TLS Handshake, Client Authentication,missing CertificateVerify Message

Similar Messages

• TLS Handshake fails on Mac OS X

  Hello,
  We have a problem with the authentication of Mac OS X 10.8 devices on our wireless network. We are using ISE version 1.2 with patch 2 and a 2504 with version 7.4.115 as WLC. The device should be authenticated with a client certificate over eap-tls.
  In general this setup works fine. But we have problems with two Macs which don’t finish the TLS handshake for authentication. ISE shows “5440 Endpoint abandoned EAP session and started new“ as error message. The Client log shows a missing or not completely received server certificate.
  We also made several traces to find the point at which the server certificate gets lost. But actually the client receives the complete server hello from the tls handshake and simply doesn’t respond.
  Finally we found the problem in this case. It was the Bluetooth connection to an Apple magic mouse. After deactivating the Bluetooth connection the authentication works fine. When the connection is established you can reactivate Bluetooth. But this is more a workaround than a solution.
  Also interesting is the fact that it doesn’t work with this specific controller but it works fine with another one with almost identical configuration.
  We got a hint from an apple specialist that changing the channel might help because of interference but it makes no difference.

  Hi
  I have the same problems with a viritual WLC and ISE v1.2. Windows 7 clients cant connect to their WLAN and the ISE log fills with authentication error messages.
  5440 Endpoint abandoned EAP session and started new
  Have you heard anything from TAC?

• EAP-TLS or PEAP authentication failed during SSL handshake

  Hi Pros,
                 I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
  When I check my log in the failed attemps, there is what I found:
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  06/23/2010
  17:39:51
  Authen failed
  000e.9b6e.e834
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1101
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Networ
  06/23/2010
  17:39:50
  Authen failed
  [email protected]
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1098
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Network
  [email protected] = my windows active directory name
  1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
  2. Why sometimes it just shows the MAC of the client for username?
  3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
  2. Secondly, When I check in pass authentications... there is what i saw
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  NAS-Port
  NAS-IP-Address
  Network Access Profile Name
  Shared RAC
  Downloadable ACL
  System-Posture-Token
  Application-Posture-Token
  Reason
  EAP Type
  EAP Type Name
  PEAP/EAP-FAST-Clear-Name
  Access Device
  Network Device Group
  06/23/2010
  17:30:49
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  06/23/2010
  17:29:27
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
  Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
  Thanks in advance for your help,
  Crazy---

  Any ideas on this guys?? In my end, i've been reading some docs... Things started to make sens to me, but I still cannot authenticate, still the same errors. One more thing that catch my  attention now is the time it takes to open a telnet session to cisco device which has the ACS for auth server.
  My AD(Active Direct) and the ACS server are local same subnet(server subnet). Ping to the ACS from my desktop which is in different subnet is only take 1ms. To confirm that the issue is the ACS server, I decided to use another server in remote location, the telnet connection is way faster than the local ACS.
  Let's brain storm together to figure out this guys.
  Thanks in advance,
  ----Paul

• ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

  Hello, I´m stucked with this problem for 3 weeks now.
  I´m not able to configure the EAP-TLS autentication.
  In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
  The ISE´s certificate has been issued with the "server Authentication certificate" template.
  The clients have installed the certificates  also the certificate chain.
  When I try to authenticate the wireless clients I allways get the same error: "     Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
  and "OpenSSLErrorMessage=SSL alert
  code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
  I don´t know what else can I do.
  Thank you
  Jorge

  Hi Rik,
  the Below are the certificate details
  ISE Certificate Signed by XX-CA-PROC-06
  User PKI Signed by XX-CA-OTHER-08
  In ISE certificate Store i have the below certificates
  XX-CA-OTHER-08 signed by XX-CA-ROOT-04
  XX-CA-PROC-06 signed by XX-CA-ROOT-04
  XX-CA-ROOT-04 signed by XX-CA-ROOT-04
  ISE certificate signed by XX-CA-PROC-06
  I have enabled - 'Trust for client authentication' on all three certificates
  this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
  when i check the certificates of current user in the Client PC this is how it shows.
  XX-CA-ROOT-04 is listed in Trusted root Certification Authority
  and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

• EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake

  Hi All ,
               I am trying to test EAP_TLS authentication on acs 4.2.1.15 running on Appliance 1120 , I have installed my server certficate along with CA certficate on my appliance box , I have enabled features of  EAP_TLS under golbal authentication setup .
               I have downloaded client supplicant certficate file for my windows XP machine .
  When i tried to authenticated i am finding following error message under  failed attempts(EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my acs appliance box .
  Under certficate revocation list , I have forced my CA as CRL in use . Attached snap shot of all .
  Suggest me whether i need to enable all corresponding CA certficate undercertficate trust list , Kindly let me know were i am doing wrong on this ..

  Hello,
  I am NO expert on certificates but I have seen your error dozens of times from wireless clients on my Cisco ACS 4.2 Radius server.
  Through trial and error I wrote up this procedure for our Helpdesk for installing certs in Windows XP and Windows 7. These steps haven't failed me yet and the Helpdesk doesn't bother me as much anymore so see if this helps you:
  -          Manually install the Global CA under BOTH Trusted Root Certification Authorities\Certificates AND Intermediate Certification                      Authorities\Certificates
  -          Manually install the Intermediate CA under JUST the Intermediate Certification Authorities\Certificates
  -          Delete the wireless network from the computer
  -          REBOOT!!
  -          Open the Microsoft Management Console, “mmc”.
  -          Go FILE\Add Remove SnapIn. Select Certificates ..
  -          If promoted, do it for “My User Account”.
  -          Make sure the certificates are where you put them. 
  -          If you see any of these exact certificates out of place in either Trusted Root Certification Authorities\Certificates or Intermediate Certification                      Authorities\Certificates, remove them.
  -          Redo wireless network setup again
  I hope this helps you.
  Mike

• EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve

  We are running the LWAPP (2006 wlc's and 1242 AP's) and using the ACS 4.0 for authentication. Our users are
  experiencing an issue, where they are successfully authenticated the first time, however as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not being able to authenticate again.
  We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error msg is relevant since we have other WLC's that are working OK and still generating the same error msg on the ACS...
  Thanks..

  Here are some configs you can try:
  config advanced eap identity-request-timeout 120
  config advanced eap identity-request-retries 20
  config advanced eap request-timeout 120
  config advanced eap request-retries 20
  save config

• EAP-TLS or PEAP authentication failed during SSL handshake error

  I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
  The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
  Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
  Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
  Thanks for the help

  My experience suggests that the problem is the certificate.
  I'm running ACS 3.3.
  I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
  Correctly following the instructions led to a successful connection and no more error message.

• ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake after a client alert

  Hello,
  Has anyone come across this error code before?  I have looked in the 1.1.1 troubleshooting section and there is nothing there. When I click on the link for the description off the error in ISE I get the following error:
  I setup 7925 phones for EAP-TLS using MIC.  I have uploaded Cisco's Root CA and Manufactoring CA Certificates and enabled "Trust for client authentication".  A Certificate Profile is configured matching Common Name and is added to the Identity Sequence.    I got some additional attribute information, where there is a error message:
  OpenSSLErrorMessage=SSL alert code=0x233=563 ; source=remote ; type=fatal ; message="decrypt error"
  Anyone know what this error means?

  Yes,
  That could be it see if you can follow this guide on importing the ISE self signed cert: (i used a 7921 guide but it should be similar).
  http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/7_0/english/administration/guide/7921cfgu.html#wp1376129
  Installing the Authentication Server Root Certificate
  The Authentication Server Root Certificate must be installed on the Cisco Unified Wireless IP Phone 7921G.
  To install the certificate, follow these steps:
  Step 1 Export the Authentication Server Root Certificate from the ACS. See Exporting Certificates from the ACS.
  Step 2 Go to the phone web page and choose Certificates.
  Step 3 Click Import next to the Authentication Server Root certificate.
  Step 4 Restart the phone.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

  Hi guys,
  I have root CA and intermediate CA in ISE local certificate store trusted for client authentication.
  I have imported both root ca and client certificate in the device I want to authenticate, but ISE keeps spitting out this error :
  12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

  Refer the link for troubleshooting in page no 22 the issue is mentioned, check it: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_81_troubleshooting_failed_authc.pdf

• EAP-TLS error .........failed SSL/TLS handshake because of an unknown CA in client certificate chain

  Hi,
  I am using 802.1x and EAP-TLS as authentication protocol. The clients are not able to pass the authentication the error log on ACS is
  Authentication failed: EAP-TLS handshake failed SSL/TLS handshake because of an unknown CA in the client certification chain.
  I have installed certificates on the WLC and ACS, however authentication is unsuccessful.
  Can anybody help regarding this issue.

