topic Re: EAP_TLS issue. in Network Access Control

EAP_TLS issue.

Dustin Anderson — Mon, 27 Mar 2017 18:47:12 GMT

I am having an issue with getting a Mac to authenticate into ISE.

I see it connecting, but with the following error.

12521 EAP-TLS failed SSL/TLS handshake after a client alert

Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.

I have the root and subca's installed on the mac, and ISE.

OpenSSLErrorMessage

SSL alert: code=0x100=256 ; source=remote ; type=warning ; message="close notify"

I'm not very familiar with a Mac, does anyone know where/how to see errors on them as it seems to be closing the connection.

Re: EAP_TLS issue.

Oliver Laue — Tue, 28 Mar 2017 06:45:06 GMT

The diagnostic of a Mac is described in this article. https://support.apple.com/en-gb/HT202663

But if you would have a trust issue, the mac will normally prompt you with a decision if you want to trust the EAP Certificate. Did the mac maybe has a wrong setting for the Authentication of the SSID?

Re: EAP_TLS issue.

Dustin Anderson — Tue, 28 Mar 2017 14:47:50 GMT

This is actually a wired Mac.

We use 802.1x with PC's and this all works fine. For a Mac, they made a user cert to use on them and it uses EAP-TLS. The PC's use EAP-PEAP.

it seems like the client is not responding to the RADIUS access challenge.

12500	Prepared EAP-Request proposing EAP-TLS with challenge
12625	Valid EAP-Key-Name attribute received
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12502	Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800	Extracted first TLS record; TLS handshake started
12805	Extracted TLS ClientHello message
12806	Prepared TLS ServerHello message
12807	Prepared TLS Certificate message
12808	Prepared TLS ServerKeyExchange message
12809	Prepared TLS CertificateRequest message
12505	Prepared EAP-Request with another EAP-TLS challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12504	Extracted EAP-Response containing EAP-TLS challenge-response
12505	Prepared EAP-Request with another EAP-TLS challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12504	Extracted EAP-Response containing EAP-TLS challenge-response
12505	Prepared EAP-Request with another EAP-TLS challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12504	Extracted EAP-Response containing EAP-TLS challenge-response
12505	Prepared EAP-Request with another EAP-TLS challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12504	Extracted EAP-Response containing EAP-TLS challenge-response
12505	Prepared EAP-Request with another EAP-TLS challenge
11006	Returned RADIUS Access-Challenge
11001	Received RADIUS Access-Request
11018	RADIUS is re-using an existing session
12504	Extracted EAP-Response containing EAP-TLS challenge-response
12815	Extracted TLS Alert message
12521	EAP-TLS failed SSL/TLS handshake after a client alert
12507	EAP-TLS authentication failed
11504	Prepared EAP-Failure
11003	Returned RADIUS Access-Reject
5434	Endpoint conducted several failed authentications of the same scenario

Re: EAP_TLS issue.

Oliver Laue — Tue, 28 Mar 2017 14:55:51 GMT

was this setting deployed with a MDM or any other tool to the mac?

Re: EAP_TLS issue.

Dustin Anderson — Tue, 28 Mar 2017 15:07:19 GMT

I think they use JAMF to push settings. One thing I'm looking at is the keychain. The cert uses our old CA's, and ISE uses the new CA's. I've added the new CA's to the Mac, but noticed it says they are trusted for the user, not for all users. I'm wondering if it's not trusting ISE and ignoring the conversation. Issue is i'm not sure how to get the cert trusted for all users.

Re: EAP_TLS issue.

Oliver Laue — Tue, 28 Mar 2017 15:15:32 GMT

the trust can be set with the configuration profile which deploys the eap settings to the client.

If you're using a public cert on the ise you can just publish the subject name of the EAP Certificate from ise.

If you're using a private cert there are options in a MDM/EMM for macOS to import trusted certificates and set them as trusted for the EAP Authentications.

described in http://training.apple.com/pdf/WP_8021X_Authentication.pdf page 21

Re: EAP_TLS issue.

Dustin Anderson — Tue, 28 Mar 2017 17:11:36 GMT

Thanks, I'll look into that.

Re: EAP_TLS issue.

gbekmezi-DD — Tue, 28 Mar 2017 17:36:17 GMT

Does ISE trust the old CAs as well?

Re: EAP_TLS issue.

Dustin Anderson — Tue, 28 Mar 2017 19:51:02 GMT

I did add the old CA's into ISE, so should be OK there.

Re: EAP_TLS issue.

hslai — Thu, 20 Apr 2017 16:14:57 GMT

12521

EAP-TLS failed SSL/TLS handshake after a client alert

would be probably better sorted by looking at the client side.

Previously, macOS 10.6 ~ 10.8 may use the following. It might also work for later macOS releases.

To turn on verbose logging:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int 255

==> Setting to 255 seems to be most verbose; to 1 already logs some info.

Log file: /var/log/eapolclient.enN.log

Also watch /var/log/system.log and /var/log/wifi.log

To turn off verbose logging:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int 0

AFP548 – Covering Apple IT – 802.1x EAP-TLS Machine Authentication in Mt. Lion with AD Certificates shows an example error logging:

... eapolclient was logging the following error:

eaptls_handshake: SSLHandshake failed, errSSLPeerAccessDenied

...

Re: EAP_TLS issue.

shockocisco — Tue, 11 Jan 2022 16:15:16 GMT

I had the same issue and this resolved. Thanks for this guys!

Re: EAP_TLS issue.

ajc — Mon, 20 Mar 2023 17:50:07 GMT

Looks like the article is not available anymore.