"Unable to transmit key to mobile" eap-tls

Hi,
I got a Wireless Controller with a few APs. Now testing EAP auth. Clients fail to authenticate on the network using EAP-TLS. Client status shows as Associated but Auth as No. I've attached the client debug. It got stuck on "Unable to transmit key to mobile" where XP is "Validating identity". Any suggestions?

Hi fella,
Sorted. Make sure you've got all certificates installed and don't use too complicated shared passwords for RADIUS.
Regards

Similar Messages

  • EAP-TLS Certificate Key Size

    Hi,
    I'm in the process of setting up EAP-TLS authentication in my network. I have installed 2048 bit certificates on my ACS server and Client. When attempting to authenticate I receive the following message in ACS: EAP-TLS or PEAP authentication failed during SSL handshake.
    Is anyone using 2048 bit certs or know if they work? Any suggestions what else might be causing the authentication failure?
    Thanks,

    2048 bit is the standard these days. I have used 2048 bit with both PEAP and EAP-TLS with no issues. The error might be the shared secret between ACS and the WLC.
    Sent from Cisco Technical Support iPhone App
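
The reply above points at the shared secret between the RADIUS server and the WLC, and the captures further down in this thread show the Message-Authenticator AVP and one EAP-TLS message split across several EAP-Message AVPs. The following added example (not code from any of the posts) builds such an Access-Request in Python, computes the Message-Authenticator as RFC 2869/3579 specify, reassembles the EAP-Message AVPs, and shows that a mismatched secret fails verification; a server that sees the mismatch silently discards the request, so on the WLC a wrong secret looks exactly like a server timeout. Secrets, the username and the EAP bytes are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20          # code(1) id(1) length(2) request authenticator(16)
MAX_AVP_VALUE = 253      # AVP length is one byte and includes the 2-byte header


def avp(attr_type, value):
    """Encode one attribute-value pair (type, length, value)."""
    if len(value) > MAX_AVP_VALUE:
        raise ValueError("AVP value exceeds %d bytes" % MAX_AVP_VALUE)
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_message_avps(eap_packet):
    """Split one EAP packet across consecutive EAP-Message AVPs, the way the
    capture in this thread shows a long EAP-TLS message as Segment[1..6]."""
    return b"".join(avp(ATTR_EAP_MESSAGE, eap_packet[i:i + MAX_AVP_VALUE])
                    for i in range(0, len(eap_packet), MAX_AVP_VALUE))


def build_access_request(identifier, request_authenticator, attributes, secret):
    """Assemble an Access-Request. Message-Authenticator is HMAC-MD5 over the
    whole packet with its own 16-byte value zeroed (RFC 2869 section 5.14);
    RFC 3579 requires it whenever an EAP-Message attribute is present."""
    placeholder = avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    body = attributes + placeholder
    header = (struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
              + request_authenticator)
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + attributes + avp(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_avps(packet):
    """Return [(type, value), ...]; raise on a truncated or zero-length AVP."""
    avps, pos = [], HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated AVP header at offset %d" % pos)
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed AVP at offset %d" % pos)
        avps.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return avps


def verify_message_authenticator(packet, secret):
    """Recompute the HMAC with the attribute's value zeroed and compare in
    constant time. A server that finds a mismatch silently discards the
    packet, which the NAS sees as no reply at all."""
    pos = HEADER_LEN
    for attr_type, value in parse_avps(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            start = pos + 2
            zeroed = packet[:start] + bytes(16) + packet[start + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
        pos += 2 + len(value)
    return False   # absent: not acceptable for a request carrying EAP


def reassemble_eap(packet):
    """Concatenate EAP-Message AVP values in order to recover the EAP packet."""
    return b"".join(v for t, v in parse_avps(packet) if t == ATTR_EAP_MESSAGE)


def demo():
    """Constructed Access-Request: the NAS secret verifies, a mismatched one
    does not, and the EAP payload round-trips through the AVP split."""
    nas_secret = b"constructed-nas-secret"
    wrong_secret = b"constructed-other-secret"
    # constructed EAP-TLS Response: code 2, id 3, type 13, flags 0, 515 data bytes
    tls_data = bytes(range(256)) * 2 + b"\x16\x03\x01"
    eap = struct.pack("!BBHBB", 2, 3, 6 + len(tls_data), 13, 0) + tls_data
    attributes = avp(ATTR_USER_NAME, b"host/client.example") + eap_message_avps(eap)
    packet = build_access_request(125, os.urandom(16), attributes, nas_secret)
    return (verify_message_authenticator(packet, nas_secret),
            verify_message_authenticator(packet, wrong_secret),
            reassemble_eap(packet) == eap,
            len(packet))


if __name__ == "__main__":
    print(demo())   # (True, False, True, 586)
```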

  • WLC 5508 - EAP-TLS - Windows 8.1 Third Party PKI

    Hello,
    Does anybody know what could prevent a Windows 8/8.1 system from connecting to a WLC via EAP-TLS? Windows 7/XP do not have any problems here. The RADIUS server accepts the request, but Windows 8 still tries to authenticate.
    Software is updated to 7.6.120.0; I tried to set up timeout values, but no success at all.
    Did anyone have similar problems with Windows 8/8.1?
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Starting key exchange to mobile 0c:8b:fd:eb:16:17, data packets will be dropped
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Reusing allocated memory for  EAP Pkt for retransmission to mobile 0c:8b:fd:eb:16:17
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Entering Backend Auth Success state (id=6) for mobile 0c:8b:fd:eb:16:17
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Received Auth Success while in Authenticating state for mobile 0c:8b:fd:eb:16:17
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 dot1x - moving mobile 0c:8b:fd:eb:16:17 into Authenticated state
    *osapiBsnTimer: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
    *dot1xMsgTask: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
    *osapiBsnTimer: Jun 24 12:43:16.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
    *osapiBsnTimer: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
    *dot1xMsgTask: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 Retransmit failure for EAPOL-Key M1 to mobile 0c:8b:fd:eb:16:17, retransmit count 3, mscb deauth count 0
    Any hint would be great .... Thank you...

    Hello Dino,
    thanks very much for your reply.
    The client uses a machine certificate; the PKI is not a Microsoft one but a third-party PKI. The certificate is fresh and valid, the root cert is installed and checked to be validated against it for the login.
    Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
    EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
    I suspect the cert setup itself, but don't get a clue where this might be stuck...
    Björn

  • ACS 4.0 EAP-TLS Cert not working

    Hey,
    so I generated my certificate signing request, took it to my CA, got a cert. From "ACS Certification Authority Setup" I installed it onto my ACS appliance, then from "Install ACS Certificate" installed it (it prepopulated the privkey and password so I assume it got that from the cert file). I then add the CA from the "Edit Certificate Trust List". All this goes off without a hitch.
    However when I try to add the "Certificate Revocation List" I am unable to add both LDAP:\\\ and http://. I have confirmed that the http:// is working on the CA, and every indication is that the LDAP is working too but I don't know of the tools to test that with.
    When I go into "System Configuration"->"Global Authentication Setup"->"Allow EAP-TLS" I get the following error.
    Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.
    What exactly is not installed about the certificate? It's on the ACS server, it's configured and the date range is correct.
    I've been banging my head against this all day and could use some suggestions. :)

    Ok, I now understand it a little better. I needed to install 2 certificates, the first being the Root CA's certificate in the "ACS Certification Authority Setup" section (I mistakenly thought this was simply where I download my generated cert for the next spot).
    The second cert is the one I generated using "Generate Certificate Signing Request"; I then took that to my Root CA, generated a cert and installed that along with the private key under "Install ACS Certificate".
    Thanks for pointing me in the right direction since the error I was getting wasn't helpful to me.

  • EAP-TLS authentication failure

    We've been struggling with this problem for weeks without a solution yet. Maybe someone can help us.
    Note: some information below has been redacted and the IP addresses are not the original ones. They have been changed to fictional IP addresses but they have been adjusted to reflect an equivalent situation.
    This situation is as follows:
    WLAN infrastructure with:
    1 x AIR-WLC2112-K9 (IP address = 10.10.10.10)
    8 x AIR-LAP1142N-E-K9
    Data for the WLC:
    Product Version.................................. 6.0.199.4
    RTOS Version..................................... 6.0.199.4
    Bootloader Version.............................. 4.0.191.0
    Emergency Image Version................... 6.0.199.4
    The WLC is connected to a switch, Cisco Catalyst model WS-C3750X-24, sw version 12.2(53)SE2.
    The idea is to have the clients/supplicants (Windows XP), who have a valid certificate, authenticate against a RADIUS server. The authentication is configured as 802.1x over EAP-TLS.
    The RADIUS server is a Windows 2003 Server with IAS (IP address = 15.15.15.15). This server is accessed via a WAN link. We don't manage this server.
    The problem: no wireless client (Windows XP) is able to go past the initial authentication.
    I should add that the WLC and the APs were working perfectly and clients were connecting correctly to them. However this setup was moved to a new building and, since then, nothing has worked. I must add that the configuration on the WLC and APs has not changed, since the network configuration (IP subnets, etc) was migrated from the previous building to this new one. But something has changed: the WAN router (connected to the Internet and with a VPN established to the corporate network) and the LAN equipment (switches), which are all brand new.
    On the RADIUS side we find these error messages:
    Fully-Qualified-User-Name = XXXXXXXXXXXX/XXXX/XXXXX/XXXX/XXXXX (it shows the correct information)
    NAS-IP-Address = 10.10.10.10
    NAS-Identifier = XX-002_WLAN
    Called-Station-Identifier = f0-25-72-70-65-xx:WLAN-XX
    Calling-Station-Identifier = 00-1c-bf-7b-08-xx
    Client-Friendly-Name = xxxxxxx_10.10.10.10
    Client-IP-Address = 10.10.10.10
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 2
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless LAN Access
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 22
    Reason = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
    On the WLC side, the error messages are:
    TRAP log:
    RADIUS server 15.15.15.15:1812 failed to respond to request (ID 42) for client 00:27:10:a3:1b:xx / user 'unknown'
    SYSLOG:
    Jan 06 10:16:35 10.10.10.10 XX-002_WLAN: *Jan 06 10:16:32.709: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
    Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.960: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
    Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.961: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
    Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
    Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
    WLC Debug:
    *Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Station 58:94:6b:15:f5:d0 setting dot1x reauth timeout = 1800
    *Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
    *Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 1)
    *Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Received EAPOL START from mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
    *Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 2)
    *Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received Identity Response (count=2) from mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 EAP State update from Connecting to Authenticating for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Authenticating state
    *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.711: AuthenticationRequest: 0xd1bc104
    *Jan 07 19:31:42.711:     Callback.....................................0x87e1870
    *Jan 07 19:31:42.712:     protocolType.................................0x00140001
    *Jan 07 19:31:42.712:     proxyState...................................58:94:6B:15:F5:D0-9B:00
    *Jan 07 19:31:42.712:     Packet contains 12 AVPs (not shown)
    *Jan 07 19:31:42.712: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *Jan 07 19:31:42.712: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 231) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
    *Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Access-Challenge received from RADIUS server 15.15.15.15 for mobile 58:94:6b:15:f5:d0 receiveId = 155
    *Jan 07 19:31:42.788: AuthorizationResponse: 0xa345700
    *Jan 07 19:31:42.788:     structureSize................................145
    *Jan 07 19:31:42.788:     resultCode...................................255
    *Jan 07 19:31:42.788:     protocolUsed.................................0x00000001
    *Jan 07 19:31:42.788:     proxyState...................................58:94:6B:15:F5:D0-9B:00
    *Jan 07 19:31:42.788:     Packet contains 4 AVPs (not shown)
    *Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Processing Access-Challenge for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Entering Backend Auth Req state (id=3) for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Sending EAP Request from AAA to mobile 58:94:6b:15:f5:d0 (EAP Id 3)
    *Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAP Response from mobile 58:94:6b:15:f5:d0 (EAP Id 3, EAP Type 13)
    *Jan 07 19:31:42.806: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.806: AuthenticationRequest: 0xd1bc104
    *Jan 07 19:31:42.806:     Callback.....................................0x87e1870
    *Jan 07 19:31:42.806:     protocolType.................................0x00140001
    *Jan 07 19:31:42.807:     proxyState...................................58:94:6B:15:F5:D0-9B:01
    *Jan 07 19:31:42.807:     Packet contains 13 AVPs (not shown)
    *Jan 07 19:31:42.807: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *Jan 07 19:31:42.807: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
    *Jan 07 19:31:52.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00                               ..
    *Jan 07 19:31:52.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
    *Jan 07 19:32:02.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
    *Jan 07 19:32:02.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
    *Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 Max retransmission of Access-Request (id 228) to 15.15.15.15 reached for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 [Error] Client requested no retries for mobile 58:94:6B:15:F5:D0
    *Jan 07 19:32:12.533: 58:94:6b:15:f5:d0 Returning AAA Error 'Timeout' (-5) for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:32:12.533: AuthorizationResponse: 0xb99ff864
    Finally, we've also done some packet sniffing, using Wireshark and CommView. These appear to suggest that something is wrong with one of the packets and this leads the authentication process to fail and restart again and again:
    ******************** WIRESHARK CAPTURE ********************
    No.     Time        Source                Destination           Protocol Info
          1 0.000000    10.10.10.10        15.15.15.15           RADIUS   Access-Request(1) (id=125, l=280)
    Frame 1: 322 bytes on wire (2576 bits), 322 bytes captured (2576 bits)
    Ethernet II, Src: Cisco_62:63:00 (f8:66:f2:62:63:00), Dst: Cisco_55:20:41 (1c:df:0f:55:20:41)
    Internet Protocol, Src: 10.10.10.10 (10.10.10.10), Dst: 15.15.15.15 (15.15.15.15)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 308
        Identification: 0x501f (20511)
        Flags: 0x02 (Don't Fragment)
        Fragment offset: 0
        Time to live: 64
        Protocol: UDP (17)
        Header checksum: 0x4aee [correct]
        Source: 10.10.10.10 (10.10.10.10)
        Destination: 15.15.15.15 (15.15.15.15)
    User Datagram Protocol, Src Port: filenet-rpc (32769), Dst Port: radius (1812)
        Source port: filenet-rpc (32769)
        Destination port: radius (1812)
        Length: 288
        Checksum: 0xe8e0 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Radius Protocol
        Code: Access-Request (1)
        Packet identifier: 0x7d (125)
        Length: 280
        Authenticator: 79b2f31c7e67d6fdaa7e15f362ecb025
        Attribute Value Pairs
            AVP: l=27  t=User-Name(1): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
            AVP: l=19  t=Calling-Station-Id(31): 00-21-6a-29-80-xx
            AVP: l=27  t=Called-Station-Id(30): f0-25-72-70-65-c0:WLAN-XX
            AVP: l=6  t=NAS-Port(5): 2
            AVP: l=6  t=NAS-IP-Address(4): 10.10.10.10
            AVP: l=13  t=NAS-Identifier(32): XX-002_WLAN
            AVP: l=12  t=Vendor-Specific(26) v=Airespace(14179)
            AVP: l=6  t=Service-Type(6): Framed(2)
            AVP: l=6  t=Framed-MTU(12): 1300
            AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
            AVP: l=89  t=EAP-Message(79) Last Segment[1]
                EAP fragment
                Extensible Authentication Protocol
                    Code: Response (2)
                    Id: 3
                    Length: 87
                    Type: EAP-TLS [RFC5216] [Aboba] (13)
                    Flags(0x80): Length
                    Length: 77
                    Secure Socket Layer
            AVP: l=25  t=State(24): 1d68036a000001370001828b38990000000318a3088c00
            AVP: l=18  t=Message-Authenticator(80): 9fe1bfac02df3293ae2f8efc95de2d5d
    No.     Time        Source                Destination           Protocol Info
          2 0.060373    15.15.15.15        10.10.10.10          IP       Fragmented IP protocol (proto=UDP 0x11, off=0, ID=2935) [Reassembled in #3]
    Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
    Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
    Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 44
        Identification: 0x2935 (10549)
        Flags: 0x01 (More Fragments)
        Fragment offset: 0
        Time to live: 122
        Protocol: UDP (17)
        Header checksum: 0x58e0 [correct]
        Source: 15.15.15.15 (15.15.15.15)
        Destination: 10.10.10.10 (10.10.10.10)
        Reassembled IP in frame: 3
    Data (24 bytes)
    0000  07 14 80 01 05 69 e8 f5 0b 7d 05 61 6c 83 00 ae   .....i...}.al...
    0010  d0 75 05 c3 56 29 a7 b1                           .u..V)..
    No.     Time        Source                Destination           Protocol Info
          3 0.060671    15.15.15.15        10.10.10.10          RADIUS   Access-challenge(11) (id=125, l=1377)
    Frame 3: 1395 bytes on wire (11160 bits), 1395 bytes captured (11160 bits)
    Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
    Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 1381
        Identification: 0x2935 (10549)
        Flags: 0x00
        Fragment offset: 24
        Time to live: 122
        Protocol: UDP (17)
        Header checksum: 0x73a4 [correct]
        Source: 15.15.15.15 (15.15.15.15)
        Destination: 10.10.10.10 (10.10.10.10)
        [IP Fragments (1385 bytes): #2(24), #3(1361)]
    User Datagram Protocol, Src Port: radius (1812), Dst Port: filenet-rpc (32769)
        Source port: radius (1812)
        Destination port: filenet-rpc (32769)
        Length: 1385
        Checksum: 0xe8f5 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Radius Protocol
        Code: Access-challenge (11)
        Packet identifier: 0x7d (125)
        Length: 1377
        Authenticator: 6c8300aed07505c35629a7b14de483be
        Attribute Value Pairs
            AVP: l=6  t=Session-Timeout(27): 30
                Session-Timeout: 30
            AVP: l=255  t=EAP-Message(79) Segment[1]
                EAP fragment
            AVP: l=255  t=EAP-Message(79) Segment[2]
                EAP fragment
            AVP: l=255  t=EAP-Message(79) Segment[3]
                EAP fragment
            AVP: l=255  t=EAP-Message(79) Segment[4]
                EAP fragment
            AVP: l=255  t=EAP-Message(79) Segment[5]
                EAP fragment
            AVP: l=33  t=EAP-Message(79) Last Segment[6]
                EAP fragment
                Extensible Authentication Protocol
                    Code: Request (1)
                    Id: 4
                    Length: 1296
                    Type: EAP-TLS [RFC5216] [Aboba] (13)
                    Flags(0xC0): Length More
                    Length: 8184
                    Secure Socket Layer
    [Malformed Packet: SSL]
        [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
            [Message: Malformed Packet (Exception occurred)]
            [Severity level: Error]
            [Group: Malformed]
    ******************** COMMVIEW CAPTURE ******************
    Packet #6, Direction: Pass-through, Time:11:27:35,251292, Size: 323
    Ethernet II
        Destination MAC: 1C:DF:0F:55:20:xx
        Source MAC: F8:66:F2:62:63:xx
        Ethertype: 0x0800 (2048) - IP
    IP
        IP version: 0x04 (4)
        Header length: 0x05 (5) - 20 bytes
        Differentiated Services Field: 0x00 (0)
            Differentiated Services Code Point: 000000 - Default
            ECN-ECT: 0
            ECN-CE: 0
        Total length: 0x0135 (309)
        ID: 0x2B26 (11046)
        Flags
            Don't fragment bit: 1 - Don't fragment
            More fragments bit: 0 - Last fragment
        Fragment offset: 0x0000 (0)
        Time to live: 0x40 (64)
        Protocol: 0x11 (17) - UDP
        Checksum: 0x6FE6 (28646) - correct
        Source IP: 161.86.66.49
        Destination IP: 15.15.15.15
        IP Options: None
    UDP
        Source port: 32769
        Destination port: 1812
        Length: 0x0121 (289)
        Checksum: 0x5824 (22564) - correct
    Radius
        Code: 0x01 (1) - Access-Request
        Identifier: 0x8D (141)
        Packet Length: 0x0119 (281)
        Authenticator: 60 4E A6 58 A8 88 A2 33 4E 56 D0 E9 3B E0 62 18
        Attributes
            Attribute
                Type: 0x01 (1) - User-Name
                Length: 0x1A (26)
                Username: XXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
            Attribute
                Type: 0x1F (31) - Calling-Station-Id
                Length: 0x11 (17)
                Calling id: 58-94-6b-15-5f-xx
            Attribute
                Type: 0x1E (30) - Called-Station-Id
                Length: 0x19 (25)
                Called id: f0-25-72-70-65-c0:WLAN-XX
            Attribute
                Type: 0x05 (5) - NAS-Port
                Length: 0x04 (4)
                Port: 0x00000002 (2)
            Attribute
                Type: 0x04 (4) - NAS-IP-Address
                Length: 0x04 (4)
                Address: 10.10.10.10
            Attribute
                Type: 0x20 (32) - NAS-Identifier
                Length: 0x0B (11)
                NAS identifier: XX-002_WLAN
            Attribute
                Type: 0x1A (26) - Vendor-Specific
                Length: 0x0A (10)
                Vendor id: 0x00003763 (14179)
                Vendor specific:  
            Attribute
                Type: 0x06 (6) - Service-Type
                Length: 0x04 (4)
                Service type: 0x00000002 (2) - Framed
            Attribute
                Type: 0x0C (12) - Framed-MTU
                Length: 0x04 (4)
                Framed MTU: 0x00000514 (1300)
            Attribute
                Type: 0x3D (61) - NAS-Port-Type
                Length: 0x04 (4)
                NAS port type: 0x00000013 (19) - Wireless - IEEE 802.11
            Attribute
                Type: 0x4F (79) - EAP-Message
                Length: 0x57 (87)
                EAP-Message
            Attribute
                Type: 0x18 (24) - State
                Length: 0x17 (23)
                State: 1F 38 04 12 00 00 01 37 00 01 82 8B 38 99 00 00 00 03 18 A6 82 B7 00
            Attribute
                Type: 0x50 (80) - Message-Authenticator
                Length: 0x10 (16)
                Message-Authenticator: 4F 13 92 9C 10 29 C5 3A B9 AE 92 CA 74 11 6C B5
    Packet #28, Direction: Pass-through, Time:11:27:36,523743, Size: 62
    Ethernet II
        Destination MAC: F8:66:F2:62:63:xx
        Source MAC: 1C:DF:0F:55:20:xx
        Ethertype: 0x0800 (2048) - IP
    IP
        IP version: 0x04 (4)
        Header length: 0x05 (5) - 20 bytes
        Differentiated Services Field: 0x00 (0)
            Differentiated Services Code Point: 000000 - Default
            ECN-ECT: 0
            ECN-CE: 0
        Total length: 0x002C (44)
        ID: 0x4896 (18582)
        Flags
            Don't fragment bit: 0 - May fragment
            More fragments bit: 1 - More fragments
        Fragment offset: 0x0000 (0)
        Time to live: 0x7A (122)
        Protocol: 0x11 (17) - UDP
        Checksum: 0x397F (14719) - correct
        Source IP: 15.15.15.15
        Destination IP: 10.10.10.10
        IP Options: None
    UDP
        Source port: 1812
        Destination port: 32769
        Length: 0x0569 (1385)
        Checksum: 0x2FE4 (12260) - incorrect

    Hi,
    We spent many hours trying to solve this problem.
    Our setup:
    Cisco wireless setup, using windows NPS for 802.1x authentication.
    Certificate-based auth, with an internal PKI sending out client machine certs, and also the server cert.
    Auth was failing with "reason code 22, The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
    It turned out to be a GPO setting on the server, that was enforcing key protection.
    There is this note on the below technet article:
    Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
    http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
    Hopefully this helps someone out, if you have the same annoying error.
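
The WLC output quoted in this thread carries three distinct failure signatures: identity-request retries exceeded (the syslog %DOT1X-3-MAX_EAP_RETRIES lines), Access-Request retransmission ending in AAA Error 'Timeout', and EAPOL-Key M1 retransmit failure right after Backend Auth Success (the Windows 8.1 post). Each points at a different stage, so this added triage script (not from any post) groups WLC debug and syslog lines by client MAC and maps them to that stage; the sample lines are constructed in the posts' format with made-up addresses.

```python
import re
from collections import defaultdict

# the first colon-separated MAC on a line is the client the WLC is logging about
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
SUCCESS_RE = re.compile(r"Received Auth Success|Backend Auth Success")

# (pattern, stage, hint) checked against every per-client line
PATTERNS = [
    (re.compile(r"Max EAP identity request retries"), "identity",
     "supplicant never answered EAP-Request/Identity: look at the client's "
     "802.1X service, WLAN profile and EAP type"),
    (re.compile(r"Max retransmission of Access-Request|Returning AAA Error 'Timeout'"),
     "radius",
     "no answer from RADIUS: unreachable server, a mismatched shared secret "
     "(requests are silently discarded), or fragmented replies lost in the path"),
    (re.compile(r"Retransmit failure for EAPOL-Key M1"), "4way",
     "RADIUS accepted the client but it never sent EAPOL-Key M2: the client "
     "could not derive the PMK, check that its certificate's private key is usable"),
    (re.compile(r"Received EAP Response packet with mismatching id"), "info",
     "stale EAP id from an earlier exchange; harmless on its own"),
]


def triage(lines):
    """Group log lines by client MAC; record auth success and matched findings."""
    clients = defaultdict(lambda: {"auth_success": False, "findings": []})
    for line in lines:
        m = MAC_RE.search(line)
        if not m:
            continue          # lines without a client MAC are not per-client events
        entry = clients[m.group(1).lower()]
        if SUCCESS_RE.search(line):
            entry["auth_success"] = True
        for rx, stage, hint in PATTERNS:
            if rx.search(line) and (stage, hint) not in entry["findings"]:
                entry["findings"].append((stage, hint))
    return dict(clients)


def verdict(entry):
    """Pick the stage that explains why this client is not on the network."""
    stages = {s for s, _ in entry["findings"]}
    if "4way" in stages and entry["auth_success"]:
        return "4way"      # server said yes, key handshake failed: client side
    if "radius" in stages:
        return "radius"
    if "identity" in stages:
        return "identity"
    return "ok" if entry["auth_success"] else "unknown"


def report(lines):
    """Return {mac: (verdict, [hints])} for every client seen in the lines."""
    return {mac: (verdict(e), [h for _, h in e["findings"]])
            for mac, e in triage(lines).items()}


# constructed sample lines in the format of the WLC debug and syslog output
# quoted in this thread; MACs and IPs are made up
SAMPLE_LINES = [
    "*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 Max retransmission of Access-Request "
    "(id 228) to 192.0.2.15 reached for mobile 58:94:6b:15:f5:d0",
    "*Jan 07 19:32:12.533: 58:94:6b:15:f5:d0 Returning AAA Error 'Timeout' (-5) "
    "for mobile 58:94:6b:15:f5:d0",
    "*Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Received Auth "
    "Success while in Authenticating state for mobile 0c:8b:fd:eb:16:17",
    "*dot1xMsgTask: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 Retransmit failure for "
    "EAPOL-Key M1 to mobile 0c:8b:fd:eb:16:17, retransmit count 3, mscb deauth count 0",
    "Jan 06 10:16:35 192.0.2.1 XX-002_WLAN: *Jan 06 10:16:32.709: "
    "%DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request "
    "retries (3) exceeded for client 00:19:d2:02:76:aa",
    "*Jan 07 19:31:42.710: 00:19:d2:02:76:aa Received EAP Response packet with "
    "mismatching id (currentid=2, eapid=1) from mobile 00:19:d2:02:76:aa",
]


if __name__ == "__main__":
    for mac, (stage, hints) in sorted(report(SAMPLE_LINES).items()):
        print(mac, stage)
        for h in hints:
            print("   -", h)
```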

  • EAP-TLS

    I have been tasked to implement user certificates for mobile devices.
    The certificate works on my laptop but keeps failing on the S3 device.
    Has anyone successfully deployed this solution?
    03/25/2014 08:17:26 | Authen failed | Theo-Android | Default Group | 90-18-7c-66-0f-f6 | (Default) | EAP-TLS or PEAP authentication failed during SSL handshake
    (Cisco Controller) >*apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
    *apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
    *apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Association received from mobile on AP 00:26:0a:ec:19:60
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Applying site-specific IPv6 override for station 38:aa:3c:d6:b0:cb - vapId 5, site 'default-group', interface 'secure_wifi-clients'
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Applying IPv6 Interface Policy for station 38:aa:3c:d6:b0:cb - vlan 50, interface id 8, interface 'secure_wifi-clients'
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb STA - rates (8): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb apfMs1xStateDec
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state DHCP_REQD (7)
    *apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state DHCP_REQD (7)
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5for this client
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 38:aa:3c:d6:b0:cb on AP 00:26:0a:ec:19:60 from Associated to Associated
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Sending Assoc Response to station on BSSID 00:26:0a:ec:19:60 (status 0) ApVapId 5 Slot 0
    *apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile 38:aa:3c:d6:b0:cb on AP 00:26:0a:ec:19:60 from Associated to Associated
    *pemReceiveTask: Mar 25 06:55:15.289: 38:aa:3c:d6:b0:cb 0.0.0.0 Removed NPU entry.
    *dot1xMsgTask: Mar 25 06:55:15.290: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Connecting state
    *dot1xMsgTask: Mar 25 06:55:15.291: 38:aa:3c:d6:b0:cb Sending EAP-Request/Identity to mobile 38:aa:3c:d6:b0:cb (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb Received Identity Response (count=1) from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb EAP State update from Connecting to Authenticating for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Authenticating state
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.299: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=11) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb WARNING: updated EAP-Identifier 1 ===> 11 for STA 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 11)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.307: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.307: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 11, EAP Type 3)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.308: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=12) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 12)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 12, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=13) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.337: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.338: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 13, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.338: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.341: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.341: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=14) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.342: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 14)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 14, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.355: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.356: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=15) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.356: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 15)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 15, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.409: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.410: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=16) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.410: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 16)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 16, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=17) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 17)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 17, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Processing Access-Accept for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Resetting web acl from 255 to 255
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Station 38:aa:3c:d6:b0:cb setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Creating a PKC PMKID Cache entry for station 38:aa:3c:d6:b0:cb (RSN 0)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Sending EAP-Success to mobile 38:aa:3c:d6:b0:cb (EAP Id 17)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Sending default RC4 key to mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Sending Key-Mapping RC4 key to mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb apfMs1xStateInc
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state DHCP_REQD (7)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5for this client
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Not Using WMM Compliance code qosCap 00
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 4817, Adding TMP rule
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.393: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:26:0a:ec:19:60, slot 0, interface = 1, QOS = 0
      ACL Id = 255, Jum
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006  IPv6 Vlan = 50, IPv6 intf id = 8
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (ACL ID 255)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4833, Adding TMP rule
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:26:0a:ec:19:60, slot 0, interface = 1, QOS = 0
      ACL Id = 255, Jumbo
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006  IPv6 Vlan = 50, IPv6 intf id = 8
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb Entering Backend Auth Success state (id=17) for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb Received Auth Success while in Authenticating state for mobile 38:aa:3c:d6:b0:cb
    *Dot1x_NW_MsgTask_0: Mar 25 06:55:15.451: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Authenticated state
    *pemReceiveTask: Mar 25 06:55:15.456: 38:aa:3c:d6:b0:cb 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *pemReceiveTask: Mar 25 06:55:15.459: 38:aa:3c:d6:b0:cb 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0

    I presume by S3 you mean the Samsung Galaxy S3?
    We've successfully implemented EAP-TLS on corporate iPads and iPhones but have not managed to get Samsung devices to work. There doesn't seem to be consistency with Google's Nexus devices either; some work and some don't.

  • EAP-TLS on WLC 5508 against IAS RADIUS

    Hi, has anyone experienced an issue like this?
    I am installing a WLC 5508 using EAP-TLS authentication with an IAS RADIUS server.
    I get an "Access-Accept" debug message received from the RADIUS server.
    However, the wireless client fails to connect.
    Below is part of the debug output from the WLC.
    Any feedback is welcome.
    *Oct 07 15:08:24.403:     Callback.....................................0x10c527d0
    *Oct 07 15:08:24.403:     protocolType.................................0x00140001
    *Oct 07 15:08:24.403:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.403:     Packet contains 12 AVPs (not shown)
    *Oct 07 15:08:24.403: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *Oct 07 15:08:24.404: 00:19:7d:72:b4:3b Successful transmission of Authentication Packet (id 101) to 10.86.8.105:1812, proxy state 00:19:7d:72:b4:3b-00:00
    *Oct 07 15:08:24.404: 00000000: 01 65 00 d2 d0 bc 95 1b  f7 c9 71 dd 32 cb b7 0a  .e........q.2...
    *Oct 07 15:08:24.404: 00000010: 52 eb 0c 3e 01 22 68 6f  73 74 2f 49 44 31 30 2d  R..>."host/ID10-
    *Oct 07 15:08:24.404: 00000020: 30 41 46 4a 30 33 31 2e  65 75 63 2e 6e 65 73 74  0AFJ031.euc.test
    *Oct 07 15:08:24.404: 00000030: 6c 65 2e 63 6f 6d 1f 13  30 30 2d 31 39 2d 37 64  01.com..00-19-7d
    *Oct 07 15:08:24.404: 00000040: 2d 37 32 2d 62 34 2d 33  62 1e 1a 30 30 2d 33 61  -72-b4-3b..00-3a
    *Oct 07 15:08:24.404: 00000050: 2d 39 38 2d 39 35 2d 34  36 2d 35 30 3a 57 57 53  -98-95-46-50:TES
    *Oct 07 15:08:24.404: 00000060: 33 30 30 05 06 00 00 00  01 04 06 0a 56 0c d2 20  300.........V...
    *Oct 07 15:08:24.404: 00000070: 0c 49 44 48 4f 4a 58 43  30 30 31 1a 0c 00 00 37  .IDHOJXC001....7
    *Oct 07 15:08:24.404: 00000080: 63 01 06 00 00 00 01 06  06 00 00 00 02 0c 06 00  c...............
    *Oct 07 15:08:24.404: 00000090: 00 05 14 3d 06 00 00 00  13 4f 27 02 03 00 25 01  ...=.....O'...%.
    *Oct 07 15:08:24.404: 000000a0: 68 6f 73 74 2f 49 44 31  30 2d 30 41 46 4a 30 33  host/ID10-0AFJ03
    *Oct 07 15:08:24.404: 000000b0: 31 2e 65 75 63 2e 6e 65  73 74 6c 65 2e 63 6f 6d  1.euc.nestle.com
    *Oct 07 15:08:24.404: 000000c0: 50 12 80 be 54 a7 26 52  8e 63 0f 2f 87 a5 78 53  P...T.&R.c./..xS
    *Oct 07 15:08:24.404: 000000d0: 68 6e                                             hn
    *Oct 07 15:08:24.405: 00000000: 02 65 00 34 3e c1 67 35  f7 be 57 75 43 ce 19 ca  .e.4>.g5..WuC...
    *Oct 07 15:08:24.405: 00000010: 83 5d 83 95 19 20 31 b1  03 a2 00 00 01 37 00 01  .]....1......7..
    *Oct 07 15:08:24.405: 00000020: 0a 56 08 69 01 cb 63 8b  13 1e 16 37 00 00 00 00  .V.i..c....7....
    *Oct 07 15:08:24.405: 00000030: 00 00 00 5f                                       ..._
    *Oct 07 15:08:24.405: ****Enter processIncomingMessages: response code=2
    *Oct 07 15:08:24.405: ****Enter processRadiusResponse: response code=2
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Access-Accept received from RADIUS server 10.86.8.105 for mobile 00:19:7d:72:b4:3b receiveId = 9
    *Oct 07 15:08:24.405: AuthorizationResponse: 0x1524b3d8
    *Oct 07 15:08:24.405:     structureSize................................78
    *Oct 07 15:08:24.405:     resultCode...................................0
    *Oct 07 15:08:24.405:     protocolUsed.................................0x00000001
    *Oct 07 15:08:24.405:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.405:     Packet contains 1 AVPs:
    *Oct 07 15:08:24.405:         AVP[01] Class....................................DATA (30 bytes)
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Applying new AAA override for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Inserting new RADIUS override into chain for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:24.405: 00000000: 01 00 00 04 03 ff 00 04                           ........
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:24.405: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:24.405: 00000010: 00 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:24.405: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:24.405: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:25.316: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:25.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:25.317: 00000010: 01 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:25.317: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:25.317: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:26.317: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:26.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:26.317: 00000010: 02 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:26.317: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:26.317: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:27.753: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.753: 00000000: 01 00 00 30 01 01 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.753: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.753: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.753: 00000030: 69 64 3d 31                                            id=1
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 5) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.760: 00000000: 01 01 00 00 00                                    .....
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.760: 00000000: 01 00 00 30 01 02 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.760: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.760: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.760: 00000030: 69 64 3d 31                                       id=1
    *Oct 07 15:08:27.762: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.762: 00000000: 01 00 00 25 02 01 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.762: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.762: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.764: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.764: 00000000: 01 00 00 25 02 02 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.764: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.764: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.765: AuthenticationRequest: 0x1ad0b36c
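The three identical EAPOL frames in the dump above (01 03 00 5f fe 00 89 ...) are message 1 of the WPA 4-way handshake, re-sent with replay counters 0, 1 and 2 and never answered, after which the controller falls back to a fresh EAP-Request/Identity. The decoder below is an added example, not code from the thread: it rebuilds the frames from a dump in this format and makes that pattern visible, assuming the WLC hex-dump layout shown in the post and classifying handshake messages heuristically from the Key Information flags.

```python
"""Decode the EAPOL frames in a Cisco WLC "debug client" dump (added example, not code from
the original posts). Frames are rebuilt from the "000000NN: <hex>  <ascii>" lines that follow
a "Sending/Received 802.11 EAPOL message" line; diagnose() reports an unanswered message 1."""
import re
import struct

HDR_RE = re.compile(r"(Sending|Received) 802\.11 EAPOL message")
DUMP_RE = re.compile(r": ([0-9a-f]{8}): (.*)$")
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}


def _hexbytes(col):  # hex column is 48 chars wide; the ASCII column after it may itself look like hex
    return bytes.fromhex("".join(re.findall(r"\b[0-9a-f]{2}\b", col[:48])))


def parse_frames(log_text):
    """Return [(direction, frame_bytes)] for every EAPOL frame in the dump."""
    frames, pending, collecting = [], None, False
    for line in log_text.splitlines():
        hdr, dump = HDR_RE.search(line), DUMP_RE.search(line)
        if hdr:
            pending = hdr.group(1)
        elif dump and dump.group(1) == "00000000":   # first line of a dump; without a preceding
            collecting = pending is not None         # EAPOL header (e.g. a RADIUS packet) it is skipped
            if collecting:
                frames.append([pending, _hexbytes(dump.group(2))])
            pending = None
        elif dump and collecting:                    # continuation line of the current frame
            frames[-1][1] += _hexbytes(dump.group(2))
    return [tuple(f) for f in frames]


def decode_eapol(frame):
    """Decode the EAPOL header and the EAP or EAPOL-Key fields that matter here."""
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    info = {"version": version, "type": EAPOL_TYPES.get(ptype, ptype)}
    if ptype == 0 and len(body) >= 4:          # EAP-Packet: code, id, length, [type]
        info.update(eap_code=EAP_CODES.get(body[0], body[0]), eap_id=body[1],
                    eap_type=EAP_TYPES.get(body[4], body[4]) if len(body) > 4 else None)
    elif ptype == 3 and len(body) >= 95:       # EAPOL-Key: the fixed part is 95 bytes
        desc, key_info, key_len = struct.unpack("!BHH", body[:5])
        info.update(descriptor={0xFE: "WPA", 0x02: "RSN"}.get(desc, desc),
                    key_info=key_info, key_len=key_len,     # key_len 32 = TKIP, 16 = CCMP
                    descriptor_version=key_info & 0x7,      # 1 = HMAC-MD5/RC4, 2 = HMAC-SHA1/AES
                    pairwise=bool(key_info & 0x08), install=bool(key_info & 0x40),
                    ack=bool(key_info & 0x80), mic=bool(key_info & 0x100),
                    replay_counter=int.from_bytes(body[5:13], "big"), anonce=body[13:45].hex(),
                    key_data_len=int.from_bytes(body[93:95], "big"))
        info["handshake_message"] = _handshake_message(info)
    return info


def _handshake_message(k):
    # Key Information flags: msg 1 = ACK, no MIC; msg 3 = ACK+MIC+Install;
    # msgs 2/4 = MIC, no ACK, and only msg 2 carries key data (the supplicant's WPA/RSN IE).
    if not k["pairwise"]:
        return "group"
    if k["ack"]:
        return 1 if not k["mic"] else (3 if k["install"] else None)
    if k["mic"]:
        return 2 if k["key_data_len"] else 4
    return None


def diagnose(log_text):
    """Did the supplicant ever answer message 1 of the 4-way handshake?"""
    decoded = [(d, decode_eapol(f)) for d, f in parse_frames(log_text)]
    sent_m1 = [i for d, i in decoded if d == "Sending" and i.get("handshake_message") == 1]
    return {"frames": len(decoded),
            "msg1_replay_counters": [i["replay_counter"] for i in sent_m1],
            "same_anonce": len({i["anonce"] for i in sent_m1}) == 1,
            "supplicant_answered_key": any(d == "Received" and i["type"] == "EAPOL-Key" for d, i in decoded),
            "restarted_with_identity": any(i.get("eap_type") == "Identity" for _, i in decoded)}

# Constructed sample built from the EAPOL lines quoted in this post; retransmissions 2 and 3 of
# message 1 differ only in the replay-counter byte, so they are derived from the first here.
SUCCESS = r"""*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:24.405: 00000000: 01 00 00 04 03 ff 00 04                           ........
"""
MSG1 = r"""*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:24.405: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
*Oct 07 15:08:24.405: 00000010: 00 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
*Oct 07 15:08:24.405: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
*Oct 07 15:08:24.405: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
*Oct 07 15:08:24.405: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
*Oct 07 15:08:24.405: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
*Oct 07 15:08:24.405: 00000060: 00 00 00                                          ...
"""
RESTART = r"""*Oct 07 15:08:27.753: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:27.753: 00000000: 01 00 00 30 01 01 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
*Oct 07 15:08:27.753: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
*Oct 07 15:08:27.753: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
*Oct 07 15:08:27.753: 00000030: 69 64 3d 31                                       id=1
*Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 5) from mobile 00:19:7d:72:b4:3b
*Oct 07 15:08:27.760: 00000000: 01 01 00 00 00                                    .....
"""
SAMPLE = (SUCCESS + MSG1 + MSG1.replace("00000010: 00 3e", "00000010: 01 3e")
          + MSG1.replace("00000010: 00 3e", "00000010: 02 3e") + RESTART)
```

On the sample, diagnose() reports three message-1 transmissions with the same ANonce and replay counters 0, 1, 2, no EAPOL-Key ever received from the station, and a restart with EAP-Request/Identity, which is the controller-side view of "Unable to transmit key to mobile".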

    Thanks for your reply, jedubois.
    Really appreciate it.
    I have tried changing the value for EAPOL-Key Timeout; the client still won't connect.
    Below is the output of the advanced EAP config:
    (Cisco Controller) >show advanced eap
    EAP-Identity-Request Timeout (seconds)........... 30
    EAP-Identity-Request Max Retries................. 2
    EAP Key-Index for Dynamic WEP.................... 0
    EAP Max-Login Ignore Identity Response........... enable
    EAP-Request Timeout (seconds).................... 30
    EAP-Request Max Retries.......................... 2
    EAPOL-Key Timeout (milliseconds)................. 5000
    EAPOL-Key Max Retries............................ 2
    (Cisco Controller) >
    Any other suggestion?

  • 802.1X EAP-TLS User Certificate Errors

    I'm trying to implement 802.1X using EAP-TLS to authenticate our wireless users/clients (Windows 7 computers). I did a fair amount of research on how to implement this solution and everything seems to work fine when authentication mode is set to "Computer Authentication". However, when authentication mode is set to "User or Computer" or just "User" it fails. I get a "certificate is required to connect" pop-up and it's unable to connect.
    No errors on the NPS side, but I enabled logging on the client (netsh ras set tracing * ENABLED) and this is what I can see. It seems as if there is a problem with the client certificate:
    [236] 06-04 09:26:35:704: EAP-TLS using All-purpose cert
    [236] 06-04 09:26:35:720:  Self Signed Certificates will not be selected.
    [236] 06-04 09:26:35:720: EAP-TLS will accept the  All-purpose cert
    [236] 06-04 09:26:35:720: EapTlsInitialize2: PEAP using All-purpose cert
    [236] 06-04 09:26:35:720: PEAP will accept the  All-purpose cert
    [236] 06-04 09:26:35:720: EapTlsInvokeIdentityUI
    [236] 06-04 09:26:35:720: GetCertInfo flags: 0x40082
    [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
    [236] 06-04 09:26:35:720: DwGetEKUUsage
    [236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
    [236] 06-04 09:26:35:720: FCheckSCardCertAndCanOpenSilentContext
    [236] 06-04 09:26:35:720: DwGetEKUUsage
    [236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
    [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
    [236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
    [236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
    [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
    [236] 06-04 09:26:35:720: DwGetEKUUsage
    [236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
    [236] 06-04 09:26:35:720: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
    Also, in the event viewer I get the following:
    Wireless 802.1x authentication failed.
    Network Adapter: Dell Wireless 1510 Wireless-N WLAN Mini-Card
    Interface GUID: {64191d46-0ea6-4251-86bb-7d6de5701025}
    Local MAC Address: C4:17:FE:48:F2:79
    Network SSID: *****
    BSS Type: Infrastructure
    Peer MAC Address: 00:12:17:01:F7:2F
    Identity: NULL
    User: presentation
    Domain: ****
    Reason: Explicit Eap failure received
    Error: 0x80420014
    EAP Reason: 0x80420100
    EAP Root cause String: Network authentication failed\nThe user certificate required for the network can't be found on this computer.
    I created user and computer certificates by duplicating the "User" and "Computer" templates in AD CS. I modified the "Subject Name" to "Build from Active Directory information". "Subject Name Format" is set to "Fully Distinguished Name" and "User Principal Name (UPN)" is checked. All other boxes are cleared. I verified that certificates for user, computer, and root CA are all correctly auto-enrolled. I also verified that the user certificate exists in the "Personal" user certificate store on the client.
    There is clearly something wrong with the user certificate, but what? I'm at my wits' end as I have tried everything. Please help!

    Hey,
    I am in precisely the same situation now. I have a Win7 client with Server 2008 R2 (with AD and DNS) running NPS. I have certificate templates and auto-enrollment configured. My Win7 machine is able to authenticate using its computer certificate, but when I use the user certificate it doesn't work. Both user and computer certificates are coming from the AD enterprise root CA. NPS has the right certificate. I have verified on the client that both the user and the local machine have their respective certificates in their personal stores.
    I have tried all possible combinations and even tried changing the key provider, but no use.
    [6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
    [6472] 12-10 13:39:04:327: FCheckSCardCertAndCanOpenSilentContext
    [6472] 12-10 13:39:04:327: DwGetEKUUsage
    [6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
    [6472] 12-10 13:39:04:327: FCheckUsage: All-Purpose: 1
    [6472] 12-10 13:39:04:327: Acquiring Context for Container Name: le-LM-USER-4aa6cf55-b6b7-491e-ad5b-735e44eaf3c7, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
    [6472] 12-10 13:39:04:327: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
    [6472] 12-10 13:39:04:327: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
    [6472] 12-10 13:39:04:327: EAP-TLS using All-purpose cert
    [6472] 12-10 13:39:04:327:  Self Signed Certificates will not be selected.
    [6472] 12-10 13:39:04:327: EAP-TLS will accept the  All-purpose cert
    I have been stuck on this for the last few days with no real cause known as yet!
    Any help will be thoroughly appreciated!!!

  • EAP-TLS certificates across multiple computers?

    Hi
    So I've got EAP-TLS working with W2k IAS/Certificate Services and an AP1100. My clients are all XP/2000 notebooks and each machine has a computer certificate. The problem is that the notebooks are generic (not user specific), and the notebook that user1 got today may not be the same notebook that user1 gets tomorrow, and therefore he/she will not be able to log in tomorrow (because their user certificate is stored on the first notebook they had, the one that they used to request the cert). Is there any way to have the user certificates follow the user, regardless of which PC they log on to the domain with? Maybe with roaming profiles or something like that. Any ideas? Thanks.

    You could roll back to PEAP, using LDAP or MSCHAPv2 for authentication. You'll still authenticate the server and get dynamic keys, but the client authentication will still occur at the domain level.
    Other than that, I don't think you can have a "mobile/portable" certificate (that would be more like a SecureID fob).
    FWIW
    Scott

  • EAP-TLS not working with iOS 4.1

    Hello,
    I've got a lot of iPhones in my enterprise.
    I've configured them with a user certificate to authenticate on the wireless network using EAP-TLS mode, choosing the user certificate and giving the username, and it was working.
    Sometimes "can't connect to network" appeared, but after a lot of tries it worked.
    Once the network is configured, it works all the time.
    Since 4.1.3, I can't configure this network: I can't approve my RADIUS server certificate (so I succeed in authenticating from the server).
    I've already tried putting my root CA certificate on the iPhone; it doesn't change anything (it should be trusted! All server certificates are from this CA).
    I've tried to preconfigure this wireless network with the iPhone Configuration Utility; not working.
    iPhone 3GS, iPhone 4 since iOS 4.1.3

    Here is the dump log obtained via the iPhone Configuration Utility, with the certificate deployed but the network configured manually:
    Oct 14 15:40:41 unknown wifid[29] <Error>: WiFi:[340292441.191866]: Processing link event UP
    Oct 14 15:40:41 unknown kernel[0] <Debug>: AppleBCMWLANCore::setDISASSOCIATE() [wifid]:
    Oct 14 15:40:41 unknown kernel[0] <Debug>: AppleBCMWLANCore::setASSOCIATE() [wifid]:  lowerAuth = AUTHTYPE_OPEN, upperAuth = AUTHTYPE_WPA2_8021X, key = CIPHER_NONE    , 802.1X .
    Oct 14 15:40:41 unknown kernel[0] <Debug>: [6225.861292541]: AppleBCMWLANNetManager::prepareToBringUpLink(): Delaying powersave entry in order to get an IP address
    Oct 14 15:40:41 unknown kernel[0] <Debug>: AppleBCMWLAN Joined BSS:     @ 0xc0befa00, BSSID = 00:15:70:e6:6d:90, rssi = -41, rate = 54 (100%), channel =  1, encryption = 0x8, ap = 1, failures =   0, age = 9, ssid[11] = "TAO_Employe"
    Oct 14 15:40:41 unknown kernel[0] <Debug>: AirPort: Link Up on en0
    Oct 14 15:40:41 unknown kernel[0] <Debug>: en0: BSSID changed to 00:15:70:e6:6d:90
    Oct 14 15:40:41 unknown eapolclient[410] <Notice>: eaptls_verify_server: server certificate not trusted, status 3 0
    Oct 14 15:40:41 unknown Preferences[101] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: User Information required
    Oct 14 15:40:41 unknown Preferences[101] <Warning>: -[APOtherNetworkController keyboardWillShow:]
    Oct 14 15:40:42 unknown kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
    Oct 14 15:40:43 unknown Preferences[101] <Warning>: -[VPNBundleController _vpnConfigurationChanged:] (0x278960:<VPNBundleController: 0x278960>): _serviceCount(3), serviceCount(3), toggleInRootMenu(0), RootMenuItem(1)
    Oct 14 15:40:45 unknown wifid[29] <Error>: WiFi:[340292445.893128]: Already associating, will not queue request.
    Oct 14 15:40:46 unknown UserEventAgent[12] <Warning>: Unable to cancel system wake for 2011-10-14 15:40:31 +0200. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
    Oct 14 15:40:51 unknown kernel[0] <Debug>: [6235.874083208]: AppleBCMWLANNetManager::handleDelayedPowerManagementTimeout(): Timed out waiting for IP address, entering powersave mode: 2

  • Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS

    In Windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP: "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate on this computer" and un-checked "Use simple certificate selection".
    My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I cannot get the self-signed certificate to appear on the "Choose a certificate" drop-down.
    Are self-signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not with a certificate server).
    TIA,
    -Rick

    Hi Rick,
    Thank you for your patience.
    According to your description, would you please let me know what command you were using to make a self-signed certificate with the makecert tool? I would like to try to reproduce this issue. Also, based on my experience, please let me know if the certificate has a private key associated and is present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to the personal store.
    Best regards,
    Steven Song

  • Cisco ACS with External DB - EAP-TLS

    Hi Guys,
    I understand how the EAP-TLS exchange works (I think), but if I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following?
    Let's say both user and computer certs are employed:
    1. Both client and ACS perform a check with each other's certs to ensure they are known to each other. The EAP-TLS exchange.
    2a. At some stage, and I am assuming before the EAP-TLS success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
    2b. What is the parameter that is checked against the AD database?
    I read here that it can be: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
    Client Certificates
    Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
    CN (or Name) Comparison - Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
    SAN Comparison - Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
    Binary Comparison - Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
    3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the cert by the ACS and checked against AD, is that correct? With option 3, does the ACS perform a full comparison of the certificate between what the client has and a "client stored cert" in the AD DB?
    Please can someone help me with these points.
    I am so lost in this stuff :)) I think.
    Many thx and many kind regards,
    Ken

    Only the TLS *handshake* is completed/successful, but because user authentication fails,
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
    EAP: EAP-TLS: Handshake succeeded
    EAP: EAP-TLS: Authenticated handshake
    EAP: EAP-TLS: Using CN from certificate as identity for authentication
    EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
    pvAuthenticateUser: authenticate 'jatin' against CSDB
    pvCopySession: setting session group ID to 0.
    pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
    pvAuthenticateUser: authenticate 'jatin' against Windows Database
    External DB [NTAuthenDLL.dll]: Creating Domain cache
    External DB [NTAuthenDLL.dll]: Loading Domain Cache
    External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Domain cache loaded
    External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
    External DB [NTAuthenDLL.dll]: User jatin was not found
    pvCheckUnknownUserPolicy: setting session group ID to 0.
    Unknown User 'jatin' was not authenticated
    So the EAP-Failure (RADIUS Access-Reject) is sent, not EAP-Success (RADIUS Access-Accept).
    And any port/point won't be allowed to pass traffic unless the NAS device gets an EAP-Success (RADIUS Accept) for the user.
    HTH
    Regards,
    Prem
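As an added example (not from the thread, and not Cisco ACS code), the three ACS comparison modes Ken quotes and the post-handshake user lookup that Prem's log shows, modelled in Go: a constructed self-signed client certificate is checked against an in-memory directory, and a user missing from the directory ends in a reject even though the TLS handshake succeeded. The rfc822Name SAN standing in for a UPN and the directory entries are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// DirUser stands in for an AD/LDAP entry; CertDER is the binary "usercertificate" attribute.
type DirUser struct{ Username, UPN string; CertDER []byte }

// newClientCert builds a throwaway self-signed client cert for the demo (an rfc822Name SAN
// stands in for the UPN otherName a real AD deployment would carry).
func newClientCert(cn, san string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo only: error ignored
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		EmailAddresses: []string{san}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // cert.Raw now holds the DER bytes
	return cert
}

// identityMatches applies one ACS comparison mode ("cn", "san", "binary") to one entry.
func identityMatches(cert *x509.Certificate, mode string, u DirUser) bool {
	switch mode {
	case "cn":
		return cert.Subject.CommonName == u.Username
	case "san":
		return len(cert.EmailAddresses) > 0 && cert.EmailAddresses[0] == u.UPN
	}
	return string(cert.Raw) == string(u.CertDER) // binary: the whole DER must match
}

// lookupIdentity is the step after the TLS handshake succeeds: the identity taken from
// the cert must resolve to a directory user, otherwise EAP-Failure / Access-Reject follows.
func lookupIdentity(cert *x509.Certificate, mode string, db []DirUser) (string, bool) {
	for _, u := range db {
		if identityMatches(cert, mode, u) {
			return u.Username, true
		}
	}
	return "", false
}
```

Binary comparison is the only mode that also rejects a re-issued certificate carrying the same CN and SAN, since it compares the stored DER rather than a name field.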

  • Eap-tls configuration assistance

    I am trying to get EAP-TLS working on my wireless network with machine authentication. I have followed the numerous configuration guides on CCO but seem to be running around in circles, so can someone please give me a sanity check.
    Scenario
    MS CA (Windows 2008 Server)
    MS DC (Windows 2003 Server)
    ACS 4.2 (Windows 2003 Server)
    WLC 4402 (5.2)
    LWAP AIR-LAP1142N-N-K9
    Client MS XP SP3
    I have confirmed that the certificates are valid on both the ACS and the client.
    The problem I have is that I see the client associate, but it fails authentication. When I look in the ACS failed attempts log, I see:
    13/07/2009 11:19:17 Authen failed host/e26458.internal.company Default Group 00-12-F0-82-77-2D (Default) External user not found .. .. 1 10.10.10.100 .. .. 13 EAP-TLS .. TWLC01 CITY
    I have configured ACS for Unknown User Policy and have the client e26458 in AD.
    I would like some advice from people who have successfully implemented EAP-TLS, as I have hit a brick wall. I have attached the results of debug aaa events enable, debug aaa detail enable, debug dot1x events enable and debug dot1x states enable on the WLC.
    frustratingly yours

    I am unable to open the attachment; anyway, let me tell you a few things which you should confirm while using certificates.
    1. Both your client and server certificates should be from the same authority.
    2. The username to which the certificate was issued should be in your ACS database.
    3. Confirm the validity of both your CA and device certificates.
    Just to confirm this is not an issue with your ACS server, you can install the cert in your controller and try to authenticate the client using local auth. If this works then your certs are perfect, and you should verify your ACS configuration.

  • EAP-TLS 802.1x certificate issue..

    Hi All,
    I'm trying to set up EAP-TLS 802.1x using ACS SE 4.1.1.23.4, WLC & CA. The problem I'm facing is with installing the CA certificate on the ACS appliance. Tried everything from Cisco docs but not able to install the certificate as it's giving "Unsupported private key file format." The steps which I had performed are...
    1) Generate Certificate Signing Request:
    Certificate subject ---- CN=idea_acs_01
    Private key file ---- privatekeyfile.pem
    Private key password -- cisco
    Retype private key password -- cisco
    Key length --- 1024
    Digest to sign with --- SHA1
    Then copied the certificate signing request from the right side & pasted it on the CA using "advanced certificate request" & then the "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file" option on the CA & pasted the output in the Base-64-encoded certificate request. Then issued the certificate from the CA & downloaded it on my desktop & then from my desktop to the FTP server.
    Even made a file named privatekeyfile.pem with the output obtained during Generate Certificate Signing Request & uploaded the same to FTP.
    2) Install ACS Certificate:
    Then downloaded the certificate certnew.cer from the FTP server using the Download certificate file option. And also Download private key file from the FTP & typed password cisco. But after Submitting it gives error:
    "Unsupported private key file format."
    I'm not able to get why this error is coming. Even tried all the steps above changing the format of the private key file, i.e. .pvk, .pk, but it's not working for me.
    Can anyone guide me what's the issue? Thanks in advance..
    Regards,
    Piyush

    Have you looked at this:
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00804b976b.shtml#appb
    Try to open up the certificate and verify that it looks something like this:
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

  • EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OIDs

    We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press book Windows Server 2008 PKI and Certificate Security gives an example of how to configure a policy in NPS that matches specific EKU OIDs. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OIDs in our certificates, but our setup is not working as expected. Authentications will only be successful if the client authenticates with the certificate that is matched by the first policy rule.
    For example:
    Policy 1: allowed-certificate-OID --> corporate
    Policy 2: allowed-certificate-OID --> private
    Client authenticates with EKU corporate --> success
    Client authenticates with EKU private --> reject
    My expectation was that if Policy 1 does not match, the NPS goes on to Policy 2 and tries to authenticate the client.
    Has anyone a similar setup or can help to figure out what is going wrong?
    We have a WLC 5508 with Software Version 7.4.100.0 and an NPS on a Windows Server 2008 R2
    regards
    Fabian

    The policy rejects and the NPS goes to the next policy only if the user does not belong to the configured group.
    This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work only with one group for each user, because the first policy that matches an AD group the user belongs to could have an OID that is not in the certificate. This would cause a reject with reason code 73:
    The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
    The certificate does include this OID but not the custom EKU.
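As an added example (not from the thread, and not Microsoft NPS code), a Go model of the evaluation order Fabian describes: the group condition selects the first matching policy, and that policy's allowed-certificate-OID constraint then accepts or rejects without falling through to the next policy. The group names and the two custom OIDs are constructed placeholders; only the Client Authentication OID 1.3.6.1.5.5.7.3.2 is taken from the thread.

```go
package main

import (
	"crypto/x509"
	"encoding/asn1"
)

// Client Authentication EKU (from the reason-code-73 text) plus two constructed placeholder OIDs.
var (
	oidClientAuth = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}
	oidCorporate  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // placeholder
	oidPrivate    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2} // placeholder
)

// Policy models one NPS network policy: the group condition selects it, then its
// allowed-certificate-OID constraint is enforced on that policy alone.
type Policy struct {
	Name, Group string
	AllowedOID  asn1.ObjectIdentifier
}

// hasEKU reports whether the parsed certificate carries the given EKU OID.
func hasEKU(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, e := range cert.ExtKeyUsage {
		if e == x509.ExtKeyUsageClientAuth && oid.Equal(oidClientAuth) {
			return true
		}
	}
	for _, u := range cert.UnknownExtKeyUsage { // Go parks non-standard EKU OIDs here
		if u.Equal(oid) {
			return true
		}
	}
	return false
}

// evaluate returns (policy name, 0) on accept or ("", reason code) on reject.
func evaluate(policies []Policy, userGroups map[string]bool, cert *x509.Certificate) (string, int) {
	for _, p := range policies {
		if !userGroups[p.Group] {
			continue // condition not met: NPS moves on to the next policy
		}
		// First matching policy decides; a failed EKU constraint rejects instead of falling through.
		if !hasEKU(cert, oidClientAuth) || !hasEKU(cert, p.AllowedOID) {
			return "", 73 // NPS reason code 73, as quoted in the thread
		}
		return p.Name, 0
	}
	return "", -1 // no policy matched (constructed code, not an NPS reason)
}
```

A user in both groups presenting the "private" certificate is caught by Policy 1 and rejected with 73, which is the behaviour the thread reports; the same user in only the "private" group is accepted by Policy 2.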