  Hi Sandeep,
  Web auth certificate is defult certificate in wlc but you can also use your own(3rd party).
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.html
  Virtual interface : This interface handles any mobility management, VPN Termination, Web authentication, and is also a DHCP relay for WLAN clients.
  Yes its interconnected, the purpose for this entry is so that the controller knows the name of the of the certificates to virtual address translation.
  1. Guest Client go to google.com
  2. Client goes to DNS (the one its is assign in DHCP)
  3. DNS resolves the DNS for google.com
  4. Client then attempts to go to google.com
  5. Controller intercepts GET and replaces it with a 1.1.1.1
  6. Controller then takes the 1.1.1.1 and translates this to the DNS name to negat the (accpet this cert screen)
  7. DNS then gets resolve to the name (example guest.xxx.com)
  8. Controller presents the guest screen
  Hope it helps.
  Regards
  Dont forget to rate helpful posts

• Handshake failure with client authentication

  Hi,
  I am using the JDK1.4 beta 3 to accomplish the following: I want to request an HTML page on an Apache webserver configured with SSL and client-authentication. It works with Netscape and Internet Explorer (and also with the openssl s_client test program)...
  But now I want to try it using Java... So, I wrote a very simple program based on some examples found on this forum... But i keep getting the following error (excerpt from the javax.net.debug=all command)
  As you can see the server request a client certificate that's issued by the certificate authority mentioned...
  *** CertificateRequest
  Cert Types: RSA, DSS,
  Cert Authorities:
  <[email protected], CN=Andy Zaidman, OU=stage, O=Kava's Certif
  icate Authority, L=Antwerp, ST=Antwerp, C=BE>
  [read] MD5 and SHA1 hashes: len = 180
  0000: 0D 00 00 B0 02 01 02 00 AB 00 A9 30 81 A6 31 0B ...........0..1.
  0010: 30 09 06 03 55 04 06 13 02 42 45 31 10 30 0E 06 0...U....BE1.0..
  0020: 03 55 04 08 13 07 41 6E 74 77 65 72 70 31 10 30 .U....Antwerp1.0
  0030: 0E 06 03 55 04 07 13 07 41 6E 74 77 65 72 70 31 ...U....Antwerp1
  0040: 25 30 23 06 03 55 04 0A 13 1C 4B 61 76 61 27 73 %0#..U....Kava's
  0050: 20 43 65 72 74 69 66 69 63 61 74 65 20 41 75 74 Certificate Aut
  0060: 68 6F 72 69 74 79 31 0E 30 0C 06 03 55 04 0B 13 hority1.0...U...
  0070: 05 73 74 61 67 65 31 15 30 13 06 03 55 04 03 13 .stage1.0...U...
  0080: 0C 41 6E 64 79 20 5A 61 69 64 6D 61 6E 31 25 30 .Andy Zaidman1%0
  0090: 23 06 09 2A 86 48 86 F7 0D 01 09 01 16 16 41 6E #..*.H........An
  00A0: 64 79 2E 5A 61 69 64 6D 61 6E 40 75 69 61 2E 61 [email protected]
  00B0: 63 2E 62 65 c.be
  *** ServerHelloDone
  [read] MD5 and SHA1 hashes: len = 4
  0000: 0E 00 00 00 ....
  *** Certificate chain
  JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
  *** ClientKeyExchange, RSA PreMasterSecret, v3.1
  Random Secret: { 3, 1, 38, 54, 219, 158, 32, 158, 155, 15, 55, 137, 216, 164, 4
  5, 65, 153, 142, 200, 98, 57, 251, 55, 6, 46, 124, 181, 161, 164, 234, 218, 75,
  195, 72, 218, 187, 182, 197, 4, 11, 249, 45, 3, 136, 207, 114, 236, 172 }
  [write] MD5 and SHA1 hashes: len = 141
  0000: 0B 00 00 03 00 00 00 10 00 00 82 00 80 64 92 2E .............d..
