ISE 1.2 / WLC 5508 EAP-TLS expired certificate error, but wireless still working

Similar Messages

• WLC 5508 - EAP-TLS - Windows 8.1 Third Party PKI

  Hello,
  Does anybody know what could prevent a Windows 8/8.1 system to connect to a WLC via EAP-TLS? Windows 7/XP do not have any problems here.The radius server accepts the request, but WIndows 8 still tries to authenticate.
  Software is updated to 7.6.120.0, I tried to setup timeout values, but no success at all.
  Did anyone have similar problems with Windows 8/81?
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Starting key exchange to mobile 0c:8b:fd:eb:16:17, data packets will be dropped
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
     state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
     state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Reusing allocated memory for  EAP Pkt for retransmission to mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId =
  0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Entering Backend Auth Success state (id=6) for mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Received Auth Success while in Authenticating state for mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 dot1x - moving mobile 0c:8b:fd:eb:16:17 into Authenticated state
  *osapiBsnTimer: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *osapiBsnTimer: Jun 24 12:43:16.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *osapiBsnTimer: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 Retransmit failure for EAPOL-Key M1 to mobile 0c:8b:fd:eb:16:17, retransmit count 3, mscb deauth count 0
  Any hint would be great .... Thank you...

  Hello Dino,
    thanks very much for your reply.
    The client uses a machine-certificate, the PKI is not a microsoft one, but a third party PKI.   The certificate is fresh and valid, the root-cert is installed and checked to be validated against it for the login.
  Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
  EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
  I suspect the cert-setup itself, but don't get a clue where this might stuck...
  Björn

• WLC Local EAP-TLS auth, certificate ACL feature?

  Hi All,
  I implemented local EAP-TLS authentication according to http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml. All is working fine, clients - Wi-Fi bar code scanners, WLC -2x4402, SV - 7.0.116.0 Certificates generated by Enterprise CA.
  Afterwards, I discovered that certificates cannot be filtered by cname, or user name on WLC. It means that ANY certificate issued by CA will be authenticated against my WLAN. CA issues a whole lot of certificates (RRAS VPNs, WEB clients, etc. ) I want to filter access for my wireless clients using local EAP solution (WLC are at remote location). Can I accomplish it without external RADIUS server? Something like IOS certificate ACL?
  Thanks in advance.

  Thanks Nicolas, sad but true, I failed to find any possibilites at WLC.
  It seems I need to configure external RADIUS and use local EAP only in case of WAN failure.

• 802.1X EAP-TLS User Certificate Errors

  I'm trying to implement 802.1x using EAP-TLS to authenticate our wireless users/clients (Windows 7 computers).  I did a fair amount of research on how to implement this solution and everything seems to work fine when authentication mode is set to: Computer
  Authentication.  However, when authentication mode is set to "User or Computer" or just "User" it fails.  I get a "certificate is required to connect" pop up and it's unable to connect.
  No errors on the NPS side but I enabled logging on the client (netsh ras set tracing * ENABLED) and this is what I can see.  It seems as if there is a problem with the client certificate:
  [236] 06-04 09:26:35:704: EAP-TLS using All-purpose cert
  [236] 06-04 09:26:35:720:  Self Signed Certificates will not be selected.
  [236] 06-04 09:26:35:720: EAP-TLS will accept the  All-purpose cert
  [236] 06-04 09:26:35:720: EapTlsInitialize2: PEAP using All-purpose cert
  [236] 06-04 09:26:35:720: PEAP will accept the  All-purpose cert
  [236] 06-04 09:26:35:720: EapTlsInvokeIdentityUI
  [236] 06-04 09:26:35:720: GetCertInfo flags: 0x40082
  [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
  [236] 06-04 09:26:35:720: DwGetEKUUsage
  [236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
  [236] 06-04 09:26:35:720: FCheckSCardCertAndCanOpenSilentContext
  [236] 06-04 09:26:35:720: DwGetEKUUsage
  [236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
  [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
  [236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
  [236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
  [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
  [236] 06-04 09:26:35:720: DwGetEKUUsage
  [236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
  [236] 06-04 09:26:35:720: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
  Also, in the event viewer I get the following:
  Wireless 802.1x authentication failed.
  Network Adapter: Dell Wireless 1510 Wireless-N WLAN Mini-Card
  Interface GUID: {64191d46-0ea6-4251-86bb-7d6de5701025}
  Local MAC Address: C4:17:FE:48:F2:79
  Network SSID: *****
  BSS Type: Infrastructure
  Peer MAC Address: 00:12:17:01:F7:2F
  Identity: NULL
  User: presentation
  Domain: ****
  Reason: Explicit Eap failure received
  Error: 0x80420014
  EAP Reason: 0x80420100
  EAP Root cause String: Network authentication failed\nThe user certificate required for the network can't be found on this computer.
  I created user and computer certificates by duplicating the "User" and "Computer" templates in AD CS.  I modified the "Subject Name" to "Build from Active Directory information".  "Subject Name Format" is set to "Fully Distinguished Name" and "User
  Principal Name (UPN) is checked.  All other boxes are cleared.  I verified that certificates for both user, computer , and root CA are all correctly auto enrolled.  I also verified that the user certificate
  exists in the "Personal" user certificate store on the client.
  There is clearly something wrong with the user certificate but what? I'm at wits ends as I have tried everything.  Please help!

