WLC configuration for EAP-TLS

Hi,
I am tring to set up a Cisco WLC 2006 with EAP-TLS + WPA.
Everytime I try to log in to the network my wireless card gives a message saying " validating user", but nothing else happens.
I cannot find any manual for configuring this. Can anyone perhaps assist?
Regards
Dean

More details would be helpful:
What RADIUS server are you using, what CA are you using, where (what VLAN) they located, which port of the WLC are you connected to (RADIUS/CA)?
Are you using the Vendor's client software or MS wireless zero config? Which version? or Linux? Which distribution/version?
Having this info will be a good start ...
Let us know
Scott

Similar Messages

Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
Any ideas of what might be the issue or misconfiguration?

Jim,
I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
May need to open a TAC case to see if this issue is on the 550x controllers also.
Thanks,
Tarik

Need configuration guide for EAP-TLS

I need to setup the AP-1200 I have for EAP-TLS. Anyone know of some good documentation that I can use to configure this? I already have the CA and RADIUS servers up and going.
Thanks in advance for your help.

Here are some docs that I used when setting up EAP-TLS with my Cisco 350 APs and Cisco 340/350 wireless client adapters. I made notes in them but they were derived from Cisco support originally. I've found that Win2K clients have more trouble with authenticaion because they must have the 802.11x engine installed (MS update/hotfix) which I've found only can be installed on clients running SP3 (not SP2 or even SP4). Kinda weird. Anyways, you'll probably have the best luck with XP clients because of its native 802.11x support that's built in.
Hope that helps...

CA Requirement for EAP-TLS

Hello All,
I am aware there is a Cisco Requirement for "User certificates " and "AAA certificates" used in EAP-TLS. Does anyone know what the requirements are for the CA cetificates in EAP-TLS please?
Thanks.

Hi,
You need to have 2 certificates on client and your radius server.
First certificate is the "Root Cert" which is the same on both devices.
The second certificate is the "User Cert" which is unique for every client and aaa server.
Below you can find more details for EAP-TLS:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml
Regards.

Issue with iphone configuration utility: eap-tls certificate selection

hello,
I am a new Apple user so if there's anything obvious, please bear with me. I also tried to search in the forum but didn't find any solution.
here's my issue:
I use iphone configuration utility v2.1 for windows. I added 2 certificates(one user cert and one CA cert) under 'credentials'. then i configured one wifi network (eap-tls using the certificate i justed added). then i synced with my phone. everything worked fine so far. however, when I tried to connect to wifi, i got error and found out that iphone was using a certificate issued by IPCU CA instead of the certificate i uploaded.
this behavior could be corrected by manually change the certificate from wireless setting. however, this has to be done every time I try to connect to wireless network which is quite frustrated. a workaround is to email me the certificate and install it from iphone. but i can't install the CA certificate via this way.
i am wondering if anyone has similar issue and how to fix this.
thanks,
-ns

the configuration utility doesn't allow you to select the iPCU cert which is kind of a self signed by the software. you could only select the cert that you imported.
upgraded to ipcu ver 2.2 today and it seems to fix the problem. will monitor it for several days and report back.

EAP Authentication Configuration for EAP-FAST and PEAP

Hi Everyone,
I pretty much got EAP working, however using LEAP
When I get to EAP-FAST and PEAP, I just can't seem to get it to work
What am I missing, I do know that EAP-FAST and PEAP involve certificates. However, how do i set them up on the client side?
Hope you guys can help me on this, stuck on this part xD

EAP is a complicated subject for sure. But it shouldn't be really once you know the foundation.
EAP-PEAP can use server side and client side and EAP-FAST can as well. It all depends how its deployed.
Generally speaking, most deployments of PEAP use server side only and EAP-FAST uses PACS only.
The cert that you install on the radius server for PEAP is passed to the wireless supplicant and is used by the supplicant to hash the logon and password from the user. This hash is passed back to the radius server who has the private key who can decode the hash and pass the user ID and password back to AD for example.
Hope this helps ..