  0010: 42 2C A5 79 1D 2B A9 A5 D0 46 2A 1F 67 F3 49 28 B,.y.+...F*.g.I(
  0020: E0 ED 1D 85 E3 06 22 49 8A 79 02 48 E2 DD E6 75 ......"I.y.H...u
  0030: F3 C0 D3 A8 31 C0 18 94 7C 81 24 75 6A A1 0C 4F ....1.....$uj..O
  0040: 99 03 66 B8 37 4F 05 0D 5D CD F2 A0 10 F5 D5 F5 ..f.7O..].......
  0050: 50 66 49 91 CA C0 18 F1 07 E9 70 D0 CB EA 70 D3 PfI.......p...p.
  0060: 8E 13 55 E7 43 BD 94 1C D3 96 1F E9 67 93 57 62 ..U.C.......g.Wb
  0070: 91 5C E6 ED B1 75 9C A8 55 B7 50 DE CE 9B 1C EE .\...u..U.P.....
  0080: 57 62 20 9C F3 11 36 68 7A 38 62 79 D1 Wb ...6hz8by.
  main, WRITE: SSL v3.1 Handshake, length = 141
  SESSION KEYGEN:
  PreMaster Secret:
  0000: 03 01 26 36 DB 9E 20 9E 9B 0F 37 89 D8 A4 2D 41 ..&6.. ...7...-A
  0010: 99 8E C8 62 39 FB 37 06 2E 7C B5 A1 A4 EA DA 4B ...b9.7........K
  0020: C3 48 DA BB B6 C5 04 0B F9 2D 03 88 CF 72 EC AC .H.......-...r..
  CONNECTION KEYGEN:
  Client Nonce:
  0000: 3B E9 51 EF F3 13 65 11 4E D6 B7 B1 9F E8 F6 CB ;.Q...e.N.......
  0010: B5 2B 34 8F 87 53 66 61 33 BF 5A AD 7D 22 57 7D .+4..Sfa3.Z.."W.
  Server Nonce:
  0000: 3B E9 53 4E 03 37 E9 CD E8 DB 7C 54 9A 9E 53 B9 ;.SN.7.....T..S.
  0010: 78 E0 36 DF 06 17 07 90 2C D1 83 5E 20 05 DC E9 x.6.....,..^ ...
  Master Secret:
  0000: B5 A0 37 0A 2C 29 AD AC 99 B6 2F E0 4D 80 38 68 ..7.,)..../.M.8h
  0010: F7 4F 24 C4 AA 8C ED 25 A9 D6 90 33 4B 5A 0B 1D .O$....%...3KZ..
  0020: 11 A5 C9 E8 DB DE EF 9B 8D EB 7C 84 D6 AC 94 4F ...............O
  Client MAC write Secret:
  0000: F5 AF 61 5B B4 C2 A8 12 DA 7A FE A6 82 79 7F FC ..a[.....z...y..
  0010: B9 86 B2 C0 ....
  Server MAC write Secret:
  0000: 62 22 C6 39 91 E4 45 50 2A 49 E0 26 CF 16 3E 6A b".9..EP*I.&..>j
  0010: 46 19 00 D9 F...
  Client write key:
  0000: D9 D2 99 89 5C CA 2E 7D F3 B8 52 24 9E 01 9B 3B ....\.....R$...;
  Server write key:
  0000: 37 C3 37 78 8B 85 B0 FE 01 83 E2 6C F7 C6 73 33 7.7x.......l..s3
  ... no IV for cipher
  main, WRITE: SSL v3.1 Change Cipher Spec, length = 1
  JsseJCE: Using JSSE internal implementation for cipher RC4
  *** Finished, v3.1
  verify_data: { 51, 236, 194, 3, 230, 37, 147, 76, 251, 233, 132, 207 }
  [write] MD5 and SHA1 hashes: len = 16
  0000: 14 00 00 0C 33 EC C2 03 E6 25 93 4C FB E9 84 CF ....3....%.L....
  Plaintext before ENCRYPTION: len = 36
  0000: 14 00 00 0C 33 EC C2 03 E6 25 93 4C FB E9 84 CF ....3....%.L....
  0010: 64 30 E3 0B 31 CF 7D C7 D6 17 D8 FB 31 23 F9 34 d0..1.......1#.4
  0020: 5D B9 47 F9 ].G.
  main, WRITE: SSL v3.1 Handshake, length = 36
  main, READ: SSL v3.1 Alert, length = 2
  main, RECV SSLv3 ALERT: fatal, handshake_failure
  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
  at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
  at java.io.OutputStream.write(OutputStream.java:61)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
  at HttpClient.main(HttpClient.java:105)
  Now, I am sure the certificate is in the keystore, because one of the first things I do in the program is print the certificates available in the keystore...
  Does anyone know what I'm doing wrong? If you need the code to make a proper judgement, I will post it...
  Tnx in advance!
  Greetz,
  Andy Zaidman
  [email protected]

