Jan 07 19:32:12.533: 58:94:6b:15:f5:d0 Returning AAA Error 'Timeout' (-5) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.533: AuthorizationResponse: 0xb99ff864
Finally, we've also done some packet sniffing, using Wireshark and Commview. These appear to suggest that something is wrong with one of the packets and this leads to the authentication process to fail and restart again and again:
******************** WIRESHARK CAPTURE ********************
No. Time Source Destination Protocol Info
1 0.000000 10.10.10.10 15.15.15.15 RADIUS Access-Request(1) (id=125, l=280)
Frame 1: 322 bytes on wire (2576 bits), 322 bytes captured (2576 bits)
Ethernet II, Src: Cisco_62:63:00 (f8:66:f2:62:63:00), Dst: Cisco_55:20:41 (1c:df:0f:55:20:41)
Internet Protocol, Src: 10.10.10.10 (10.10.10.10), Dst: 15.15.15.15 (15.15.15.15)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 308
Identification: 0x501f (20511)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x4aee [correct]
Source: 10.10.10.10 (10.10.10.10)
Destination: 15.15.15.15 (15.15.15.15)
User Datagram Protocol, Src Port: filenet-rpc (32769), Dst Port: radius (1812)
Source port: filenet-rpc (32769)
Destination port: radius (1812)
Length: 288
Checksum: 0xe8e0 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x7d (125)
Length: 280
Authenticator: 79b2f31c7e67d6fdaa7e15f362ecb025
Attribute Value Pairs
AVP: l=27 t=User-Name(1): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
AVP: l=19 t=Calling-Station-Id(31): 00-21-6a-29-80-xx
AVP: l=27 t=Called-Station-Id(30): f0-25-72-70-65-c0:WLAN-XX
AVP: l=6 t=NAS-Port(5): 2
AVP: l=6 t=NAS-IP-Address(4): 10.10.10.10
AVP: l=13 t=NAS-Identifier(32): XX-002_WLAN
AVP: l=12 t=Vendor-Specific(26) v=Airespace(14179)
AVP: l=6 t=Service-Type(6): Framed(2)
AVP: l=6 t=Framed-MTU(12): 1300
AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=89 t=EAP-Message(79) Last Segment[1]
EAP fragment
Extensible Authentication Protocol
Code: Response (2)
Id: 3
Length: 87
Type: EAP-TLS [RFC5216] [Aboba] (13)
Flags(0x80): Length
Length: 77
Secure Socket Layer
AVP: l=25 t=State(24): 1d68036a000001370001828b38990000000318a3088c00
AVP: l=18 t=Message-Authenticator(80): 9fe1bfac02df3293ae2f8efc95de2d5d
No. Time Source Destination Protocol Info
2 0.060373 15.15.15.15 10.10.10.10 IP Fragmented IP protocol (proto=UDP 0x11, off=0, ID=2935) [Reassembled in #3]
Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 44
Identification: 0x2935 (10549)
Flags: 0x01 (More Fragments)
Fragment offset: 0
Time to live: 122
Protocol: UDP (17)
Header checksum: 0x58e0 [correct]
Source: 15.15.15.15 (15.15.15.15)
Destination: 10.10.10.10 (10.10.10.10)
Reassembled IP in frame: 3
Data (24 bytes)
0000 07 14 80 01 05 69 e8 f5 0b 7d 05 61 6c 83 00 ae .....i...}.al...
0010 d0 75 05 c3 56 29 a7 b1 .u..V)..
No. Time Source Destination Protocol Info
3 0.060671 15.15.15.15 10.10.10.10 RADIUS Access-challenge(11) (id=125, l=1377)
Frame 3: 1395 bytes on wire (11160 bits), 1395 bytes captured (11160 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1381
Identification: 0x2935 (10549)
Flags: 0x00
Fragment offset: 24
Time to live: 122
Protocol: UDP (17)
Header checksum: 0x73a4 [correct]
Source: 15.15.15.15 (15.15.15.15)
Destination: 10.10.10.10 (10.10.10.10)
[IP Fragments (1385 bytes): #2(24), #3(1361)]
User Datagram Protocol, Src Port: radius (1812), Dst Port: filenet-rpc (32769)
Source port: radius (1812)
Destination port: filenet-rpc (32769)
Length: 1385
Checksum: 0xe8f5 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: Access-challenge (11)
Packet identifier: 0x7d (125)
Length: 1377
Authenticator: 6c8300aed07505c35629a7b14de483be
Attribute Value Pairs
AVP: l=6 t=Session-Timeout(27): 30
Session-Timeout: 30
AVP: l=255 t=EAP-Message(79) Segment[1]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[2]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[3]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[4]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[5]
EAP fragment
AVP: l=33 t=EAP-Message(79) Last Segment[6]
EAP fragment
Extensible Authentication Protocol
Code: Request (1)
Id: 4
Length: 1296
Type: EAP-TLS [RFC5216] [Aboba] (13)
Flags(0xC0): Length More
Length: 8184
Secure Socket Layer
[Malformed Packet: SSL]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
******************** COMMVIEW CAPTURE ******************
Packet #6, Direction: Pass-through, Time:11:27:35,251292, Size: 323
Ethernet II
Destination MAC: 1C:DF:0F:55:20:xx
Source MAC: F8:66:F2:62:63:xx
Ethertype: 0x0800 (2048) - IP
IP
IP version: 0x04 (4)
Header length: 0x05 (5) - 20 bytes
Differentiated Services Field: 0x00 (0)