5508 - iPad getting disconnected from WLAN Using EAP-TLS

We are seeing an issue with an ipad connecting to a WLAN configured for EAP-TLS using ISE 1.2, getting disconnected. The ipad will hop top another SSID. It will connect back to the other ssid when selected. Any ideas? I have a debug client for when this happened.
*apfMsConnTask_0: Apr 08 14:03:57.508: Association request from the P2P Client Process P2P Ie and Upadte CB
*apfMsConnTask_7: Apr 08 14:04:57.855: Association request from the P2P Client Process P2P Ie and Upadte CB
*apfMsConnTask_5: Apr 08 14:05:17.345: 04:54:53:7b:9e:7a Association received from mobile on BSSID 54:78:1a:2f:84:56
*apfMsConnTask_5: Apr 08 14:05:17.345: 04:54:53:7b:9e:7a Global 200 Clients are allowed to AP radio
*apfMsConnTask_5: Apr 08 14:05:17.345: 04:54:53:7b:9e:7a Max Client Trap Threshold: 0 cur: 4
*apfMsConnTask_5: Apr 08 14:05:17.345: 04:54:53:7b:9e:7a Rf profile 600 Clients are allowed to AP wlan
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 172.30.230.213 RUN (20) Skipping TMP rule add
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a apfMsRunStateDec
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 172.30.230.213 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Complete to Mobility-Incomplete
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) Reached ERROR: from line 6355
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [54:78:1a:2f:84:50]
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 730
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a Re-applying interface policy for client
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
*apfMsConnTask_5: Apr 08 14:05:17.346: 04:54:53:7b:9e:7a 0.0.0.0 DHCP_REQD (7) Changing IPv6 ACL 'none' (ACL ID

Use profiles for the wifi settings on the iPad
A reset of network settings will clear the network history, but the profile will add it back in automatically
http://images.apple.com/ipad/business/docs/iOS_Deployment_Technical_Reference_EN_Feb14.pdf
Great Cisco doc for BP and troubleshooting of Apple devices:
Enterprise Best Practices for Apple Mobile Devices on Cisco ...
Make sure the app uses URIPersistWifi call
https://developer.apple.com/library/ios/documentation/iphone/conceptual/iphoneosprogrammingguide/PerformanceTuning/PerformanceTuning.html

Cisco WLC EAP-TLS configuration

I need help. I'm trying to configure virtual WLC for EAP-TLS authentication. I configured that, but I don't know where I can set CRL (certificate revocation list) or OCSP (Online Certificate Status Protocol). I must to use this technolodgy for deny access for laid-off employees.

CRL and OCSP are both part of the certificate itself. Your CA must add the URL for these services when the cert is generated. The WLC does not get configured with the URL for these services. The WLC simply knows the Radius Server IP(s) and has the root cert installed so it can handle the TLS authentication.

WLC EAP-TLS

Hi,
My Wireless network consists of 8 WLC and 2 Cisco ACS 1113 with 4.2. I need to implement certificate authentication for Cisco Wireless Phone SSID. I tried PEAP along with certificate generated by Microsoft Cert Server, but the issue is the client can ignore the certificate and I believe only way to force is via Active Directory group policy.
So as my Cisco IP Phones are not joined to Active Directory I think the only option is to use EAP-TLS. For this I have the following Queries.
•1.     What will be the SSID security setting. ( I tried Layer 2 802.X with WEP 104bit encryption)
•2.     Do I need to install any certificate on WLC if yes which Certificate (Ex root, Client)
•3.     What Certificate should be installed on Client.
•4.     What should be the client PC security setting for EAP-TLS
I had gone through the following Docs for reference.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml
https://supportforums.cisco.com/docs/DOC-24723
Thanks
Nibin

Dear Philip,
Thanks for your reply. Actually the setting is working for Laptops only issue with Wireless IP Phones.
Please find the logs from Cisco ACS. I followed the deployment guide for IP Phone.
AUTH 02/10/2013 13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate A
AUTH 02/10/2013 13:29:58 I 2009 1756 0xb EAP: EAP-TLS: Handshake failed
AUTH 02/10/2013 13:29:58 E 2255 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL recv alert fatal:bad certificate
AUTH 02/10/2013 13:29:58 E 2258 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL ext error reason: 412 (Ext error code = 0)
AUTH 02/10/2013 13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2198
AUTH 02/10/2013 13:29:58 I 0526 1756 0xb EAP: EAP-TLS: Unknown EAP code Unknown EAP code
AUTH 02/10/2013 13:29:58 I 0366 1756 0xb EAP: EAP state: action = send
AUTH 02/10/2013 13:29:58 I 1151 1756 0xb [AuthenProcessResponse]:[eapAuthenticate] returned -2198
AUTH 02/10/2013 13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7, seq_id=7)
AUTH 02/10/2013 13:29:58 I 5501 1756 0xb Done UDB_SEND_RESPONSE, client 50, status UDB_EAP_TLS_INVALID_CERTIFICATE
Thanks
Nibin Rodrigues

