12511 Unexpectedly received TLS alert message; treating as a rejection by the client

Larry Bernard
Level 1

ISE Version: 1.2.0.899 (Running in VMware)

WLC: 5508 ver 7.6.100.0

I have a WLAN created that uses dot1x authentication. The WLAN points to ISE for RADIUS AAA. I cannot get any Windows computer to connect to it (7, 8 or 8.1 tested), but Android, iOS and OS X are all able to connect. I have a 3rd party cert (GoDaddy) installed in my local store in ISE, which is valid and not expired. I do not understand why Windows machines are failing.

I am migrating to this new ISE server and my old ISE server has the same configuration (as far as I can tell) for this WLAN and it works for all devices, including windows. The difference is that it is on a different domain (the reason for the migration is we changed domains).

Here is the ISE error:

Event: 5400 Authentication failed

Failure Reason: 12511 Unexpectedly received TLS alert message; treating as a rejection by the client

Resolution: Ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!

Root cause: While trying to negotiate a TLS handshake with the client, ISE received an unexpected TLS alert message. This might be due to the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.

Here is the WLC error:

AAA Authentication Failure for UserName:Domain\User User Type: WLAN USER

Here is the Windows event viewer error:

Source:        Microsoft-Windows-Security-Auditing
Event ID:      5632

Description:
A request was made to authenticate to a wireless network.

Subject:
    Security ID:        NULL
    Account Name:        User
    Account Domain:        Domain

Network Information:
    Name (SSID):        IT-Test

Additional Information:
    Reason Code:        Explicit Eap failure received (0x50005)
    Error Code:        0x80420014
    EAP Reason Code:    0x80420100
    EAP Root Cause String:    Network authentication failed\nThe user certificate required for the network can't be found on this computer.

    EAP Error Code:        0x80420014

On the ISE server that is working you are presented with a window that asks you to connect or terminate based on the certificate not being validated. I don't know why that isn't happening with this new ISE server, it just fails without prompting the user to connect or terminate. Both certs are from GoDaddy.

A difference between the certs is the old has a cert that was generated through ISE and the new server has an imported wildcard cert.

Anyway, I hope that is enough information to understand the issue. I appreciate the time anyone takes in assisting me with this issue. I did set up a copy of the WLAN so that I can test as needed and not have to wait for a maintenance window.
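The ISE resolution text above says the supplicant must trust the CA that signed the server certificate. The following is an added example, not code from the original post or from Cisco, that builds a throwaway CA plus a wildcard server certificate and runs the checks a supplicant makes before accepting a RADIUS server certificate (issuer matches a trusted CA, signature verifies, validity window, Server Authentication EKU); it needs the `cryptography` package and all names are constructed.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding


def make_cert(cn, key, issuer_cert=None, issuer_key=None, is_ca=False, sans=(), eku=True):
    """Build a CA (self-signed) or a server cert signed by issuer_key. Constructed data."""
    now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(minutes=5))
         .not_valid_after(now + dt.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if sans:  # e.g. *.example.test for a wildcard cert imported into ISE
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
    if eku:   # Windows supplicants require the Server Authentication EKU on the RADIUS server cert
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    return b.sign(issuer_key or key, hashes.SHA256())


def supplicant_accepts(server_cert, trusted_ca):
    """Return (ok, reason): mirrors the trust checks a supplicant runs before it completes the TLS tunnel."""
    if server_cert.issuer != trusted_ca.subject:
        return False, "issuer is not the trusted CA"
    try:  # verify the server cert's signature with the trusted CA's public key (RSA PKCS#1 v1.5)
        trusted_ca.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), server_cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify under the trusted CA"
    now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    if not (server_cert.not_valid_before <= now <= server_cert.not_valid_after):
        return False, "outside validity window"
    try:
        ekus = server_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False, "no Extended Key Usage extension"
    if ExtendedKeyUsageOID.SERVER_AUTH not in ekus:
        return False, "missing Server Authentication EKU"
    return True, "trusted"


def build_demo():
    """Constructed scenario: one trusted CA, an untrusted CA, and a wildcard server cert signed by the first."""
    ca_key, other_key, srv_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ca = make_cert("Trusted Root CA (constructed)", ca_key, is_ca=True)
    other_ca = make_cert("Unrelated CA (constructed)", other_key, is_ca=True)
    server = make_cert("*.example.test", srv_key, ca, ca_key, sans=["*.example.test"])
    no_eku = make_cert("*.example.test", srv_key, ca, ca_key, sans=["*.example.test"], eku=False)
    return ca, other_ca, server, no_eku


if __name__ == "__main__":
    ca, other_ca, server, no_eku = build_demo()
    for label, cert, trust in (("good", server, ca), ("wrong CA", server, other_ca), ("no EKU", no_eku, ca)):
        print(label, supplicant_accepts(cert, trust))
```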