Wireless clients empty TLS message via one WLC

Unanswered Question
Jul 15th, 2014
Hi all,

We have ACS 5.1, WLC 7.0.98.0 and EAP-TLS. Wireless clients trying to access the network via one of our WLC 5508s are not getting authenticated. I can see the following on ACS:

"11514 Unexpectedly received empty TLS message; treating as a rejection by the client"

which usually means certificate errors / CA problems but clients coming on via other controllers are fine. Any suggestions?

I saw another post which suggested checking the time and discovered that the controller in question was an hour out, as the time delta was not set the same as on the other controllers. However, correcting this has not helped.

Many Thanks

Scott

Jatin Katyal Tue, 07/15/2014 - 09:06

Could you please check the validity of the server/identity certificate on ACS 5.1?

To me it seems that the server certificate has expired.

What EAP flavor are you using, PEAP-MSCHAP?

 

Regards,

Jatin Katyal

**Do rate helpful posts**

 

mohanak Wed, 07/16/2014 - 01:42

Certificate-Based User Authentication via Supplicant Failing

Symptoms or Issue

User authentication is failing on the client machine, and the user is receiving a "RADIUS Access-Reject" form of message.

Conditions

(This issue occurs with authentication protocols that require certificate validation.)

Possible Authentications report failure reasons:

"Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client"

"Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate"

Click the magnifying glass icon from Authentications to display the following output in the Authentication Report:

12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12815 Extracted TLS Alert message
12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

Note: This is an indication that the client does not have or does not trust the Cisco ISE certificates.

Possible Causes

The supplicant or client machine is not accepting the certificate from Cisco ISE.

The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.
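As an added example, not from this thread or from Cisco, the triage in the post above can be automated: pull the five-digit step codes out of exported ACS/ISE authentication-report lines, classify each session by the codes quoted here (11514/12512 empty TLS message, 12815/12153 client TLS alert, 11003 Access-Reject), and count outcomes per controller so a failure confined to one WLC, as in the original question, stands out. The report lines and the controller names wlc-a and wlc-b are constructed samples.

```python
import re
from collections import Counter, defaultdict
STEP_RE = re.compile(r"^\s*(\d{5})\b")   # ACS/ISE report lines start with a 5-digit step code
# Step codes quoted in the thread and what they mean for triage
EMPTY_TLS = {"11514", "12512"}    # empty TLS record, treated as a rejection by the client
CLIENT_ALERT = {"12815", "12153"} # client sent a TLS alert rejecting the server certificate
REJECT = "11003"                  # RADIUS Access-Reject returned

def step_codes(report_lines):
    """Extract the step codes, in order, from authentication-report text."""
    return [m.group(1) for line in report_lines if (m := STEP_RE.match(line))]

def classify(report_lines):
    """Map one session's report to a triage outcome (most specific cause first)."""
    codes = set(step_codes(report_lines))
    if codes & CLIENT_ALERT:
        return "client-rejected-server-cert"  # client does not trust the ACS/ISE certificate
    if codes & EMPTY_TLS:
        return "empty-tls-message"            # client sent nothing back: check cert validity and time
    if REJECT in codes:
        return "rejected-other"
    return "no-reject"

def failures_per_wlc(sessions):
    """sessions: iterable of (wlc_name, report_lines) -> {wlc_name: Counter(outcome)}."""
    per_wlc = defaultdict(Counter)
    for wlc, lines in sessions:
        per_wlc[wlc][classify(lines)] += 1
    return dict(per_wlc)

# Constructed sample reports, modelled on the step sequences pasted in the thread
EMPTY_TLS_REPORT = [
    "12304 Extracted EAP-Response containing PEAP challenge-response",
    "11514 Unexpectedly received empty TLS message; treating as a rejection by the client",
    "12512 Treat the unexpected TLS acknowledge message as a rejection from the client",
    "11504 Prepared EAP-Failure",
    "11003 Returned RADIUS Access-Reject",
]
ALERT_REPORT = [
    "12104 Extracted EAP-Response containing EAP-FAST challenge-response",
    "12815 Extracted TLS Alert message",
    "12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate",
    "11504 Prepared EAP-Failure",
    "11003 Returned RADIUS Access-Reject",
]
OK_REPORT = ["11001 Received RADIUS Access-Request", "11006 Returned RADIUS Access-Challenge"]
# Hypothetical controller names: two clean sessions via wlc-a, two failing ones via wlc-b
SESSIONS = [("wlc-a", OK_REPORT), ("wlc-a", OK_REPORT),
            ("wlc-b", EMPTY_TLS_REPORT), ("wlc-b", ALERT_REPORT)]
```

If every failure lands under a single controller, that points at that WLC's clock or its path to the RADIUS server rather than at the client certificates.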
