
EAP-TLS PEAP FAIL DURING SSH HANDSHAKE

Hi Pros,

I am a newbie to ACS 4.2 and EAP-TLS implementation. With that being said, I am facing an issue during an EAP-TLS implementation. My search shows that this kind of error message is already a certificate issue; however, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and reinstalled the certchain as well.

When I check my log of failed attempts, here is what I found:

Date TimeMessage-TypeUser-NameGroup-NameCaller-IDNetwork Access Profile NameAuthen-Failure-CodeAuthor-Failure-CodeAuthor-DataNAS-PortNAS-IP-AddressFilter InformationPEAP/EAP-FAST-Clear-NameEAP TypeEAP Type NameReasonAccess DeviceNetwork Device Group
06/23/201017:39:51Authen failed000e.9b6e.e834Default Group000e.9b6e.e834(Default)EAP-TLS or PEAP authentication failed during SSL handshake....110110.111.22.24....25MS-PEAP..wbr-1121-zozo-testOffice Networ

06/23/201017:39:50Authen failedgroszozo@xxx.comDefault Group000e.9b6e.e834(Default)EAP-TLS or PEAP authentication failed during SSL handshake....109810.111.22.24....25MS-PEAP..wbr-1121-zozo-testOffice Network

groszozo@xxx.com = my Windows Active Directory name

1. Why does it show MS-PEAP, not EAP-TLS, under EAP-TYPE? I did configure EAP-TLS....

2. Why does it sometimes just show the MAC of the client for the username?

3. Why does it put me in DEFAULT-GROUP even though I belong to a group well defined in the ACS?

2. Secondly, when I check the passed authentications... here is what I saw:

Date TimeMessage-TypeUser-NameGroup-NameCaller-IDNAS-PortNAS-IP-AddressNetwork Access Profile NameShared RACDownloadable ACLSystem-Posture-TokenApplication-Posture-TokenReasonEAP TypeEAP Type NamePEAP/EAP-FAST-Clear-NameAccess DeviceNetwork Device Group
06/23/201017:30:49Authen OKgroszozoNOC Tier 210.11.10.105110.111.22.24(Default)................wbr-1121-zozo-testOffice Network
06/23/201017:29:27Authen OKgroszozoNOC Tier 210.11.10.105110.111.22.24(Default)................wbr-1121-zozo-testOffice Network


In the output below, it says that the user is authenticated and it puts the user in the right group with the right username, but the user never really authenticates. Maybe for the first few seconds when I initiate the connection.

Before I forget, the supplicant is using WIN XP and 802.1x is enabled. I even unchecked not verify the server and the ACS under External User Databases, I did check ENABLE EAP-TLS machine authentication.

Thanks in advance for your help,

Crazy---
