Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

[Cisco ACS 5.2] Windows XP - EAP-TLS error

Hi,

We used RADIATOR with Cisco WLC and Cisco AP in our WiFi architecture.

We just replaced RADIATOR with Cisco ACS 5.2 .

Few computers with Windows XP SP3 have this error : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client

Description:

While  trying to negotiate a TLS handshake with the client, ACS expected to  receive a non-empty TLS message or TLS alert message, but instead  received an empty TLS message. This could be due to an inconformity in  the implementation of the protocol between ACS and the supplicant. For  example, it is a known issue that the XP supplicant sends an empty TLS  message instead of a non-empty TLS alert message. It might also involve  the supplicant not trusting the ACS server certificate for some reason.  ACS treated the unexpected message as a sign that the client rejected  the tunnel establishment.

Resolution Steps :

Ensure  that the client's supplicant does not have any known compatibility  issues and that it is properly configured. Also ensure that the ACS  server certificate is trusted by the client, by configuring the  supplicant with the CA certificate that signed the ACS server  certificate. It is strongly recommended to not disable the server  certificate validation on the client!

Most of the computers (hundreds of Windows XP and Windows 7) got no problem.

ACS says "it is a known issue that the XP supplicant sends an empty TLS  message instead of a non-empty TLS alert message".

If it was a known issue, we would have this error for other computer but we don't have (fortunately )

Wireless profile is sent to computers using GPO so they trust ACS server certificate...

Do you know how to correct this issue on XP supplicant? I dont find this issue on Google

Thanks for your help,

Patrick

Everyone's tags (7)
4 REPLIES

[Cisco ACS 5.2] Windows XP - EAP-TLS error

Do you have any patches installed on your ACS.

Thanks

Tarik Admani

Tarik Admani *Please rate helpful posts*
New Member

[Cisco ACS 5.2] Windows XP - EAP-TLS error

Hi Tarik,

Patch 10 is installed on ACS 5.2.

Thanks for your help,

Patrick

[Cisco ACS 5.2] Windows XP - EAP-TLS error

Patrick,

One way to troubleshoot is to physically have one of the laptops and see if unchecking the box that validates the server certificate fixes the issue. I have seen the same issue as you are seeing before and I would like for you to verfiy that.

If that doesnt fix the issue then we will have to proceed to taking a wireshark of the client and running a few debugs on the ACS.

Thanks,

Tarik Admani

Tarik Admani *Please rate helpful posts*
New Member

[Cisco ACS 5.2] Windows XP - EAP-TLS error

Hi Tarik,

Thanks for your answer.

I cant physically have one of the laptops

I will try to contact one of the owners but I think they can't uncheck "validate server certificate" because WiFi profile is sent by GPO.

If I succeed to change this option, I will contact you again.

Thanks again,

Patrick

1824
Views
0
Helpful
4
Replies