  import java.net.*;
  import java.io.*;
  import java.security.*;
  import java.security.cert.*;
  import javax.net.ssl.*;
  import java.util.*;
  public class HttpClient
       public HttpClient(){}
       public static void main (String args[])
       try
            //This is my server certificate - public key
            String serverCertificateFile = "MyCA.cer";
            //This is my client personal certificate
            String clientCertificateFile = "MyPersonal.pfx";
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            KeyStore ks = KeyStore.getInstance("JKS");
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SUNX509");
            ks.load(null, null);
            java.security.cert.X509Certificate the_cert = (java.security.cert.X509Certificate) cf.generateCertificate(new FileInputStream(serverCertificateFile));
            ks.setCertificateEntry("server", the_cert);
            tmf.init(ks);
            for (Enumeration e = ks.aliases() ; e.hasMoreElements() ;)
       System.out.println(ks.getCertificate(e.nextElement().toString()).toString());
            KeyStore ks2 = KeyStore.getInstance("PKCS12", "SunJSSE");
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SUNX509");
            ks2.load(null, null);
            FileInputStream fin = new FileInputStream(clientCertificateFile);
            ks2.load(fin, "xxx".toCharArray());
            kmf.init(ks2, "xxx".toCharArray());
            fin.close();
            for (Enumeration e = ks2.aliases() ; e.hasMoreElements() ;)
       System.out.println(ks2.getCertificate(e.nextElement().toString()).toString());
            SSLContext ctx = SSLContext.getInstance("SSLv3");
            KeyManager[] km = kmf.getKeyManagers();
            for(int i = 0; i < km.length; ++i)
                 System.out.println(km);
            TrustManager[] tm = tmf.getTrustManagers();
            ctx.init(km, tm, null);
            // connection part
            SSLSocketFactory factory = ctx.getSocketFactory();
            SSLSocket socket = (SSLSocket)factory.createSocket("localhost", 443);
            for(int i = 0; i < socket.getEnabledCipherSuites().length; ++i)
                 System.out.println(socket.getEnabledCipherSuites()[i]);
            socket.startHandshake();
            PrintWriter out = new PrintWriter(
                      new BufferedWriter(
                      new OutputStreamWriter(
                      socket.getOutputStream())));
            out.println("GET " + "/" + " HTTP/1.1");
            out.println();
            out.flush();
       catch(Exception e)
            e.printStackTrace();

