Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

EAP-TLS configuration issues

Hi ,

I am trying to set up a mixed vendor NIC wireless environment and have opted to use EAP-TLS. I am however having some problems getting it to work. I am using AP1100, Aironet 350 PCMCIA cards , Microsoft CA, and ACS3.1. I have successfully setup the client and ACS side certificates and followed the instructions on the EAP-TLS Deployment Guide for Wireless networks which I downloaded off CCO. When I run a "debug radius" on the Access point I dont see any debug info. When I reconfigure everything for LEAP I can then see the AP radius debugs. Does anyone have any tips or recommendations ? I have upgraded XP to service pack 1 ? If you could perhaps direct me to a more comprehensive installation document I would also appreciate it .

Many thanks

New Member

Re: EAP-TLS configuration issues

Try using this command to trouble shooot your EAP-TLS issue, telnet to your AP and try to associate it client. use this commanf

:eap_diag1_on - turn on eap diag

:eap_diag1_off - turn off eap diag

Hope this will help



New Member

Re: EAP-TLS configuration issues

Hi ,

These debugs are for an AP350 , I am using an AP1100.

I have subsequently managed to get EAP-TLS working on XP.

The problem I am encountering now is that when I log onto the machine locally everything works fine. When I authenticate to the domain I keep getting " domain unavailable " error message.

I think the reason for this is that because the wireless network is not authenticated and up and running when you enter your authentication details on XP to logon to the domain. The XP machine see's it as having no network connection and returns the domain unavailable message.

Does anyone have any ideas with regards to this problem ?

New Member

Re: EAP-TLS configuration issues

have you installed the user-certificate for the right user?

log on to the computer with wired connection to the domain and verify the certificate

eap-tls starts after you log into the pc. for in deep troubleshooting you can use the cmd-line netsh ras set tracing * enable. see also

verify at the ap that 802.11 (authenticated, associated) works well, before troubleshooting eap-tls

use ethereal or sniffer to verify communication between ap and radius and look for radius accept or reject messages

New Member

Re: EAP-TLS configuration issues

I have subsequently resolved this issue and am able to successfully authenticate.

What I am struggling with now is to get the ACS authentication integrated with Microsoft Active directory.

For example when I reset the wireless users domain password, it has no effect I am still able to logon to the wireless network with the old password.

Yet if I connect that same machine via wired ethernet I am immediately prompted to change my password.

Have you any ideas on how to resolve this problem ?

Thanks for your reply

New Member

Re: EAP-TLS configuration issues


unfortunately I have no answer for your current issues. I have post this message to ask for your help. I have the same issue that you talk about.

I'm trying to deploy a WLAN with EAP-TLS XP clients but without success. With LEAP all work fine and I can see AP debugs but not with EAP-TLS.

I think certificates works fine because the same user unable to authenticate with AP1100 is able to authenticate with EAP-TLS with Catalyst 2950.

I have see the following messages in EAPOL.log

(Win XP Prof. with SP1)

[1144] 17:41:25: ElProcessEapConfigChange: Modified SSID non-NULL, PCB SSID NULL

[1144] 17:41:25: ElProcessEapConfigChange: Finished with error 0

Please, could you tell me your workaround?

Thanks in advance.

New Member

Re: EAP-TLS configuration issues


Are you using Cisco Secure ACS for radius authentication ? If so try enabling debugging on the radius and see if you are getting authentication failures. If so I would probably try reinstalling the server and client side certificate, and running the debug again to see if the client authenticates.

I know the CN= field of the certificate on the client must correspond to the username being used to log onto the machine, you could possible check that out aswell.