Problem with EAP-TLS authentication

Experts,

I'm struggling to find an issue with the EAP-TLS authentication. It seems the AAA sends the request for the client certs three times and then ends the conversation. I verified that the client sends the certificates. The obvious conclusion is that the client certs are somehow incorrect but how do I debug a problem like this? (AAA log below)

Any assistance appreciated.

Chris

AAA log:

May 18 14:55:25 ss-aaa-01 radiusd[26593]: [ID 376206 local1.info] INFO RADOP(147) auth for 001D88093B2C@clearwire-wmx.net from 127.0.0.2[] challenged: Sending TLS start for EAP-Type=TLS to client.

May 18 14:55:25 ss-aaa-01 radiusd[26593]: [ID 929614 local1.notice] NTCE RADOP(271) Performing OTA provisioning for user 001D88093B2C from 127.0.0.2[]

May 18 14:55:25 ss-aaa-01 radiusd[26593]: [ID 695967 local1.info] INFO RADOP(23) auth for 001D88093B2C@clearwire-wmx.net from 172.27.134.249[] via proxy 127.0.0.2[samsung-strip-keys-mppe] (RTT=9) challenged.

May 18 14:55:26 ss-aaa-01 radiusd[26593]: [ID 447184 local1.info] INFO RADOP(149) auth for 001D88093B2C@clearwire-wmx.net from 127.0.0.2[] challenged: Entering TLS state=certificate request for EAP-type=TLS

May 18 14:55:26 ss-aaa-01 radiusd[26593]: [ID 695967 local1.info] INFO RADOP(23) auth for 001D88093B2C@clearwire-wmx.net from 172.27.134.249[] via proxy 127.0.0.2[samsung-strip-keys-mppe] (RTT=125) challenged.

May 18 14:55:27 ss-aaa-01 radiusd[26593]: [ID 727110 local1.info] INFO RADOP(148) auth for 001D88093B2C@clearwire-wmx.net from 127.0.0.2[] challenged: Sending next fragment for EAP-Type=TLS to client.

May 18 14:55:27 ss-aaa-01 radiusd[26593]: [ID 695967 local1.info] INFO RADOP(23) auth for 001D88093B2C@clearwire-wmx.net from 172.27.134.249[] via proxy 127.0.0.2[samsung-strip-keys-mppe] (RTT=9) challenged.

May 18 14:55:28 ss-aaa-01 radiusd[26593]: [ID 727110 local1.info] INFO RADOP(148) auth for 001D88093B2C@clearwire-wmx.net from 127.0.0.2[] challenged: Sending next fragment for EAP-Type=TLS to client.

May 18 14:55:28 ss-aaa-01 radiusd[26593]: [ID 695967 local1.info] INFO RADOP(23) auth for 001D88093B2C@clearwire-wmx.net from 172.27.134.249[] via proxy 127.0.0.2[samsung-strip-keys-mppe] (RTT=9) challenged.
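An added example (not part of Chris's post or of the AAA product) that parses radiusd lines like the ones above: it groups the "auth for" events per user, tracks the last EAP-TLS state and the number of server fragments sent since that state, and lists users still in the certificate-request phase. The sample log is constructed from the lines in the post plus a hypothetical third fragment and a hypothetical second user; the default threshold of three fragments is an assumption taken from the description in the post.

```shell
#!/bin/sh
# Added example, not from the thread: summarise radiusd EAP-TLS activity per user and
# flag sessions that never leave the "certificate request" phase.
# SAMPLE_LOG is constructed: the first user's lines are copied from the post (plus one
# constructed third fragment); the second user is hypothetical.
set -eu

SAMPLE_LOG='May 18 14:55:25 ss-aaa-01 radiusd[26593]: [ID 376206 local1.info] INFO RADOP(147) auth for 001D88093B2C@clearwire-wmx.net from 127.0.0.2[] challenged: Sending TLS start for EAP-Type=TLS to client.
May 18 14:55:25 ss-aaa-01 radiusd[26593]: [ID 929614 local1.notice] NTCE RADOP(271) Performing OTA provisioning for user 001D88093B2C from 127.0.0.2[]
May 18 14:55:25 ss-aaa-01 radiusd[26593]: [ID 695967 local1.info] INFO RADOP(23) auth for 001D88093B2C@clearwire-wmx.net from 172.27.134.249[] via proxy 127.0.0.2[samsung-strip-keys-mppe] (RTT=9) challenged.
May 18 14:55:26 ss-aaa-01 radiusd[26593]: [ID 447184 local1.info] INFO RADOP(149) auth for 001D88093B2C@clearwire-wmx.net from 127.0.0.2[] challenged: Entering TLS state=certificate request for EAP-type=TLS
May 18 14:55:26 ss-aaa-01 radiusd[26593]: [ID 695967 local1.info] INFO RADOP(23) auth for 001D88093B2C@clearwire-wmx.net from 172.27.134.249[] via proxy 127.0.0.2[samsung-strip-keys-mppe] (RTT=125) challenged.
May 18 14:55:27 ss-aaa-01 radiusd[26593]: [ID 727110 local1.info] INFO RADOP(148) auth for 001D88093B2C@clearwire-wmx.net from 127.0.0.2[] challenged: Sending next fragment for EAP-Type=TLS to client.
May 18 14:55:28 ss-aaa-01 radiusd[26593]: [ID 727110 local1.info] INFO RADOP(148) auth for 001D88093B2C@clearwire-wmx.net from 127.0.0.2[] challenged: Sending next fragment for EAP-Type=TLS to client.
May 18 14:55:29 ss-aaa-01 radiusd[26593]: [ID 727110 local1.info] INFO RADOP(148) auth for 001D88093B2C@clearwire-wmx.net from 127.0.0.2[] challenged: Sending next fragment for EAP-Type=TLS to client.
May 18 14:56:01 ss-aaa-01 radiusd[26593]: [ID 376206 local1.info] INFO RADOP(147) auth for 0011223344AA@lab.example from 127.0.0.2[] challenged: Sending TLS start for EAP-Type=TLS to client.
May 18 14:56:02 ss-aaa-01 radiusd[26593]: [ID 447184 local1.info] INFO RADOP(149) auth for 0011223344AA@lab.example from 127.0.0.2[] challenged: Entering TLS state=certificate request for EAP-type=TLS
May 18 14:56:03 ss-aaa-01 radiusd[26593]: [ID 727110 local1.info] INFO RADOP(148) auth for 0011223344AA@lab.example from 127.0.0.2[] challenged: Sending next fragment for EAP-Type=TLS to client.'

# Print "user<TAB>last TLS state<TAB>fragments since that state" for each user in log file $1.
# Proxy echoes ("via proxy") repeat the same challenge and are skipped; lines without
# "auth for" (e.g. the OTA provisioning notice) are ignored.
eap_tls_sessions() {
    awk '
        / radiusd\[/ && / auth for / && !/ via proxy / {
            user = ""
            for (i = 1; i < NF; i++) if ($i == "auth" && $(i+1) == "for") { user = $(i+2); break }
            if (user == "") next
            if ($0 ~ /Sending TLS start/) { state[user] = "tls start"; frag[user] = 0 }
            else if ($0 ~ /Entering TLS state=/) {
                s = $0
                sub(/.*Entering TLS state=/, "", s)
                sub(/ for EAP-[Tt]ype=TLS.*/, "", s)
                state[user] = s; frag[user] = 0
            }
            else if ($0 ~ /Sending next fragment/) { frag[user]++ }
        }
        END { for (u in state) printf "%s\t%s\t%d\n", u, state[u], frag[u] }
    ' "$1" | sort
}

# Print users whose last state is "certificate request" after at least $2 (default 3) fragments.
stalled_users() {
    eap_tls_sessions "$1" |
        awk -F '\t' -v min="${2:-3}" '$2 == "certificate request" && $3 >= min { print $1 }'
}

# Stand-alone demo over the constructed sample.
demo() {
    tmp="$(mktemp)"
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "user / last TLS state / server fragments since that state:"
    eap_tls_sessions "$tmp"
    echo "still in certificate request after 3 or more fragments:"
    stalled_users "$tmp"
    rm -f "$tmp"
}

demo
```

Run it against a real log with `stalled_users /path/to/radius.log`; a user listed here is one for which the AAA kept sending handshake fragments without ever logging a later TLS state, which is the point at which to compare the client's certificate chain against what the server trusts.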

2 Replies

Attached a more detailed trace log.

Chris,

As per your query, we require a certificate on the client if we want to deploy EAP-TLS. Basically there are 3 certificates in this scenario.

[1] CA root certificate

[2] Server certificate (issued by the same CA)

[3] Client certificate (issued by the same CA)

[1] and [2] need to be installed on the ACS server.

[1] and [3] need to be installed on the client.

In this method, the server will first validate the client by verifying that it has a valid certificate issued by the CA. Then the client will validate the certificate issued to the ACS server by the CA. After that a session will be created, and all communication between the ACS and the client will take place through an encrypted tunnel.

Since this is not working in your scenario, you need to upload the package.cab file from the ACS for the RCA. Do you see an "SSL handshake failure" error message in the ACS Reports and Activity > Failed Attempts?

If you are not aware of how to generate the package.cab file from the ACS at full logging level, then please let me know what platform you are running on (ACS appliance or ACS for Windows) and I will send you the steps.

You may go through the guide listed below:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml


HTH


JK


Do rate helpful posts.

~Jatin
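An added example (not from the thread or from Cisco ACS) of the three-certificate layout JK describes, built with openssl in a throwaway directory: [1] a root CA, [2] a server certificate and [3] a client certificate both issued by that CA, followed by the chain check the AAA performs on [3] and the client performs on [2]. Subjects, file names and the lab directory are hypothetical; the extended key usage values (serverAuth/clientAuth) are an assumption added to show why the two leaf certificates are not interchangeable.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway EAP-TLS PKI with openssl and check
# each leaf against the root, mirroring the reply above:
#   [1] root CA, [2] server certificate, [3] client certificate, [2] and [3] from the same CA.
# All subjects, file names and the work directory are hypothetical lab values.
set -eu

# Create [1], [2] and [3] under directory $1. Keys are unencrypted throwaway lab keys.
make_eap_tls_pki() {
    dir="$1"
    mkdir -p "$dir"

    # [1] Root CA: self-signed and explicitly marked as a CA so the result does not depend
    #     on the distribution's openssl.cnf defaults.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab EAP-TLS Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" >/dev/null 2>&1

    # [2] Server certificate (the AAA/ACS identity), limited to server authentication.
    issue_leaf "$dir" server "/CN=aaa.lab.example" serverAuth
    # [3] Client certificate (the supplicant identity), limited to client authentication.
    issue_leaf "$dir" client "/CN=supplicant01.lab.example" clientAuth
}

# Issue a leaf certificate signed by the CA in $1: file name $2, subject $3, extended key usage $4.
issue_leaf() {
    dir="$1"; name="$2"; subj="$3"; eku="$4"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$dir/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
}

# Verify leaf $3 against trust anchor $1 for purpose $2 (sslserver or sslclient); prints OK or FAIL.
verify_leaf() {
    if openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Stand-alone demo: the check the AAA makes on [3], the check the client makes on [2],
# and a role mismatch (the server certificate presented where a client certificate belongs).
demo() {
    work="$(mktemp -d)"
    make_eap_tls_pki "$work"
    echo "client cert [3] as sslclient against [1]: $(verify_leaf "$work/ca.pem" sslclient "$work/client.pem")"
    echo "server cert [2] as sslserver against [1]: $(verify_leaf "$work/ca.pem" sslserver "$work/server.pem")"
    echo "server cert [2] as sslclient against [1]: $(verify_leaf "$work/ca.pem" sslclient "$work/server.pem")"
    rm -rf "$work"
}

demo
```

The third line of the demo fails on purpose: a certificate whose extended key usage is serverAuth only is rejected for the sslclient purpose even though it chains to the same root, which is the kind of mismatch that surfaces on the AAA side as a handshake failure when the wrong certificate (or the wrong CA) has been installed on the client. Running `verify_leaf` with the real root and the certificate exported from the client is a quick first check before pulling full ACS logs.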