• Error while enabling two way authentication :Client certificate missing

  Hi,I am getting the following error while enabling the two way authentication.The weblogic server 5.1 has accepted both the client ca and server certificates and is listening for SSL on the specified port.But when I try to access thru the secured connection thru my IE it asks for Client Authentication dialog asking for valid Client certificate but I am not able to view any of the client certificate even though I have one which is the trusted root store.and there by giving the error page cannot be displayed .On the server side I get the following error.Thu Mar 08 10:54:35 GMT 05:30 2001:<D> <SSLListenThread> Problem accepting connectionjava.io.IOException: required client certificate missing at weblogic.security.SSL.SSLSocket.serverInit2(SSLSocket.java:711) at weblogic.security.SSL.SSLSocket.serverInit(SSLSocket.java:529) at weblogic.security.SSL.SSLSocket.initialize(SSLSocket.java:219) at weblogic.security.SSL.SSLSocket.performAcceptHandshake(SSLSocket.java:192) at weblogic.security.SSL.SSLSocket.getInputStream(SSLSocket.java:1001) at weblogic.socket.ResettableSocket.<init>(ResettableSocket.java:30) at weblogic.socket.JVMSocketManager.accept(JVMSocketManager.java:377) at weblogic.t3.srvr.ListenThread$RJVMListenRequest.execute(ListenThread.java:506) at weblogic.kernel.ExecuteThread.run(ExecuteThread.java, Compiled Code)can anybody please guide me what could be wrong.Do I need to change the browser settings.I have enabled SSL 3.0 and SSL 2.0 and all other settings are defaultIt is urgent.pls give some suggestions.Regards,Bhavani

  I think you have to specify the client root in your weblogic.properties
  file.
  here are my settings:
  weblogic.security.enforceClientCert=true
  weblogic.security.certificate.server=democert.pem
  weblogic.security.key.server=demokey.pem
  weblogic.security.certificate.authority=ca.pem
  weblogic.security.clientRootCA=VeriSignClass1CA.der
  Regards,
  -Arthur
  Bhavani <[email protected]> wrote:
  Hi,I am getting the following error while enabling the
  two way authentication for Weblogic Server 5.1Thu Mar
  08 16:10:54 GMT 05:30 2001:<I> <ListenThread> Listening
  on port: 7001Thu Mar 08 16:10:54 GMT 05:30 2001:<I> <SSLListenThread>
  Listening on port: 7002<NT Performance Pack> NATIVE:
  created IoCompletionPort successfully. IoPort=0x000002a4Thu
  Mar 08 16:10:56 GMT 05:30 2001:<I> <WebLogicServer> WebLogic
  Server startedThu Mar 08 16:11:20 GMT 05:30 2001:<D>
  <SSLListenThread> Problem accepting connectionjava.io.IOException:
  required client certificate missing at weblogic.security.SSL.SSLSocket.serverInit2(SSLSocket.java:711)
  at weblogic.security.SSL.SSLSocket.serverInit(SSLSocket.java:529)
  at weblogic.security.SSL.SSLSocket.initialize(SSLSocket.java:219)
  at weblogic.security.SSL.SSLSocket.performAcceptHandshake(SSLSocket.java:192)
  at weblogic.security.SSL.SSLSocket.getInputStream(SSLSocket.java:1001)
  at weblogic.socket.ResettableSocket.<init>(ResettableSocket.java:30)
  at weblogic.socket.JVMSocketManager.accept(JVMSocketManager.java:377)
  at weblogic.t3.srvr.ListenThread$RJVMListenRequest.execute(ListenThread.java:506)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java,
  Compiled Code)Thu Mar 08 16:12:07 GMT 05:30 2001:<D>
  <SSLListenThread> Problem accepting connectionCan anybody
  suggest why this error is coming?Regards,Bhavani

• Missing post message in client session monitoring

  Hi,
  I have synchronized creating a record of a data object, in the message monitoring tool appears that the message is processed correctly but if I look the session at the client session monitoring that message did not appears, would appears as post message, right?
  Another question, why in the client session monitoring at session information of a one session appears not sorted the synchronization cycle number or date and time? Can I sorted it?
  I'm in 7.10 SP11.
  Thanks in advance and kind regards.

  Hi,
  You see only default columns given by SAP. But you can add additional attributes like direction, message type etc., by going to personalization screen. On extreme right of the table top, you see a couple of buttons. One of them is personalization. Click on that and it opens a pop which shows the list of available fields for display on left side and fields which are already displayed on the right side.
  You need to select direction and message type from left and move them to right and save and apply those settings for the user. So from next time, it shows the selected attributes.
  Coming to your problem, do you see any messages at all in session monitoring? Without giving any filtering criteria just try to search for all of them in the system. See if you get any entries at all. (If still not displayed then you need to enable session monitoring logs).
  The timezone difference could be because the system timezone is set to different timezone than of your current.
  Best Regards,
  Siva.

