802.1x with EAP-TLS Fails on Wired

Unanswered Question
Oct 26th, 2009
User Badges:

Dear Colleagues,


I am currently encountering an issue which does not seem to make sense to me and hence checking if anyone of you have come across the same or can provide further input on how to proceed...


Setup :

1. Radius Server - Cisco ACS 1113 Engine

2. Authenticator - Cisco 6509 Switch

3. Supplicant - Windows XP SP2/3


Problem:


1. Supplicants fail to authenticate using EAP-TLS as the authentication method.



Errors Seen:


1. Cisco ACS Reports - Authen session timed out: Supplicant did not respond to ACS correctly. Check supplicant configuration.


2. Cisco Switch Reports - dot1x-err(Gi3/39): Invalid Eapol packet length = 1490


3. Supplicant Reports when Trace enabled in the RASTLS file - “>> Received Failure (Code: 4) packet: Id: 8, Length: 4, Type: 0, TLS blob length: 0. Flags:” and “Code 4 unexpected in state SentFinished”



Other Information:


1. Wireless Clients using the windows supplicant and EAP-TLS connect without any issue.


2. ACS has certificates issued by 3rd Party Root CA - Geotrust.


3. Clients have Certs issued by clients own CA infrastructure.


4. ACS has the clients Root CA cert in the trust list and hence why the wireless users work.


5. PEAP works fine on wired.



Any pointers appreciated. Happy to share logs from Switch / Supplicant and ACS if needed.


Thanks


Volven

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Actions

This Discussion