EAP-TLS on WLC 5508 agains IAS RADIUS

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0cm;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
Hi, anyone experienced issue like this?
I am installing a WLC 5508 using EAP-TLS authentication with an IAS Radius server.
I got “Access-Accept” debug message received from RADIUS server.
However the wireless client failed to connect.
Below is partially the debug message from the WLC
Any feedbacks are welcome
*Oct 07 15:08:24.403:     Callback.....................................0x10c527d0
*Oct 07 15:08:24.403:     protocolType.................................0x00140001
*Oct 07 15:08:24.403:     proxyState...................................00:19:7D:72:B4:3B-09:00
*Oct 07 15:08:24.403:     Packet contains 12 AVPs (not shown)
*Oct 07 15:08:24.403: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Oct 07 15:08:24.404: 00:19:7d:72:b4:3b Successful transmission of Authentication Packet (id 101) to 10.86.8.105:1812, proxy state 00:19:7d:72:b4:3b-00:00
*Oct 07 15:08:24.404: 00000000: 01 65 00 d2 d0 bc 95 1b f7 c9 71 dd 32 cb b7 0a .e........q.2...
*Oct 07 15:08:24.404: 00000010: 52 eb 0c 3e 01 22 68 6f 73 74 2f 49 44 31 30 2d R..>."host/ID10-
*Oct 07 15:08:24.404: 00000020: 30 41 46 4a 30 33 31 2e 65 75 63 2e 6e 65 73 74 0AFJ031.euc.test
*Oct 07 15:08:24.404: 00000030: 6c 65 2e 63 6f 6d 1f 13 30 30 2d 31 39 2d 37 64 01.com..00-19-7d
*Oct 07 15:08:24.404: 00000040: 2d 37 32 2d 62 34 2d 33 62 1e 1a 30 30 2d 33 61 -72-b4-3b..00-3a
*Oct 07 15:08:24.404: 00000050: 2d 39 38 2d 39 35 2d 34 36 2d 35 30 3a 57 57 53 -98-95-46-50:TES
*Oct 07 15:08:24.404: 00000060: 33 30 30 05 06 00 00 00 01 04 06 0a 56 0c d2 20 300.........V...
*Oct 07 15:08:24.404: 00000070: 0c 49 44 48 4f 4a 58 43 30 30 31 1a 0c 00 00 37 .IDHOJXC001....7
*Oct 07 15:08:24.404: 00000080: 63 01 06 00 00 00 01 06 06 00 00 00 02 0c 06 00 c...............
*Oct 07 15:08:24.404: 00000090: 00 05 14 3d 06 00 00 00 13 4f 27 02 03 00 25 01 ...=.....O'...%.
*Oct 07 15:08:24.404: 000000a0: 68 6f 73 74 2f 49 44 31 30 2d 30 41 46 4a 30 33 host/ID10-0AFJ03
*Oct 07 15:08:24.404: 000000b0: 31 2e 65 75 63 2e 6e 65 73 74 6c 65 2e 63 6f 6d 1.euc.nestle.com
*Oct 07 15:08:24.404: 000000c0: 50 12 80 be 54 a7 26 52 8e 63 0f 2f 87 a5 78 53 P...T.&R.c./..xS
*Oct 07 15:08:24.404: 000000d0: 68 6e                                             hn
*Oct 07 15:08:24.405: 00000000: 02 65 00 34 3e c1 67 35 f7 be 57 75 43 ce 19 ca .e.4>.g5..WuC...
*Oct 07 15:08:24.405: 00000010: 83 5d 83 95 19 20 31 b1 03 a2 00 00 01 37 00 01 .]....1......7..
*Oct 07 15:08:24.405: 00000020: 0a 56 08 69 01 cb 63 8b 13 1e 16 37 00 00 00 00 .V.i..c....7....
*Oct 07 15:08:24.405: 00000030: 00 00 00 5f                                       ..._
*Oct 07 15:08:24.405: ****Enter processIncomingMessages: response code=2
*Oct 07 15:08:24.405: ****Enter processRadiusResponse: response code=2
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Access-Accept received from RADIUS server 10.86.8.105 for mobile 00:19:7d:72:b4:3b receiveId = 9
*Oct 07 15:08:24.405: AuthorizationResponse: 0x1524b3d8
*Oct 07 15:08:24.405:     structureSize................................78
*Oct 07 15:08:24.405:     resultCode...................................0
*Oct 07 15:08:24.405:     protocolUsed.................................0x00000001
*Oct 07 15:08:24.405:     proxyState...................................00:19:7D:72:B4:3B-09:00
*Oct 07 15:08:24.405:     Packet contains 1 AVPs:
*Oct 07 15:08:24.405:         AVP[01] Class....................................DATA (30 bytes)
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Applying new AAA override for station 00:19:7d:72:b4:3b
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
    source: 4, valid bits: 0x0
    qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    dataAvgC: -1, rTAvgC
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Inserting new RADIUS override into chain for station 00:19:7d:72:b4:3b