  Hey,
  I am precisely in the same situation now. I have  a win7 client with server2008R2(having AD, and DNS) with NPS running. I have certificate templates and auto enrollment configured. My Win7 machine is able to authenticate using its certificate but
  when I use the user certificate it doesn't work. Both  user/computer certificates are coming from the AD root CA enterprise. NPS has the right certificate. I have verified on client user/local machine , both have their respective certificates in their
  personal stores.
  I have tried all possible combination and even tried changing the key provider but no use.[6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
  [6472] 12-10 13:39:04:327: FCheckSCardCertAndCanOpenSilentContext
  [6472] 12-10 13:39:04:327: DwGetEKUUsage
  [6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
  [6472] 12-10 13:39:04:327: FCheckUsage: All-Purpose: 1
  [6472] 12-10 13:39:04:327: Acquiring Context for Container Name: le-LM-USER-4aa6cf55-b6b7-491e-ad5b-735e44eaf3c7, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
  [6472] 12-10 13:39:04:327: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
  [6472] 12-10 13:39:04:327: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
  [6472] 12-10 13:39:04:327: EAP-TLS using All-purpose cert
  [6472] 12-10 13:39:04:327:  Self Signed Certificates will not be selected.
  [6472] 12-10 13:39:04:327: EAP-TLS will accept the  All-purpose cert
  I am stuck at it for last few days with no real cause known as yet.!
  Any help will be thoroughly appreciated!!!

• 5800 XM "Expired Certificate" error message

  For people who own a Nokia 5800 XM, the error message of "Expired Certificate" when downloading applications onto the device will be mean you cannot load on new apps, which can be frustrating.
  Firstly you should try to update the firmware on your phone by 1 of 3 ways.
  Using FOTA (Firmware Over The Air). Another thread of mine will explain this in detail. You can find it here.
  Downloading Nokia Software Updater(NSU) and connecting your 5800 to the computer using a data cable.
  Taking the handset to a Nokia Care point if you do not want to try the above 2 options.
  **NOTE: Always be sure to make a back up of your personal details that are held on the phone as updating firmware will most likely delete any data left on the phone.
  If you have used FOTA or NSU to update your firmware, or there is no new update available then doing the following will work and will allow you to install new applications without the expired certificate error message.
  With the phone switched on, press the power button key once.
  Scroll down to and select "Remove E: Memory Card". 
  Select Yes to remove the memory card.
  Press OK and remove memory card from phone.
  Press the Dialler on the main screen.
  Type *#7370#
  Enter security code. Default is 12345 unless it has been changed.
  The phone will reset, wait for this to complete and power back on.
  Select your country and type in the correct time and date.
  Wait for the phone to complete its configurations, you may receive "My Nokia" or tutorial messages.
  Power off phone.
  Insert the memory card.
  Power on the phone.
  Wait for the phone to install any pre-loaded content from the memory card
  Phone is ready to install applications, without "Expired Certificate" error message.
  I have done the above myself and downloaded the PDF reader from the "Download" application from within the handset and it installed with no error after these steps.
  I hope this helps.
  My posts are my opinion and in no way the direct views of Nokia.
  If my posts are helpful, please give me some KUDOS using the green star on the left.

  try to sign your app(s) through Opda site.
  If you want to thank someone, just click on the blue star at the bottom of their post

• Another Expired Certificate Error Thread

  I've searched all over, and apologize in advance if there is already an answer for this.
  I'm using the Symbian Belle OS and am running into the old problem of expired certificate errors when trying to install certain apps. The solution to this was to change the date on the phone so it coincides with that of the application you're trying to install. But that solution is no longer working.
  Does anyone know of a workaround?

