New Member

Cisco ISE authentication failed for Win XP SP3

Hello,

I have some trouble with Win XP wired client authentication. With Win7 everything works well.

ISE 1.2 (patch 4)

Switch: 2960 / 2960S (15.0.(2)SE2)

Authentication details:

Event:

5400 Authentication failed:

Failure Reason

11514 Unexpectedly received empty TLS message; treating as a rejection by the client

Resolution

Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!

Root cause

While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.

I tried to disable "Validate server certificates" on the Win XP clients, but it won't work for me.

Adding the ISE self-signed certificate to the clients' Trusted Root Certification Authorities and enabling "Validate server certificates" also won't work.

Any idea?

thanks
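
Added example (not part of the original post, and not Cisco code): a small Python classifier for the supplicant's EAP-TLS/PEAP responses, useful when reading a packet capture to tell an empty response from a TLS alert or handshake data. It assumes that the "empty TLS message" in failure 11514 corresponds to an EAP response carrying no TLS data; the sample packets are constructed, not captured.

```python
import struct

EAP_RESPONSE = 2
EAP_TYPE_TLS, EAP_TYPE_PEAP = 13, 25
FLAG_LENGTH, FLAG_MORE = 0x80, 0x40
TLS_ALERT, TLS_HANDSHAKE = 21, 22
ALERTS = {42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}

def classify_response(pkt: bytes) -> dict:
    """Classify the TLS payload of one EAP-TLS/PEAP response from a supplicant."""
    if len(pkt) < 6:
        raise ValueError("too short for an EAP-TLS/PEAP packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
    if code != EAP_RESPONSE or eap_type not in (EAP_TYPE_TLS, EAP_TYPE_PEAP):
        raise ValueError("not an EAP-TLS/PEAP response")
    if not 6 <= length <= len(pkt):
        raise ValueError("EAP length field does not match the packet")
    body = pkt[6:length]
    if flags & FLAG_LENGTH:  # a 4-byte TLS message length precedes the data
        if len(body) < 4:
            raise ValueError("L flag set but TLS message length is missing")
        body = body[4:]
    info = {"id": ident, "more_fragments": bool(flags & FLAG_MORE),
            # PEAP carries its version in the low-order bits of the flags byte
            "peap_version": flags & 0x07 if eap_type == EAP_TYPE_PEAP else None}
    if not body:
        # Normal as an ACK of a server fragment; a rejection signal only when
        # the server was waiting for handshake data (the 11514 case).
        info["kind"] = "empty"
    elif body[0] == TLS_ALERT and len(body) >= 7:
        info["kind"] = "alert"
        info["level"] = {1: "warning", 2: "fatal"}.get(body[5], "unknown")
        info["description"] = ALERTS.get(body[6], str(body[6]))
    elif body[0] == TLS_HANDSHAKE:
        info["kind"] = "handshake"
    else:
        info["kind"] = "other"
    return info

# Constructed sample packets (not taken from the poster's network).
EMPTY_PEAP = bytes.fromhex("020500061900")
ALERT_PEAP = bytes.fromhex("0206000d1900" "15030100020230")
HANDSHAKE_PEAP = bytes.fromhex("020700131980" "00000009" "160301000410000000")

if __name__ == "__main__":
    for name, pkt in [("empty", EMPTY_PEAP), ("alert", ALERT_PEAP),
                      ("handshake", HANDSHAKE_PEAP)]:
        print(name, classify_response(pkt))
```

An empty response that arrives right after ISE has sent its complete certificate message, with no alert following, matches the XP behaviour the Root cause text describes.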

16 REPLIES
New Member

Re: Cisco ISE authentication failed for Win XP SP3

Does the default network access allow PEAP v0? Seems I had to enable that for XP.

Sent from Cisco Technical Support iPad App

New Member

Re: Cisco ISE authentication failed for Win XP SP3

Thanks, that's a good point. It wasn't enabled, but it doesn't solve my problem.

Re:Cisco ISE authentication failed for Win XP SP3

Are you using group policies to hand down the network settings? If so are you using gpmc 2012?

Thanks


Sent from Cisco Technical Support Android App

Tarik Admani *Please rate helpful posts*
New Member

Re:Cisco ISE authentication failed for Win XP SP3

We are using Win Server 2008 for the XP clients and Win Server 2008 R2 for the Win 7 clients for GPO rollout.

Cisco ISE authentication failed for Win XP SP3

I have seen issues with the group policy configuration on Windows 2008 R2 as well. Let me know if you can confirm the version; here is a thread that will help.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/aff2db25-f8fd-41d0-8c87-1fd7bd849ebb/validate-server-certificate-group-policy-xp-sp3-cant-uncjeck-option?forum=winserverGP

Thanks,

Tarik Admani *Please rate helpful posts*
Cisco Employee

Cisco ISE authentication failed for Win XP SP3

If this is Windows XP SP3, see if the following hotfix is installed:

http://support.microsoft.com/kb/960655

If it is not installed, install it and restart the XP machine. See if the issue is still present.

New Member

Cisco ISE authentication failed for Win XP SP3

@Tarik Admani: We saw the issue described in your link. Because of that we set up a Win 2008 server for the XP clients.

@Robert Salazar: Thanks, I'll check if this hotfix is installed.

New Member

Cisco ISE authentication failed for Win XP SP3

The hotfix is installed, but the issue is still present.

Clients and ISE are configured to do both user and machine authentication.

Maybe Win XP can only run machine authentication?

Many Thanks

New Member

Cisco ISE authentication failed for Win XP SP3

What certificate is in play here?  The XP machine should have a root certificate and be able to trust the ISE certificate.  When I saw the "11514 Unexpectedly received empty TLS message; treating as a rejection by the client" message, it was a certificate issue.  In XP's Protected EAP Properties I would look to make sure that the root certificate that signed the ISE ID certificate is selected.  Have you verified that?


New Member

Cisco ISE authentication failed for Win XP SP3

The ISE uses a self-signed certificate. I added this self-signed certificate to the clients' "Trusted Root Certification Authorities", enabled "Validate server certificates" in the EAP properties and selected the added certificate from the trust list. But if I uncheck "Validate server certificates", I see the same error message as well.

Are there any differences between the XP client config and the Win7 client config?

thanks,

New Member

Cisco ISE authentication failed for Win XP SP3

If you use XP there is a process you have to go through to enable machine authentication.  Otherwise you're going to use user authentication.

http://support.microsoft.com/kb/929847

I'm not sure what you're running into with the certificate, but maybe try to set up a Windows CA and enroll ISE with it. It's not that difficult to lab that up.

dal
New Member

Re: Cisco ISE authentication failed for Win XP SP3

Hi.

Under Administration -> Certificates -> Local Certificates, find your self-signed certificate, and click edit.

Under protocols, is "EAP: Use certificate for EAP protocols that use SSL/TLS tunneling" checked?

- Øystein

New Member

Re: Cisco ISE authentication failed for Win XP SP3

Yes it's checked.

Sent from Cisco Technical Support iPhone App

dal
New Member

Re: Cisco ISE authentication failed for Win XP SP3

I have never tried certificate authentication with a self-signed certificate before.

But in my mind, this is what you need:

- a CA certificate

- a client certificate issued to ISE, typically a web server certificate

- at least a machine certificate for the client.

The certificates for both ISE and the client must be issued from the same CA.

The CA certificate also needs to be installed on both ISE and the client.

New Member

Re: Cisco ISE authentication failed for Win XP SP3

Maybe that wasn't clear at all. Client wired authentication is done with PEAP, so I don't need a client machine certificate. The client only needs an ISE certificate (the self-signed one in my case) because "Validate server certificates" is checked.

New Member

Cisco ISE authentication failed for Win XP SP3

Are you able to get your hands on a different machine to test? I think the Russian settings are what is causing the confusion for me in understanding the supplicant settings. I do not have my hands on an XP client, but see if you can use either machine or user authentication and see if that changes your luck.
