I have some trouble with this Win XP wired client authentication. With Win7 everything works well.
ISE 1.2 (patch 4)
Switch: 2960 / 2960S (15.0(2)SE2)
5400 Authentication failed:
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Root cause While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
I tried disabling "Validate server certificate" on the Win XP clients, but it doesn't work for me.
Adding the ISE self-signed certificate to the clients' Trusted Root Certification Authorities and enabling "Validate server certificate" also doesn't work.
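The 11514 text above turns on one detail of the EAP exchange: when the PEAP tunnel is being built, ISE expects the supplicant to answer either with TLS handshake data or with a TLS alert record, and it treats a response that carries no TLS data at all as the client rejecting the tunnel. The decoder below, an added example that is not part of this thread or of any Cisco tool, shows the difference on the wire: it parses EAP packets of type 25 (PEAP) or 13 (EAP-TLS), labels each one, and flags an empty client response as "unexpected" only when the server's previous message was not a fragment waiting for an acknowledgement (an empty response is the normal ACK in that case). The packets in SAMPLE_EXCHANGE are constructed for the demo; the handshake record in the last one is a stub, not a real ClientHello.

```python
"""Decode EAP-PEAP/EAP-TLS packets and spot the 'empty TLS message' case.

Added example (not from the original thread). The sample bytes are
constructed to illustrate the packet layout; they were not captured from ISE.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS, EAP_TYPE_PEAP = 13, 25
FLAG_LENGTH_INCLUDED, FLAG_MORE_FRAGMENTS, FLAG_START, VERSION_MASK = 0x80, 0x40, 0x20, 0x07
TLS_ALERT, TLS_HANDSHAKE = 0x15, 0x16
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
                      70: "protocol_version"}


@dataclass
class EapTlsMessage:
    code: str            # Request / Response / Success / Failure
    identifier: int
    eap_type: int        # 13 = EAP-TLS, 25 = PEAP, 0 for Success/Failure
    peap_version: int    # low 3 bits of the flags byte
    start: bool          # S flag: server opens the TLS conversation
    more_fragments: bool # M flag: peer must ACK with an empty message
    tls_data: bytes      # TLS record bytes carried in this packet


def parse_eap(packet: bytes) -> EapTlsMessage:
    """Parse one EAP packet: code(1) id(1) length(2) [type(1) flags(1) [tls_len(4)] data]."""
    if len(packet) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP length field {length} != packet size {len(packet)}")
    if code in (3, 4):  # Success / Failure carry no type or payload
        return EapTlsMessage(EAP_CODES[code], ident, 0, 0, False, False, b"")
    if code not in EAP_CODES or len(packet) < 6:
        raise ValueError("EAP Request/Response without type and flags")
    eap_type, flags = packet[4], packet[5]
    if eap_type not in (EAP_TYPE_TLS, EAP_TYPE_PEAP):
        raise ValueError(f"not an EAP-TLS/PEAP packet (type {eap_type})")
    offset = 6
    if flags & FLAG_LENGTH_INCLUDED:  # 4-byte total TLS length precedes the data
        if len(packet) < 10:
            raise ValueError("L flag set but TLS length field missing")
        offset = 10
    return EapTlsMessage(EAP_CODES[code], ident, eap_type, flags & VERSION_MASK,
                         bool(flags & FLAG_START), bool(flags & FLAG_MORE_FRAGMENTS),
                         packet[offset:])


def classify(msg: EapTlsMessage) -> str:
    """Human-readable label for what the TLS layer of this EAP packet carries."""
    if msg.code in ("Success", "Failure"):
        return msg.code
    if msg.start:
        return f"PEAP start (v{msg.peap_version})"
    if not msg.tls_data:
        return "empty TLS message"
    content_type = msg.tls_data[0]
    if content_type == TLS_ALERT:
        if len(msg.tls_data) < 7:  # type(1) version(2) length(2) level(1) description(1)
            return "truncated TLS alert"
        level, desc = msg.tls_data[5], msg.tls_data[6]
        return f"TLS alert ({ALERT_LEVELS.get(level, level)}: {ALERT_DESCRIPTIONS.get(desc, desc)})"
    if content_type == TLS_HANDSHAKE:
        return "TLS handshake data"
    return f"TLS record type 0x{content_type:02x}"


def classify_exchange(packets: List[bytes]) -> List[str]:
    return [classify(parse_eap(p)) for p in packets]


def find_unexpected_empty(packets: List[bytes]) -> Optional[int]:
    """Index of the first client Response with no TLS data that is NOT a fragment ACK.

    An empty Response right after a server Request with the M flag is a normal
    acknowledgement; an empty Response anywhere else is the 11514 condition.
    """
    previous = None
    for i, raw in enumerate(packets):
        msg = parse_eap(raw)
        if msg.code == "Response" and not msg.start and not msg.tls_data:
            if previous is None or not previous.more_fragments:
                return i
        previous = msg
    return None


# Constructed sample exchange (hex): server Start, XP-style empty reply,
# a well-behaved client's fatal unknown_ca alert, and a stub handshake fragment.
SAMPLE_EXCHANGE = [
    bytes.fromhex("010100061920"),                          # Request, PEAPv0, S flag
    bytes.fromhex("020100061900"),                          # Response with no TLS data
    bytes.fromhex("0202000d190015030100020230"),            # Response: alert fatal/unknown_ca (48)
    bytes.fromhex("02030014198000000000a16030100050100000100".replace("00000000a", "0000000a")),
]

if __name__ == "__main__":
    for raw, label in zip(SAMPLE_EXCHANGE, classify_exchange(SAMPLE_EXCHANGE)):
        print(raw.hex(), "->", label)
    print("unexpected empty response at index:", find_unexpected_empty(SAMPLE_EXCHANGE))
```

Run against a real capture you would feed the EAP payload bytes pulled out of the RADIUS EAP-Message attributes (or from the EAPOL frames on the switch port) instead of SAMPLE_EXCHANGE; a supplicant that distrusts the server certificate should produce the alert in packet three, while the behaviour ISE complains about looks like packet two.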
Does the default network access allow PEAP v0? Seems I had to enable that for XP.
Are you using group policies to hand down the network settings? If so are you using gpmc 2012?
I have seen issues with the group policy configuration on Windows 2008 R2 as well. Let me know if you can confirm the version; here is a thread that will help.
If this is Windows XP SP3, see if the following hotfix is installed:
If not installed then install it and restart the xp machine. See if the issue is still present.
@Tarik Admani: We saw the issue described in your link. Because of that we set up a Windows 2008 server for the XP clients.
@Robert Salazar: Thanks, I'll check if this hotfix is installed.
Hotfix is installed, but issue is still present.
Clients and ISE are configured to do both user and machine authentication.
Maybe Win XP can only run machine authentication?
What certificate is in play here? The XP machine should have a root certificate and be able to trust the ISE certificate. When I saw the "11514 Unexpectedly received empty TLS message; treating as a rejection by the client" message, it was a certificate issue. In XP's Protected EAP Properties I would look to make sure that the root certificate that signed the ISE ID certificate is selected. Have you verified that?
The ISE uses a self-signed certificate. I added this self-signed certificate to the clients' "Trusted Root Certification Authorities", enabled "Validate server certificate" in the EAP properties and selected the added certificate from the trust list. But if I uncheck "Validate server certificate", I see the same error message as well.
Are there any differences between xp client config and win7 client config?
If you use XP there is a process you have to go through to enable machine authentication. Otherwise you're going to use user authentication.
I'm not sure what you're running into with the certificate, but maybe try to setup a windows CA and enroll ISE with it. It's not that difficult to lab that up.
Under Administration -> Certificates -> Local Certificates, find your self-signed certificate and click Edit.
Under protocols, is EAP: Use certificate for EAP protocols that use SSL/TLS tunneling checked?
I have never tried certificate authentication with a self signed certificate before.
But in my mind, this is what you need:
- a CA certificate
- a client certificate issued to ISE, typically a web server certificate
- at least a machine certificate for the client.
The certificates for both ISE and the client must be issued from the same CA.
The CA certificate also needs to be installed on both ISE and the client.
Maybe that wasn't clear at all. Client wired authentication is done with PEAP, so I don't need a client machine certificate. The client only needs the ISE certificate (the self-signed one in my case) because "Validate server certificate" is checked.
Are you able to get your hands on a different machine to test? I think the Russian settings are what is causing the confusion for me in understanding the supplicant settings. I do not have my hands on an XP client, but see if you can use either machine or user authentication and see if that changes your luck.