https://community.cisco.com/t5/network-access-control/eap-tls-w-freeradius-failing-phone-doesn-t-present-client/m-p/1932768#M221950 <P>I know this is an old thread but I just had the same behavior as OP with freeRadius 3.0.9 and 8845 phones running 10.3.16 on a 10.5 cluster so... still relevant.</P> <P></P> <P>I found the following in the phone console logs:</P> <P>5840 ERR Nov 14 23:25:51.242806 PAE: -Total fragmented length(1616) doesn't match expected length(1612)</P> <P></P> <P>I was able to resolve the problem by adding &nbsp;include_length = no in mods-available/eap file under the tls section.</P> Sun, 15 Nov 2015 08:32:07 GMT Cliff Campbell 2015-11-15T08:32:07Z https://community.cisco.com/t5/network-access-control/eap-tls-w-freeradius-failing-phone-doesn-t-present-client/m-p/1932767#M221915 <P>Hello, </P><P></P><P>I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).</P><P>The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.</P><P></P><P>While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE. </P><P></P><P>Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.</P><P></P><P>What was done:</P><P></P><P>- set up freeradius with EAP-TLS configuration, trusting both cisco CA root&nbsp; and manufacturing root.</P><P>- freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)</P><P>- Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)</P><P></P><P>What I can see while running a wireshark trace on freeradius is:</P><P>&nbsp;&nbsp;&nbsp;&nbsp; - both parties negotiate properly that they will engage in EAP-TLS.</P><P>&nbsp;&nbsp;&nbsp;&nbsp; - they&nbsp; start the TLS handshake</P><P>&nbsp;&nbsp;&nbsp;&nbsp; - Server sends its certificate on a Server Hello to the phone (which is meant to not validate it)</P><P>&nbsp;&nbsp;&nbsp;&nbsp; - Client (phone) never sends its certificate (MIC) to the server.</P><P>&nbsp;&nbsp;&nbsp;&nbsp; - Client restarts EAP-TLS negotiation and goes on and on.</P><P></P><P>Unfortunately the debugs/Captures on freeradius do not allow to verify if the server certificate exchange is finished, or if it is failing somewhere (like a fragment being dropped).</P><P></P><P>Does anyone have an idea on what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than one on a ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.</P><P>Phone firmware is 9.2(3) and callmanager 8.6</P><P></P><P>Thanks</P><P></P><P>Gustavo Novais</P> Mon, 11 Mar 2019 01:55:12 GMT https://community.cisco.com/t5/network-access-control/eap-tls-w-freeradius-failing-phone-doesn-t-present-client/m-p/1932767#M221915 Gustavo Novais 2019-03-11T01:55:12Z https://community.cisco.com/t5/network-access-control/eap-tls-w-freeradius-failing-phone-doesn-t-present-client/m-p/1932768#M221950 <P>I know this is an old thread but I just had the same behavior as OP with freeRadius 3.0.9 and 8845 phones running 10.3.16 on a 10.5 cluster so... still relevant.</P> <P></P> <P>I found the following in the phone console logs:</P> <P>5840 ERR Nov 14 23:25:51.242806 PAE: -Total fragmented length(1616) doesn't match expected length(1612)</P> <P></P> <P>I was able to resolve the problem by adding &nbsp;include_length = no in mods-available/eap file under the tls section.</P> Sun, 15 Nov 2015 08:32:07 GMT https://community.cisco.com/t5/network-access-control/eap-tls-w-freeradius-failing-phone-doesn-t-present-client/m-p/1932768#M221950 Cliff Campbell 2015-11-15T08:32:07Z