  I did every year all the way back to 2000 but no luck
  I also tried sites that will convert the .sis file into one with a valid certificate, but that fails as well. When going down that road it just tells me the certificate is not valid or that the author cannot be verified (instead of expired).

• ISE: advising users that only EAP-TLS can be used

  A large school board accepts only EAP-TLS connections.  This requirement is easily dissiminated to teachers, however not to students whose personal devices keep trying to connect using PEAP.   Once users connect with EAP-TLS, they are authenticated on AD.
  1. Could we from the Switch port block PEAP but let EAP-TLS go through? I couldn't find a command for this.
  2. If we can't stop PEAP requests from reaching ISE, could we treat the PEAP connections as CWA, but have a special Authorization Rule that would say if inner tunnel is PEAP then do CWA-nonEAP-TLS web authentication which would be a customized web page that would have a message instructing the students how to use EAP-TLS? would that make sense?
  3. Do you have better suggestion how to either block PEAP before it reaches ISE or a way using ISE to let users know that they must use EAP-TLS, not PEAP if they wish to connect?
  Thanks.
  Cath.

  Hi Tarik,
  Of course, I know about the Allowed Protocol which currently has only Host Lookup and EAP-TLS enabled.  But that technique, of not allowing PEAP in ISE Authentication policies, doesn't stop thousands of students devices from hitting ISE with PEAP traffic.  Students have heard that they are allowed to connect to the school network using dot1x, so they turn it on on their PC without regards of to which EAP flavour they are supposed to use.  Thus, the ISE box getitng hit with PEAP requests which it drops.  The school board would like to deal with that PEAP traffic. 
  To alliviate this problem, of the ISE box getting constantly PEAP traffic from the same device over and over again in the course of a day, I was wondering:
  1. can we stop PEAP traffic before it arrives to ISE?  is there a way for the switch to differentiate that it's a PEAP and not EAP-TLS and to drop it before passing it to ISE? I don't think so.
  2. if the switch can't stop PEAP , how is the best way to have ISE process the PEAP traffic?   because if ISE only reject the PEAP traffic, it is constantly hit back that the same device sending over and over PEAP traffic to ISE. 
  I suggested to the client the two following possible ways:
    a. authorization rule based on Network Access: Tunnel PEAP that provides CWA with customized webpage telling the students to use EAP-TLS and not PEAP (this technique is explained in para 2. of my original posting).
    b. create a blackhole VLAN where the students personal PC that are arriving with PEAP are put.  This VLAN doesn't go anywhere, but at least the PC has stopped hitting ISE with PEAP traffic for a few minutes, until the student decides to restart his/her connection.   
  I also recommended to the client that they have a better technique to inform the students that only EAP-TLS is available, like posters on the wall, blast email, on School FB page, etc .  but information dissimination is not an IT problem, it's a communication problem. 
  Looking forward to your suggestions.

• WLC 4400: EAP-TLS

  Good day!
  I tried to set up the EAP-TLS according to
  - http://cciew.wordpress.com/2010/06/10/eap-tls-on-the-wlc/
  - http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
  - Jeremy video about EAP-TLS
  The main question is about certificates.
  Tell me if I am wrong -  There are two types of certificates that we need to upload to the WLC:
  1) Device certificate - this is quite clear, OpenSSL, Certificate Request and e.t.c.
  2) CA Root certificate - if there is only one CA Root than clear, but if we have the following chain
  Root CA -> Intermediate CA -> WLC
  a) Do we need to upload the whole chain "Root CA -> Intermediate CA" to the WLC ?
  b) If yes, what format is it going to be? maybe smth like this
  ------BEGIN CERTIFICATE------
  *Intermediate CA cert *
  ------END CERTIFICATE--------
  ------BEGIN CERTIFICATE------
  *Root CA cert *
  ------END CERTIFICATE------

