Cisco Support Community

ACS/802.1x auth

Hi everyone,


I have a weird problem and am having difficulty troubleshooting it. First I will briefly explain my environment:

I'm using WCS + 2 WLC in order to provide wireless for all people in the company (headquarter + outstations).

Basically I have configured a WLAN using 802.1x EAP-TLS with the broadcast SSID "CORP1" and authentication with Cisco Secure ACS 4.1.4.13.

I'm also using two ACS with the same version in order to have redundancy.

Everything is working fine but now I have to make a small change: deploying the same corporate wireless but with another SSID in order to replace CORP1 with CORP2 (in several outstations).

So the WLAN CORP1 and 2 have exactly the same configuration (just profile name and SSID are different).

Now the problem: when people try to connect to CORP2, it works for several of them but not for the others. All clients use the same kind of laptop with the same configuration.

After some investigation I have found that the error is located on the ACS and I get the following error:

Authen session timed out: Challenge not provided by client

On the client side, using Windows XP, the status blocks at the step "Attempting to authenticate".

I tried to do the authentication on the first ACS and then on the second, but I get the same issue.

I have investigated with Wireshark and it seems that the computers don't send the certificate:

12    0.909923    Cisco_XX:XX:XX    IntelCor_YY:YY:YY    TLSv1    Server Hello, Certificate, Certificate Request, Server Hello Done

13    0.918017    IntelCor_YY:YY:YY    Cisco_XX:XX:XX     EAP    Response, EAP-TLS [RFC5216] [Aboba]

nok1.jpg

And when it works correctly I have the following....:

ok1.jpg

So do you have any ideas about what's going on, and could you help me solve this problem?

Of course if you need additional information feel free to ask.

Many thanks in advance,

Philippe

1 REPLY

Re: ACS/802.1x auth

I tried to change the title of this message but without success (error), because now I don't think it's linked to the ACS anymore.

As for my problem, it's still not solved, but I have new information:

I tried to deploy my new SSID on another access point (same model) and tried to connect to it: it works perfectly!

Then I tried again to connect to my previous access point and it's working too...

The client correctly sent the certificate during the SSL handshake....


I really don't understand why I have such behavior!

Then I took another PC from the pool of computers for which it's not working and ... it's still not working when I tried to connect to the new SSID on the first access point.

With this additional information, do you have an idea, or what can I do to troubleshoot?

Thanks in advance for your help,

Philippe.
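
As an added example (not part of the original thread): a small Python script that applies the comparison described in the first post to a Wireshark packet-list text export, listing clients that received a Certificate Request but never sent a Certificate message. Frames 12-13 are the ones quoted in the post; the function names and frames 20-22 with the `IntelCor_ZZ:ZZ:ZZ` address are constructed for illustration.

```python
import re

# Packet-list rows as exported by Wireshark (No., Time, Source, Destination,
# Protocol, Info). Frames 12-13 are the ones quoted in the post; frames 20-22
# are constructed to represent a handshake that completes.
CAPTURE = """\
12    0.909923    Cisco_XX:XX:XX    IntelCor_YY:YY:YY    TLSv1    Server Hello, Certificate, Certificate Request, Server Hello Done
13    0.918017    IntelCor_YY:YY:YY    Cisco_XX:XX:XX     EAP    Response, EAP-TLS [RFC5216] [Aboba]
20    1.204511    Cisco_XX:XX:XX    IntelCor_ZZ:ZZ:ZZ    TLSv1    Server Hello, Certificate, Certificate Request, Server Hello Done
21    1.213377    IntelCor_ZZ:ZZ:ZZ    Cisco_XX:XX:XX    EAP    Response, EAP-TLS [RFC5216] [Aboba]
22    1.260142    IntelCor_ZZ:ZZ:ZZ    Cisco_XX:XX:XX    TLSv1    Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
"""


def parse_rows(text):
    """Yield (frame_no, src, dst, info) from whitespace-aligned summary rows."""
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip(), maxsplit=5)
        if len(fields) == 6 and fields[0].isdigit():
            yield int(fields[0]), fields[2], fields[3], fields[5]


def clients_without_certificate(text):
    """Map each client that got a Certificate Request but never sent a
    Certificate message to the frame number of that request."""
    pending = {}
    for frame_no, src, dst, info in parse_rows(text):
        messages = [m.strip() for m in info.split(",")]
        if "Certificate Request" in messages:
            pending[dst] = frame_no      # server asked dst for its certificate
        elif "Certificate" in messages:
            pending.pop(src, None)       # src answered with its certificate
    return pending


if __name__ == "__main__":
    for client, frame_no in clients_without_certificate(CAPTURE).items():
        print(f"{client}: no client Certificate after request in frame {frame_no}")
```

A capture that stops mid-handshake is reported the same way, so make sure the export covers the whole exchange before comparing working and failing clients.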