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
    source: 4, valid bits: 0x0
    qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    dataAvgC: -1, rTAvgC
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:24.405: 00000000: 01 00 00 04 03 ff 00 04                           ........
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:24.405: 00000000: 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 ..._............
*Oct 07 15:08:24.405: 00000010: 00 3e 5d 2a e3 2a c2 22 71 0b 06 e8 42 6c 3c bf .>]*.*."q...Bl<.
*Oct 07 15:08:24.405: 00000020: 45 1e 5c e7 a1 68 ae 0c c0 9f 22 ce 0c 3e 96 45 E.\..h...."..>.E
*Oct 07 15:08:24.405: 00000030: ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:24.405: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:24.405: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:24.405: 00000060: 00 00 00                                          ...
*Oct 07 15:08:25.316: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:25.317: 00000000: 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 ..._............
*Oct 07 15:08:25.317: 00000010: 01 3e 5d 2a e3 2a c2 22 71 0b 06 e8 42 6c 3c bf .>]*.*."q...Bl<.
*Oct 07 15:08:25.317: 00000020: 45 1e 5c e7 a1 68 ae 0c c0 9f 22 ce 0c 3e 96 45 E.\..h...."..>.E
*Oct 07 15:08:25.317: 00000030: ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:25.317: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:25.317: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:25.317: 00000060: 00 00 00                                          ...
*Oct 07 15:08:26.317: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:26.317: 00000000: 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 ..._............
*Oct 07 15:08:26.317: 00000010: 02 3e 5d 2a e3 2a c2 22 71 0b 06 e8 42 6c 3c bf .>]*.*."q...Bl<.
*Oct 07 15:08:26.317: 00000020: 45 1e 5c e7 a1 68 ae 0c c0 9f 22 ce 0c 3e 96 45 E.\..h...."..>.E
*Oct 07 15:08:26.317: 00000030: ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:26.317: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:26.317: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:26.317: 00000060: 00 00 00                                          ...
*Oct 07 15:08:27.753: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:27.753: 00000000: 01 00 00 30 01 01 00 30 01 00 6e 65 74 77 6f 72 ...0...0..networ
*Oct 07 15:08:27.753: 00000010: 6b 69 64 3d 57 57 53 33 30 30 2c 6e 61 73 69 64 kid=TES300,nasid
*Oct 07 15:08:27.753: 00000020: 3d 49 44 48 4f 4a 58 43 30 30 31 2c 70 6f 72 74 =IDHOJXC001,port
*Oct 07 15:08:27.753: 00000030: 69 64 3d 31                                            id=1
*Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 5) from mobile 00:19:7d:72:b4:3b
*Oct 07 15:08:27.760: 00000000: 01 01 00 00 00                                    .....
*Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:27.760: 00000000: 01 00 00 30 01 02 00 30 01 00 6e 65 74 77 6f 72 ...0...0..networ
*Oct 07 15:08:27.760: 00000010: 6b 69 64 3d 57 57 53 33 30 30 2c 6e 61 73 69 64 kid=TES300,nasid
*Oct 07 15:08:27.760: 00000020: 3d 49 44 48 4f 4a 58 43 30 30 31 2c 70 6f 72 74 =IDHOJXC001,port
*Oct 07 15:08:27.760: 00000030: 69 64 3d 31                                       id=1
*Oct 07 15:08:27.762: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
*Oct 07 15:08:27.762: 00000000: 01 00 00 25 02 01 00 25 01 68 6f 73 74 2f 49 44 ...%...%.host/ID
*Oct 07 15:08:27.762: 00000010: 31 30 2d 30 41 46 4a 30 33 31 2e 65 75 63 2e 6e 10-0AFJ031.euc.t
*Oct 07 15:08:27.762: 00000020: 65 73 74 6c 65 2e 63 6f 6d                       est01.com
*Oct 07 15:08:27.764: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
*Oct 07 15:08:27.764: 00000000: 01 00 00 25 02 02 00 25 01 68 6f 73 74 2f 49 44 ...%...%.host/ID
*Oct 07 15:08:27.764: 00000010: 31 30 2d 30 41 46 4a 30 33 31 2e 65 75 63 2e 6e 10-0AFJ031.euc.t
*Oct 07 15:08:27.764: 00000020: 65 73 74 6c 65 2e 63 6f 6d                       est01.com
*Oct 07 15:08:27.765: AuthenticationRequest: 0x1ad0b36c