  Nicolas, thank you for your reply!
  1)
  I've already seen the article, but now notice some interesting fact:
  "Note: Chained certificates are supported for web authentication only; they are not supported for the management certificate."
  Regarding this note, do we need to bundle any certificates for EAP-TLS scheme?
  2)
  On the WLC we have an opportunity to download two types of Certificates:
  - Vendor Device Certificate - it is made of CSR request and then uploaded to the WLC in .pem format
  - Vendor CA Certificate - this is more interesting:
    Yesterday I bundled Root and Intermediate CA Certificates in one .pem file, then uploaded it to the WLC as "Vendor CA Certificate" - the result was suсcessful! During the EAP-TLS auth process SSL Handshake completed sucessfully and I connected to my EAP WLAN!
  In the controller Client Properties I saw the EAP TLS>
  Everything seems to be ok, strange...
  May be, the chain of Root and Intermediate CA Certificates is the redundant information, but the scheme seems to be working!

• WLC 5508 with LAP-1142n - Several Errors

  Hello all,
  I had installed a WLC 5508 with 7 LAP 1142n and 2 converted AP 1131abg.
  I am seeing some errors relating 2 issues.
  1st- One particular AP 1142 is disassociating and reseting the radios.
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman","serif";}
  Thu Oct 28 11:50:49 2010
  AP's Interface:0(802.11b)   Operation State Up: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio interface   reset. Status:NA
  Thu Oct 28 11:50:49 2010
  AP's Interface:0(802.11b)   Operation State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio interface   reset. Status:NA
  Thu Oct 28 11:50:49 2010
  AP's Interface:1(802.11a)   Operation State Up: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio interface   reset. Status:NA
  Thu Oct 28 11:50:49 2010
  AP's Interface:1(802.11a)   Operation State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio interface   reset. Status:NA
  Thu Oct 28 11:50:46 2010
  AP's Interface:1(802.11a) Operation   State Up: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio reset due to Init.   Status:NA
  Thu Oct 28 11:50:46 2010
  AP's Interface:0(802.11b)   Operation State Up: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio reset due to   Init. Status:NA
  Thu Oct 28 11:50:46 2010
  AP 'AP3', MAC:   e8:04:62:23:ac:e0 disassociated previously due to AP Reset. Uptime: 1 days,   10 h 24 m 23 s . Last reset reason: operator changed 11g mode.
  Thu Oct 28 11:50:35 2010
  AP Disassociated. Base Radio   MAC:e8:04:62:23:ac:e0
  Thu Oct 28 11:50:35 2010
  AP's Interface:1(802.11a)   Operation State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=New Discovery Status:NA
  Thu Oct 28 11:50:35 2010
  AP's Interface:0(802.11b) Operation   State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=New Discovery Status:NA
  I had some search, and the new discovery cause, might be that the AP didnt know what WLC do associate, in a multi-controller environment. This is not the case. I only have one WLC in the same management vlan.
  2st-The Radius server is beeing related in the logs as been deactivated. I raise the server time-out on Radius configuration option, but it still continues to do it.
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman","serif";}
  Thu Oct 28 10:24:41 2010
  RADIUS server 10.67.128.36:1812 deactivated in global list
  Thu Oct 28 10:24:41 2010
  RADIUS server 10.67.128.36:1812 failed to respond to request (ID 172)   for client e8:06:88:51:c0:2b / user 'unknown'
  Is this meaning the WLC stop sending request to the Radius Server ? We dont have BackUp Radius.
  As far as i know, its always the same mac-address client that is associated to that error, maybe a iphone.
  I had so many clients in that SSID and they are all working good.
  The Radius server is a NPS from windows Server 2008
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman","serif";}
  , and the client says that the medium response time is 0,02 sec, so im wondering why the controller is not getting response from Radius for a particular client?! My client also says, that didnt found any log related to that mac-address client ... what is weird...
  WLC with last software available 7.0.164
  Hope some one help me here.
  Best Regards,
  Bruno Petrónio

  Thanks Scott,
  I understand what you are mentioning, and i really didnt do it yet.
  I realize that the primary controller was not configured on the
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman","serif";}
  Wireless –> All APs –> High Availability tab, and did it only to the AP that is taking this beahviour.
  Is this mandatory for a 1 controller only ?
  No mather what the manual say, after that the AP is rebooting 2 mins in 2 mins... with the same kind of messages.
  The interface on the switch is getting a few input errors and the same numbers of crc... but are so few...
  Next step ... i will change it to another one's place/pathing cable.
  Regarding the Radius messages... any ideas ?
  I'm already on 30 sec's of server timeout.
  Best Regards,
  Bruno Petrónio