Differentiated Services Code Point: 000000 - Default
ECN-ECT: 0
ECN-CE: 0
Total length: 0x0135 (309)
ID: 0x2B26 (11046)
Flags
Don't fragment bit: 1 - Don't fragment
More fragments bit: 0 - Last fragment
Fragment offset: 0x0000 (0)
Time to live: 0x40 (64)
Protocol: 0x11 (17) - UDP
Checksum: 0x6FE6 (28646) - correct
Source IP: 161.86.66.49
Destination IP: 15.15.15.15
IP Options: None
UDP
Source port: 32769
Destination port: 1812
Length: 0x0121 (289)
Checksum: 0x5824 (22564) - correct
Radius
Code: 0x01 (1) - Access-Request
Identifier: 0x8D (141)
Packet Length: 0x0119 (281)
Authenticator: 60 4E A6 58 A8 88 A2 33 4E 56 D0 E9 3B E0 62 18
Attributes
Attribute
Type: 0x01 (1) - User-Name
Length: 0x1A (26)
Username: XXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
Attribute
Type: 0x1F (31) - Calling-Station-Id
Length: 0x11 (17)
Calling id: 58-94-6b-15-5f-xx
Attribute
Type: 0x1E (30) - Called-Station-Id
Length: 0x19 (25)
Called id: f0-25-72-70-65-c0:WLAN-XX
Attribute
Type: 0x05 (5) - NAS-Port
Length: 0x04 (4)
Port: 0x00000002 (2)
Attribute
Type: 0x04 (4) - NAS-IP-Address
Length: 0x04 (4)
Address: 10.10.10.10
Attribute
Type: 0x20 (32) - NAS-Identifier
Length: 0x0B (11)
NAS identifier: XX-002_WLAN
Attribute
Type: 0x1A (26) - Vendor-Specific
Length: 0x0A (10)
Vendor id: 0x00003763 (14179)
Vendor specific:
Attribute
Type: 0x06 (6) - Service-Type
Length: 0x04 (4)
Service type: 0x00000002 (2) - Framed
Attribute
Type: 0x0C (12) - Framed-MTU
Length: 0x04 (4)
Framed MTU: 0x00000514 (1300)
Attribute
Type: 0x3D (61) - NAS-Port-Type
Length: 0x04 (4)
NAS port type: 0x00000013 (19) - Wireless - IEEE 802.11
Attribute
Type: 0x4F (79) - EAP-Message
Length: 0x57 (87)
EAP-Message
Attribute
Type: 0x18 (24) - State
Length: 0x17 (23)
State: 1F 38 04 12 00 00 01 37 00 01 82 8B 38 99 00 00 00 03 18 A6 82 B7 00
Attribute
Type: 0x50 (80) - Message-Authenticator
Length: 0x10 (16)
Message-Authenticator: 4F 13 92 9C 10 29 C5 3A B9 AE 92 CA 74 11 6C B5
Packet #28, Direction: Pass-through, Time:11:27:36,523743, Size: 62
Ethernet II
Destination MAC: F8:66:F2:62:63:xx
Source MAC: 1C:DF:0F:55:20:xx
Ethertype: 0x0800 (2048) - IP
IP
IP version: 0x04 (4)
Header length: 0x05 (5) - 20 bytes
Differentiated Services Field: 0x00 (0)
Differentiated Services Code Point: 000000 - Default
ECN-ECT: 0
ECN-CE: 0
Total length: 0x002C (44)
ID: 0x4896 (18582)
Flags
Don't fragment bit: 0 - May fragment
More fragments bit: 1 - More fragments
Fragment offset: 0x0000 (0)
Time to live: 0x7A (122)
Protocol: 0x11 (17) - UDP
Checksum: 0x397F (14719) - correct
Source IP: 15.15.15.15
Destination IP: 10.10.10.10
IP Options: None
UDP
Source port: 1812
Destination port: 32769
Length: 0x0569 (1385)
Checksum: 0x2FE4 (12260) - incorrectHi,
We spent many hours trying to solve this problem.
Our setup:
Cisco wireless setup, using windows NPS for 802.1x authentication.
Certificate base auth, with an internal PKI sending out client machine certs, and also the server cert.
Auth was failing with "reason code 22, The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
It turned out to be a GPO setting on the server, that was enforcing key protection.
There is this note on the below technet article:
Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
Hopefully this helps someone out, if you have the same annoying error.
Maybe you are looking for
-
hi guys, I'm trying to use my new webcam Logiterch C920 with Skype but I don;t know why, I can't have video call. I have sound but no image. My configuration is: Win8.1/64bits. I tried with older Skype version, works for a few times, but after a whi
-
Block Operation Number Change in Production order
hello, How can i block the operation number change in production order if the operation status is CNF...? ie either disable the operation number cell or disable the entire row in the production order. rgrds Krishna.
-
Hi, I use this piece of code to scan through an entire HTML file: while (!scanner.nextLine().matches( "TEXT HERE" )) { // do stuff // do other stuffIs there some kind of wildcard character that I can in the .matches() method use so that the following
-
Motion is so slow - spinning ball all the time!
I took a class in Motion recently and they used iMacs at every station. I never got a spinning ball. I've got a 12 Core with 16GB of RAM and I can't scroll a window without getting a spinning ball. Every tiny adjustment takes forever! Another thi
-
Recently I updated my Firefox. At that time, Norton online backup downloaded with Firefox, tho I never saw a request for my permission. I would never have granted it because I know Norton to be a big system hog. My browser has been unbelievably slow