802.1x with EAP-TLS Fails on Wired

volven.didata
Level 1

Dear Colleagues,

I am currently encountering an issue which does not seem to make sense to me, and hence I am checking whether any of you have come across the same or can provide further input on how to proceed...

Setup:

1. Radius Server - Cisco ACS 1113 Engine

2. Authenticator - Cisco 6509 Switch

3. Supplicant - Windows XP SP2/3

Problem:

1. Supplicants fail to authenticate using EAP-TLS as the authentication method.

Errors Seen:

1. Cisco ACS Reports - Authen session timed out: Supplicant did not respond to ACS correctly. Check supplicant configuration.

2. Cisco Switch Reports - dot1x-err(Gi3/39): Invalid Eapol packet length = 1490

3. Supplicant Reports when Trace enabled in the RASTLS file - “>> Received Failure (Code: 4) packet: Id: 8, Length: 4, Type: 0, TLS blob length: 0. Flags:” and “Code 4 unexpected in state SentFinished”

Other Information:

1. Wireless Clients using the windows supplicant and EAP-TLS connect without any issue.

2. ACS has certificates issued by 3rd Party Root CA - Geotrust.

3. Clients have certs issued by the clients' own CA infrastructure.

4. ACS has the clients' Root CA cert in the trust list, which is why the wireless users work.

5. PEAP works fine on wired.

Any pointers appreciated. Happy to share logs from Switch / Supplicant and ACS if needed.

Thanks

Volven

2 Replies

trdheeraj
Level 1

Hi,

A failure code 4 indicates that the RADIUS server receives an accounting request on an authentication port. By RFC, all authentication requests should go to port 1812 and accounting requests should go to 1813.

Hello Dheeraj, that does not seem to be the case, as the radius configs are set on the Switch and not on the end points.

A quick update to my situation though....

1. Windows XP Supplicant connected behind a Cisco IP Phone does not work with EAP-TLS (certificates) but works fine when PEAP is used as the auth method.

2. Windows XP Supplicant connected without the IP Phone on the same port works fine with EAP-TLS.

3. Juniper Supplicant connected behind a Cisco IP Phone works fine with EAP-TLS.

4. The error seen on the switch when EAP-TLS authentication is attempted by the Windows supplicant while connected behind the IP Phone - “dot1x-err (port number of the switch): Invalid EAPOL packet length = 1490”

Seems to me like an MTU issue, however not sure how to address that...

Thanks

Volven
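As an added example (not from this thread or from Cisco), the Python below parses an EAPOL frame carrying EAP or EAP-TLS and checks the header lengths against an assumed link payload budget, which is the kind of consistency check behind a switch message such as "Invalid EAPOL packet length". The sample frames are constructed: an EAP Failure matching the RASTLS trace ("Code: 4, Id: 8, Length: 4") and an EAP-TLS fragment whose EAPOL length is 1490; the 1500-byte default budget is an assumption, not the switch's actual limit.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
EAP_TYPE_TLS = 13                                                         # RFC 5216

def parse_eapol(frame: bytes, max_payload: int = 1500) -> dict:
    """Describe an EAPOL frame (Ethernet header already stripped) and list length problems."""
    problems = []
    if len(frame) < 4:
        return {"problems": ["EAPOL header truncated"]}
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    info = {"eapol_version": version, "eapol_type": ptype, "eapol_len": body_len, "problems": problems}
    # The EAPOL body must fit both in the bytes actually received and in the link payload budget.
    if body_len > len(frame) - 4:
        problems.append(f"EAPOL length {body_len} exceeds bytes present ({len(frame) - 4})")
    if 4 + body_len > max_payload:
        problems.append(f"EAPOL frame of {4 + body_len} bytes exceeds payload budget {max_payload}")
    if ptype != 0:  # 0 = EAP-Packet; Start/Logoff/Key frames carry no EAP header
        return info
    body = frame[4:4 + body_len]
    if len(body) < 4:
        problems.append("EAP header truncated")
        return info
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    info.update(eap_code=EAP_CODES.get(code, f"unknown({code})"), eap_id=ident, eap_len=eap_len)
    if eap_len != body_len:
        problems.append(f"EAP length {eap_len} != EAPOL length {body_len}")
    # Success/Failure are header-only packets (length 4), like the Failure seen in the RASTLS trace.
    if code in (3, 4) or len(body) < 6:
        return info
    eap_type, flags = body[4], body[5]
    info["eap_type"] = eap_type
    if eap_type == EAP_TYPE_TLS:
        # EAP-TLS flag bits: L = TLS message length present, M = more fragments, S = EAP-TLS start
        info["tls_flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        if flags & 0x80 and len(body) >= 10:
            info["tls_total_len"] = struct.unpack("!I", body[6:10])[0]
    return info

def build_eap_tls_fragment(ident: int, tls_bytes: bytes, more: bool) -> bytes:
    """Constructed EAP-TLS Response fragment wrapped in EAPOL (first fragment: L set, M optional)."""
    flags = 0x80 | (0x40 if more else 0)
    eap_body = bytes([EAP_TYPE_TLS, flags]) + struct.pack("!I", len(tls_bytes)) + tls_bytes
    eap = struct.pack("!BBH", 2, ident, 4 + len(eap_body)) + eap_body  # code 2 = Response
    return struct.pack("!BBH", 1, 0, len(eap)) + eap                   # EAPOL v1, type 0 = EAP-Packet

# Constructed samples: the Failure packet from the trace, and a fragment with EAPOL length 1490.
FAILURE_FRAME = bytes([0x01, 0x00, 0x00, 0x04, 0x04, 0x08, 0x00, 0x04])
BIG_FRAGMENT = build_eap_tls_fragment(8, b"\x16\x03\x01" + b"\x00" * 1477, more=True)
```

Running `parse_eapol(BIG_FRAGMENT)` with the default budget reports no problem, while a smaller assumed budget (or a truncated capture) is flagged, which is how one would compare a captured frame against the path's real limit.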