• WLC 5508 : WPA2 enabled SSID - especially Intel & Dell wireless cards are not getting connected

  Hi ,
  I have one pecular issue in my wireless lan set-up. I have some laptop users who are using below inbuilt wireless adapter/cards :
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  1 ) Dell wireless 1397 WLAN Minicard
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  2 ) Intel Centrino Advanced N6200 AGN
  above card are having issue with WPA2 enabled ssid connecitivity. strange is , the same users are getting connected to other wep enabled SSID but its not working for WPA2 SSID.
  I have external ACS server which is used for radius authentication. Last time I had put same query in support forum did some workaround.
  eq. disabling DHCP proxy option in WLC and moving all DHCP scope in external server.
  After doing this workaround this mentioned users are still facing issue. I gone through some cisco document and some forums and came across that there is something to be done in " Session Timed Out "  optionin WLC
  which is default 1800 sec based on that I tried to capture debug outputs for mentioned above problematic clients and user who is working fine .
  I gone through the same debug output  and observed :
  User who is working fine :
  Processing Access-Accept for mobile 00:22:5f:8d:55:84
  00:xx:xx:xx:xx:xx Setting re-auth timeout to 1800 seconds, got from WLAN config.
  00:xx:xx:xx:xx:xx Station 00:22:5f:8d:55:84 setting dot1x reauth timeout = 1800
  00:xx:xx:xx:xx:xx Creating a PKC PMKID Cache entry for station 00:22:5f:8d:55:84 (RSN 2)
  00:xx:xx:xx:xx:xx Adding BSSID 00:1f:ca:2c:f3:01 to PMKID cache for station 00:22:5f:8d:55:84
  New PMKID: (16)
  The User /  card which is having issue :
  Processing Access-Accept for mobile 00:22:5f:90:a2:ac
  00:xx:xx:xx:xx:xx Setting re-auth timeout to 0 seconds, got from WLAN config.
  00:xx:xx:xx:xx:xx Station 00:22:5f:90:a2:ac setting dot1x reauth timeout = 0
  00:xx:xx:xx:xx:xx Stopping reauth timeout for 00:22:5f:90:a2:ac
  00:xx:xx:xx:xx:xx Creating a PKC PMKID Cache entry for station 00:22:5f:90:a2:ac (RSN 2)
  00:xx:xx:xx:xx:xx Adding BSSID 00:26:cb:1d:fe:31 to PMKID cache for station 00:22:5f:90:a2:ac
    New PMKID: (16)
  Please suggest me to do workaround.