Thanks for your reply jedubois
Really appreciate it.
I have tried to change the value for EAPOL-Key Timeout, still the client won't connect.
Below are the outputs for the eap advanced config
(Cisco Controller) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 5000
EAPOL-Key Max Retries............................ 2
(Cisco Controller) >
Any other suggestion?

WLC 4400: EAP-TLS

Good day!
I tried to set up the EAP-TLS according to
- http://cciew.wordpress.com/2010/06/10/eap-tls-on-the-wlc/
- http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
- Jeremy video about EAP-TLS
The main question is about certificates.
Tell me if I am wrong - There are two types of certificates that we need to upload to the WLC:
1) Device certificate - this is quite clear, OpenSSL, Certificate Request and e.t.c.
2) CA Root certificate - if there is only one CA Root than clear, but if we have the following chain
Root CA -> Intermediate CA -> WLC
a) Do we need to upload the whole chain "Root CA -> Intermediate CA" to the WLC ?
b) If yes, what format is it going to be? maybe smth like this
------BEGIN CERTIFICATE------
*Intermediate CA cert *
------END CERTIFICATE--------
------BEGIN CERTIFICATE------
*Root CA cert *
------END CERTIFICATE------

Nicolas, thank you for your reply!
1)
I've already seen the article, but now notice some interesting fact:
"Note: Chained certificates are supported for web authentication only; they are not supported for the management certificate."
Regarding this note, do we need to bundle any certificates for EAP-TLS scheme?
2)
On the WLC we have an opportunity to download two types of Certificates:
- Vendor Device Certificate - it is made of CSR request and then uploaded to the WLC in .pem format
- Vendor CA Certificate - this is more interesting:
Yesterday I bundled Root and Intermediate CA Certificates in one .pem file, then uploaded it to the WLC as "Vendor CA Certificate" - the result was suсcessful! During the EAP-TLS auth process SSL Handshake completed sucessfully and I connected to my EAP WLAN!
In the controller Client Properties I saw the EAP TLS>
Everything seems to be ok, strange...
May be, the chain of Root and Intermediate CA Certificates is the redundant information, but the scheme seems to be working!

How to configure EAP-TLS OTA

Hello, I am trying to configure wi-fi setting OTA on iPhone/iPad. The certificate enrolment goes thru fine and the device signs the final request with newly acquired certificate. I am stuck in the last phase i.e. pushing the final mobileconfig containing EAP-TLS setting. It seems the configuration is accepted even though it is not signed or encrypted. Also, the configuration includes the root CA certificate which issued the device certificate as well as identity certificate (which is the newly issued certificate) for EAP-TLS setting . The device complains about not able to connect using the pushed profile. Is it okay to send root CA certificate in the mobileconfig and will it be trusted? Also, what is the encoding format for the certificate?
Thanks for any help.

