Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Problem with EAP-TLS authentication

Experts,

I'm struggling to find an issue with the EAP-TLS authentication. It seems the AAA sends the request for the client certs three times and then ends the conversation. I verified that the client sends the certificates. The obvious conclusion is that the client certs are somehow incorrect but how do I debug a problem like this? (AAA log below)

Any assistance appreciated.

Chris

AAA log:

May 18 14:55:25 ss-aaa-01 radiusd[26593]: [ID 376206 local1.info] INFO RADOP(147) auth for 001D88093B2C@clearwire-wmx.net from 127.0.0.2[] challenged: Sending TLS start for EAP-Type=TLS to client.

May 18 14:55:25 ss-aaa-01 radiusd[26593]: [ID 929614 local1.notice] NTCE RADOP(271) Performing OTA provisioning for user 001D88093B2C from 127.0.0.2[]

May 18 14:55:25 ss-aaa-01 radiusd[26593]: [ID 695967 local1.info] INFO RADOP(23) auth for 001D88093B2C@clearwire-wmx.net from 172.27.134.249[] via proxy 127.0.0.2[samsung-strip-keys-mppe] (RTT=9) challenged.

May 18 14:55:26 ss-aaa-01 radiusd[26593]: [ID 447184 local1.info] INFO RADOP(149) auth for 001D88093B2C@clearwire-wmx.net from 127.0.0.2[] challenged: Entering TLS state=certificate request for EAP-type=TLS

May 18 14:55:26 ss-aaa-01 radiusd[26593]: [ID 695967 local1.info] INFO RADOP(23) auth for 001D88093B2C@clearwire-wmx.net from 172.27.134.249[] via proxy 127.0.0.2[samsung-strip-keys-mppe] (RTT=125) challenged.

May 18 14:55:27 ss-aaa-01 radiusd[26593]: [ID 727110 local1.info] INFO RADOP(148) auth for 001D88093B2C@clearwire-wmx.net from 127.0.0.2[] challenged: Sending next fragment for EAP-Type=TLS to client.

May 18 14:55:27 ss-aaa-01 radiusd[26593]: [ID 695967 local1.info] INFO RADOP(23) auth for 001D88093B2C@clearwire-wmx.net from 172.27.134.249[] via proxy 127.0.0.2[samsung-strip-keys-mppe] (RTT=9) challenged.

May 18 14:55:28 ss-aaa-01 radiusd[26593]: [ID 727110 local1.info] INFO RADOP(148) auth for 001D88093B2C@clearwire-wmx.net from 127.0.0.2[] challenged: Sending next fragment for EAP-Type=TLS to client.

May 18 14:55:28 ss-aaa-01 radiusd[26593]: [ID 695967 local1.info] INFO RADOP(23) auth for 001D88093B2C@clearwire-wmx.net from 172.27.134.249[] via proxy 127.0.0.2[samsung-strip-keys-mppe] (RTT=9) challenged.

2 REPLIES
New Member

Re: Problem with EAP-TLS authentication

attached a more detailed trace log.

Cisco Employee

Re: Problem with EAP-TLS authentication

Chris,

As per your query,  we require certificate on client, if we want to deploy EAP-TLS. Basically there are 3 certificates in this scenerio.


[1] CA root certificate

[2] Server Certificate (Issued by same CA)

[3] Client Certificate (Issued by same CA)



[1] and [2] need to be installed on ACS server.

[1] and [3] need to be installed on Client.



In this method, Server will first validate client by verifying that it has a valid certificate issued by CA. Then Client will validate certificate issued to ACS server by CA. After that a session will be created, and all communication will take place between ACS and client through an encrypted tunnel.


Since this is not working in your scenarion then you need to upload the package.cab file from the ACS for the RCA. Do you see "SSL handshake failure error message in the ACS reports and activity > failed attempts.


If you are not aware how to generate package.cab file from the ACS on full logging level then please let me know what platform are we running on, Is that ACS appliance or ACS windows, I will send you the steps.


You may go through the below listed guide

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml


HTH


JK


Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
347
Views
0
Helpful
2
Replies
CreatePlease to create content