  Hi,
  According to output of working as well as not working wireless cards ,
  below is my observations :
  Not working wireless cards observation :
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  The client passed the L2 authentication and that, after successful association, it is now going into the DHCP_REQD state
  Not-working wirelss card :
  *Apr 06 11:58:15.866: 0c:60:76:3e:8c:49 10.10.232.137 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
  *Apr 06 11:58:15.866: 0c:60:76:3e:8c:49 Stopping retransmission timer for mobile 0c:60:76:3e:8c:49
  *Apr 06 11:58:15.869: 0c:60:76:3e:8c:49 10.10.232.137 Added NPU entry of type 1, dtlFlags 0x0
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  The client entry is added to the Network Processing Unit (NPU) of the controller with an IP address of  10.10.232.137 but after that , I am getting below output
  *Apr 06 11:58:22.742: 0c:60:76:3e:8c:49 Copy AP LOCP - mode:0 slotId:0, apMac 0x0:1f:ca:2c:ea:e0
  *Apr 06 11:58:22.742: 0c:60:76:3e:8c:49 Copy WLAN LOCP EssIndex:2 aid:50 ssid:USTRI_SECURE
  *Apr 06 11:58:22.742: 0c:60:76:3e:8c:49 Copy Security LOCP ecypher:0x0 ptype:0x2, p:0x0, eaptype:0x2 w:0x1 aalg:0x0, PMState:        RUN
  *Apr 06 11:58:22.742: 0c:60:76:3e:8c:49 Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x1 protocol2:0x3 statuscode 0, reasoncode 99, status 3
  *Apr 06 11:58:22.742: 0c:60:76:3e:8c:49 Copy Username LOCP :   U25744
  *Apr 06 11:58:22.743: 0c:60:76:3e:8c:49 Copy IP LOCP: 0xa0ae889
  *Apr 06 11:58:22.743: 0c:60:76:3e:8c:49 Copy CCX LOCP 4
  *Apr 06 11:58:22.743: 0c:60:76:3e:8c:49 Copy MobilityData LOCP status:1, anchorip:0x0
  *Apr 06 11:59:14.002: 0c:60:76:3e:8c:49 10.10.232.137 RUN (20) State Update from Mobility-Complete to Mobility-Incomplete
  *Apr 06 11:59:14.002: 0c:60:76:3e:8c:49 Clearing Address 10.10.232.137 on mobile
  *Apr 06 11:59:14.002: 0c:60:76:3e:8c:49 10.10.232.137 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)
  *Apr 06 11:59:14.002: 0c:60:76:3e:8c:49 apfMmProcessDeleteMobile (apf_mm.c:522) Expiring Mobile!
  *Apr 06 11:59:14.002: 0c:60:76:3e:8c:49 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 0c:60:76:3e:8c:49 on AP 00:1f:ca:2c:ea:e0 from Associated to Disassociated.
  working cards ouput :
  *Apr 06 12:16:28.038: 00:22:5f:8d:55:84 10.10.232.190 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
  *Apr 06 12:16:28.038: 00:22:5f:8d:55:84 Stopping retransmission timer for mobile 00:22:5f:8d:55:84
  *Apr 06 12:16:28.042: 00:22:5f:8d:55:84 10.10.232.190 Added NPU entry of type 1, dtlFlags 0x0
  The client entry is added to the Network Processing Unit (NPU) of the controller with an IP address of  10.10.232.190  and as expected  , I am getting below output
  *Apr 06 12:16:28.749: 00:22:5f:8d:55:84 DHCP received op BOOTREQUEST (1) (len 321, port 29, encap 0xec03)
  *Apr 06 12:16:28.751: 00:22:5f:8d:55:84 DHCP processing DHCP REQUEST (3)
  *Apr 06 12:16:28.751: 00:22:5f:8d:55:84 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
  *Apr 06 12:16:28.752: 00:22:5f:8d:55:84 DHCP   xid: 0x6eefbbb8 (1861204920), secs: 0, flags: 0
  *Apr 06 12:16:28.752: 00:22:5f:8d:55:84 DHCP   chaddr: 00:22:5f:8d:55:84
  *Apr 06 12:16:28.752: 00:22:5f:8d:55:84 DHCP   ciaddr: 10.10.232.190,  yiaddr: 0.0.0.0
  *Apr 06 12:16:28.752: 00:22:5f:8d:55:84 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
  *Apr 06 12:16:28.753: 00:22:5f:8d:55:84 DHCP successfully bridged packet to DS
  *Apr 06 12:16:30.751: 00:22:5f:8d:55:84 Copy AP LOCP - mode:0 slotId:0, apMac 0x0:1f:ca:2c:f3:0
  *Apr 06 12:16:30.751: 00:22:5f:8d:55:84 Copy WLAN LOCP EssIndex:2 aid:10 ssid:USTRI_SECURE
  *Apr 06 12:16:30.751: 00:22:5f:8d:55:84 Copy Security LOCP ecypher:0x0 ptype:0x2, p:0x0, eaptype:0x2 w:0x1 aalg:0x0, PMState:        RUN
  *Apr 06 12:16:30.752: 00:22:5f:8d:55:84 Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x1 protocol2:0x3 statuscode 0, reasoncode 99, status 3
  *Apr 06 12:16:30.752: 00:22:5f:8d:55:84 Copy Username LOCP : USTR\U17967
  *Apr 06 12:16:30.752: 00:22:5f:8d:55:84 Copy IP LOCP: 0xa0ae8be
  *Apr 06 12:16:30.752: 00:22:5f:8d:55:84 Copy CCX LOCP 4
  *Apr 06 12:16:30.752: 00:22:5f:8d:55:84 Copy MobilityData LOCP status:1, anchorip:0x0
  Finally client is getting stuck with DHCP-REQD state ..................
  Please look into this and put light on this ............