Here is how it's work for me :
server radius configured to EAP with certificate authentication (not PEAP or anything else)
send USER certificate by email (run certmgr.msc > personal certificate > the one with your name > export with private key)
retrieve it on your iphone, click on it and install it on iphone
in the wifi connection tab, enter your username, and choose in 'mode" : EAP-TLS
in identity choose your user certificate.
It will connect and ask you to trust the authentication server certificate
putting root CA doesn't trust the authentication server for me in later IOS version (after 4.1)

LEAP EAP-TLS on WLC

Hi,
I need to deploy certificate based authentication for some Intermec client devices for a customer. I am planning to use a separate SSID for this. There are other already existing SSID's which have radius based authentication.
question : if i dont select any radius server for this eap tls ssid and select only 'LEAP' , will it work ? Or will the WLC still search for the already defined radius servers and fail authentication ?
question2 : if above is not possible, i will have to go for eap tls with ACS . anybody has got easy steps to get eap tls up and running ? (LAP 1252, wlc 4400, acs 4.1, windows CA )
regards
Joe

wireless wlc,
The WLC side and the radius side is basically setup the same as you would for PEAP. The only difference is if your policy you create in the radius specifies a certain eap type. If not, then you don't have to worry about that. The main thing is that you have a valid computer cert and users cert. You can verify this by the device wireless profile and on Windows 7 you select user authentication or computer authentication. If one works and the other doesn't, then you knop which cert is missing. Selecting user and computer will check for both. Vlaidat server certificate should only be cheked if the CA is in the Trusted Server Certificate Store. The CA must be trusted on the domain controller and the IAS, NPS server also.

EAP-TLS & Unknown User Policy

I setting up an WLC with the client using EAP-TLS (machine authentication only). We are using ACS 3.2 which is part of AD. The problem is that the ACS is being used to authorize users for Internet Access also.
So if I enable the Unknown User Policy to AD for EAP-TLS machine authentication, this will break what is being done for Internet Access.
Any ideas that don't include entering every machine and user name in the local database? I was wondering if I could setup a wildcard user of host/* that points to AD.
Is there a way to make this work without configuring the Unknown user policy to point to AD?
Thank you!

Log onto the ACS server itself as the local administrator.
Browse to the Bin directory in the ACS program directory.
Run the program there called CSSupport.
Select "Run Wizard" and click Next.
Check all the boxes and create the file for last 3 days and clickNext.
Again click Next.
Select "Set Diagnostic Log Verbosity to Maximum." and click Next.
Click Next, then click Finish.
In an environment where there is more than one global catalog server for the domain, ACS will not search for the secondary" catalog server if the "primary" goes down.
Condition: ACS is installed on a domain member server.
Workaround: Re-start csauth.exe.Let me know if restarting CSAuth makes any difference

ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake after a client alert

Hello,
Has anyone come across this error code before? I have looked in the 1.1.1 troubleshooting section and there is nothing there. When I click on the link for the description off the error in ISE I get the following error:
I setup 7925 phones for EAP-TLS using MIC. I have uploaded Cisco's Root CA and Manufactoring CA Certificates and enabled "Trust for client authentication". A Certificate Profile is configured matching Common Name and is added to the Identity Sequence. I got some additional attribute information, where there is a error message:
OpenSSLErrorMessage=SSL alert code=0x233=563 ; source=remote ; type=fatal ; message="decrypt error"
Anyone know what this error means?

Yes,
That could be it see if you can follow this guide on importing the ISE self signed cert: (i used a 7921 guide but it should be similar).
http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/7_0/english/administration/guide/7921cfgu.html#wp1376129
Installing the Authentication Server Root Certificate
The Authentication Server Root Certificate must be installed on the Cisco Unified Wireless IP Phone 7921G.
To install the certificate, follow these steps:
Step 1 Export the Authentication Server Root Certificate from the ACS. See Exporting Certificates from the ACS.
Step 2 Go to the phone web page and choose Certificates.
Step 3 Click Import next to the Authentication Server Root certificate.
Step 4 Restart the phone.
Thanks,
Tarik Admani
*Please rate helpful posts*

WLC configuration for EAP-TLS

Similar Messages

Maybe you are looking for