• Wireless ISE - 12508 EAP-TLS handshake failed

  Hi guys,
  I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication.  In short, all EAP-TLS authentication is failing with the following error.  Below that is the relevant excerpt from the logs:
  Authentication failed : 12508 EAP-TLS handshake failed
  OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown  message digest algorithm:a_verify.c:146:,
  Setup:
  - Single standalone ISE 3355 appliance
  - Two tier MS enterprise PKI (outside of my direct control)
  - WLC 5508
  - Windows 7 laptop\
  - The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
  - The test laptop has both the root and intermediate CA server certificates installed  (individually, not chained) and has an identity certificate from the  intermediate CA.
  Now, I'm pretty new to certs so I'm sure I'm missing something simple here.  One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that.  Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
  This is what TAC came back with, but none of the workarounds helped
  Symptom:
  ========
  EAP-TLS auth handshake  failing with X509 decrypt error. The error presented to the ISE  administrator is "12508: EAP-TLS handshake failed"
  Conditions:
  =========
  EAP-TLS certificate based authentications ISE 1.1.2.145
  Workaround:
  ===========
  1) Reboot or restart ISE  application service 2) Recreate CAP (Certificate Authentication Profile)  3) Toggle between ID sequence and single ID source

  Hi Amjad,
  Thanks for the response.  I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
  Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year).  On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
  The certificate format has not been modified in any way.  The server and identity certs have been pushed out to the clients via GPO. Tthe root and intermediate certs were exported in DER format directly from each the respective CAs and imported directly in to the ISE
  Cheers,
  Owen

• Wireless Client Authentication issues when roaming Access Points (Local)

  I have a Cisco 5508 with Software version 7.4.121.0 and Field Recovery 7.6.101.1.
  There are a handful of clients that when roaming between AP's with the same SSID that get an authentication issue and have to restart the wireless to get back on.
  From Cisco ISE
  Event
  5400 Authentication failed
  Failure Reason
  11514 Unexpectedly received empty TLS message; treating as a rejection by the client
  Resolution
  Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
  Root cause
  While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
  I am having a hard time figuring out what is causing this. My assumption is if there were a problem with the Controller or AP configurations then it would happen to everyone. My further assumption is if the client had a problem with their laptop (windows 7) then why does work at other times? So I have checked and the ISE certificate is trusted by client.
  Is something happening that the previous access point is holding on to the mac and the return authentication traffic is going to the old AP instead of the new one or something like that which is corrupting the data?
  I also had this from Splunk for the same client:
  Mar 5 13:44:51 usstlz-piseps01 CISE_Failed_Attempts 0014809622 1 0 2015-03-05 13:44:51.952 +00:00 0865003824 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario
   FailureReason="12929 NAS sends RADIUS accounting update messages too frequently"
  Any help on this would be appreciated. These error messages give me an idea but doesn't give me the exact answer to why the problem occurred and what needs to be done to fix it.
  Thanks

  Further detail From ISE for the failure:
  11001
  Received RADIUS Access-Request
  11017
  RADIUS created a new session
  15049
  Evaluating Policy Group
  15008
  Evaluating Service Selection Policy
  15048
  Queried PIP
  15048
  Queried PIP
  15004
  Matched rule
  15048
  Queried PIP
  15048
  Queried PIP
  15004
  Matched rule
  11507
  Extracted EAP-Response/Identity
  12500
  Prepared EAP-Request proposing EAP-TLS with challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12301
  Extracted EAP-Response/NAK requesting to use PEAP instead
  12300
  Prepared EAP-Request proposing PEAP with challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12302
  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318
  Successfully negotiated PEAP version 0
  12800
  Extracted first TLS record; TLS handshake started
  12805
  Extracted TLS ClientHello message
  12806
  Prepared TLS ServerHello message
  12807
  Prepared TLS Certificate message
  12810
  Prepared TLS ServerDone message
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  11514
  Unexpectedly received empty TLS message; treating as a rejection by the client
  12512
  Treat the unexpected TLS acknowledge message as a rejection from the client
  11504
  Prepared EAP-Failure
  11003
  Returned RADIUS Access-Reject