• EAP-TLS User Certificate Question

  I've setup a test ACS server and have everything functioning correctly including the WLAN. However, is there anyway for EAP-TLS to use ONLY the machine certificate and not the user certificate? We are not currently setup with per-user certificates. I'm guessing not on this... My primary question then is with User Certificates, how do you handle the following scenerio:
  I have many CoW's (computer on wheels) through out the hospital that nurses use for inputting patient information. They all have a simple generic username/password (BADDD!!!!) so with this user it won't be hard to have default_user certificate install on the machines. But what if Doctor X decideds to walk up to one of these CoW's and wants to logout and log back in with his user/password on a machine he's never used before. How do we handle making sure he's able to connect if doesn't already have a cert on this computer? I'm quite mistified by this.
  Thanks
  -Raun

  If you are using the MS Supplicant, you need the following registry settings:
  "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode", 2, "REG_DWORD"
  "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode", 3, "REG_DWORD"
  This forces it to only use hardware certificates and sets the authentication to do the correct RFC polling.
  As for the other issue, MS CA user certs do not "roam". Yet. There is discussion of roaming credentials being in Windows 7, but not entirely what that means. Roaming certificates can be easier with a product like Venafi. There "Encryption Management" tools are certificate management suites. The do have roaming management, or at least did when we talked to them.
  Oh, and if you use two CAs (hardware and user), the separation keeps it straight too.

• EAP-TLS on ACS v4 for wireless users

  Hi,
  I?m trying to deploy EAP-TLS authentication method on ACS v4.0 for my local wireless users; really I stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.
  As mentioned on the ACS configuration guide I have to have CA server to generate certificates for both ACS and wireless users, but I found an option on the ACS under System configuration tab then ACS Certificate Setup a Generate Self-Signed Certificate, I generated a certificate and uploaded a copy to my PC, installed and followed the recommended steps to configure the Microsoft XP client configuration but still I got the error ?Windows was unable to find a certificate to log you on to the network SSID? . Honestly I don?t know if this is possible but I gave it a try but failed.
  Kindly advice what is the appropriate and easiest way to accomplish the task, if you could provide me with helpful documents I?ll appreciate it.
  Regards,
  Belal

  I am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
  Setup a Microsoft Certificate server as my
  CA. You can use same machine wih your ACS and CA.
  Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.
  On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.
  At that poit you should be able to connect you r wireless client using EAP-TLS.

• Wired 802.1x EAP-TLS Server Certificate Problem

  I have setup wired 802.1x authentication using EAP-TLS with ACS 3.3 and backend link to Active Directory. Root CA certificates are installed on the ACS and Client PC. Machine certificates and user certificates are also installed on Client PC. A Server certificate is installed on the ACS. All has been configured as detailed on the Cisco Web Site (numerous documents).
  If I set the client to authenticate the Servers certificate I get a failure. The clients log (Cisco Secure Services Client) states:
  11:48:53.088 Validating the server.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 Server list is empty, trusted server can not be validated.
  11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
  11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
  11:48:54.776 The authentication process has failed.
  If I look at the Auth log on ACS (set to full logging) it states:
  AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
  AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
  If I configure the client to not check the servers certificate it all works ok.
  Can anyone tell me why my server certificate is getting rejected?
  Thanks,
  Paul

  If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.

• Cisco WLC 5508 with Nexus 5048 CDP error

  Hello,
  We got cisco WLC 5508 running 74.121.0
  The WLC is connected to Nexus 5548 with dual-homed.
  We receive CDP duplex mismatch from the Nexus switches.
  Any ideas?

  Can you check the duplex info. of the neighbor using
  router#show cdp neighbors detail

• 'Certificate Expired/ Certificate Error' in Nokia ...

  I have bought a new Nokia N91 8GB. But when I try to instal any application or theme. I get an error saying 'Certificate Expired' or 'Certificate Error. Contact Application Supplier'. Please let me know how this can be resolved.

  Hi ismaniyar
  Firstly go to Application Manager > Options > Settings and set "Online Certificate check" = Off and Software Installation = All.
  Secondly try resetting date on phone to January 1 2007 first and if that doesn't work try December 31 2006 as Symbian certificate may have expired on theme; reset date after installation.
  The actual date is a case of trial and error and previously quoted dates may no longer apply due to the passage of time.
  Happy to have helped forum in a small way with a Support Ratio = 37.0