Contributor

EAP_TLS issue.

I am having an issue with getting a Mac to authenticate into ISE.

I see it connecting, but with the following error.

12521 EAP-TLS failed SSL/TLS handshake after a client alert

Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.

I have the root and sub-CAs installed on the Mac and on ISE.

OpenSSLErrorMessage: SSL alert: code=0x100=256 ; source=remote ; type=warning ; message="close notify"

I'm not very familiar with a Mac. Does anyone know where/how to see errors on them, as it seems to be closing the connection?

Enthusiast

Re: EAP_TLS issue.

The diagnostics of a Mac are described in this article: https://support.apple.com/en-gb/HT202663

But if you had a trust issue, the Mac would normally prompt you with a decision whether you want to trust the EAP certificate. Does the Mac maybe have a wrong setting for the authentication of the SSID?

Contributor

Re: EAP_TLS issue.

This is actually a wired Mac.

We use 802.1X with PCs and this all works fine. For a Mac, they made a user cert to use on them and it uses EAP-TLS. The PCs use EAP-PEAP.

It seems like the client is not responding to the RADIUS Access-Challenge.

12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12815 Extracted TLS Alert message
12521 EAP-TLS failed SSL/TLS handshake after a client alert
12507 EAP-TLS authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
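As an added triage example (not part of the thread), the snippet below parses a constructed excerpt of the ISE step log above and the OpenSSLErrorMessage from the question, then reports how far the TLS handshake got before the client's alert: here ISE had already delivered its Certificate and CertificateRequest (over several EAP fragments), so the client side, not the RADIUS side, is where the close notify originates. The step ids and the alert string are the ones quoted on this page; the verdict wording is my own.

```python
import re
# Constructed excerpt of the ISE "Steps" column from the thread, with step id and
# message run together exactly as the forum rendered them (sample data).
ISE_STEPS = """\
12805Extracted TLS ClientHello message
12806Prepared TLS ServerHello message
12807Prepared TLS Certificate message
12808Prepared TLS ServerKeyExchange message
12809Prepared TLS CertificateRequest message
12505Prepared EAP-Request with another EAP-TLS challenge
12504Extracted EAP-Response containing EAP-TLS challenge-response
12815Extracted TLS Alert message
12521EAP-TLS failed SSL/TLS handshake after a client alert
11003Returned RADIUS Access-Reject
"""
# Constructed copy of the OpenSSLErrorMessage attribute quoted in the question.
OPENSSL_MSG = 'SSL alert: code=0x100=256 ; source=remote ; type=warning ; message="close notify"'
# Server-side handshake messages ISE logs before it waits on the client.
SERVER_STEPS = {"12807": "Certificate", "12808": "ServerKeyExchange", "12809": "CertificateRequest"}

def parse_steps(text):
    """Split each 'NNNNNMessage' line into (step_id, message)."""
    rows = [re.match(r"^(\d{4,5})(.*)$", ln.strip()) for ln in text.splitlines()]
    return [(m.group(1), m.group(2).strip()) for m in rows if m]

def parse_openssl_alert(msg):
    """Turn 'SSL alert: k=v ; k=v' into a dict; code=0x100=256 keeps all text after its first '='."""
    if ":" in msg.split("=", 1)[0]:  # drop the leading 'SSL alert:' label
        msg = msg.split(":", 1)[1]
    fields = {}
    for part in msg.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            fields[k] = v.strip().strip('"')
    return fields

def triage(steps, alert):
    """Report how far the TLS handshake got before the client's alert ended it."""
    ids = [sid for sid, _ in steps]
    if "12815" not in ids:
        return {"verdict": "no TLS alert in this conversation"}
    before = ids[: ids.index("12815")]
    sent = [name for sid, name in SERVER_STEPS.items() if sid in before]
    fragments = before.count("12505")  # extra EAP round trips = fragmented server flight
    if alert.get("source") == "remote" and "CertificateRequest" in sent:
        verdict = "client aborted after the server Certificate/CertificateRequest flight: check supplicant trust of the ISE EAP chain and the client certificate"
    else:
        verdict = "client aborted before the server certificate flight completed"
    return {"server_sent": sent, "fragments": fragments, "alert": alert.get("message"), "verdict": verdict}
```

Feed it the full step list from a live ISE authentication detail report and the fragment count tells you how many EAP round trips the server chain took before the client bailed.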
Enthusiast

Re: EAP_TLS issue.

Was this setting deployed with an MDM or any other tool to the Mac?

Contributor

Re: EAP_TLS issue.

I think they use JAMF to push settings. One thing I'm looking at is the keychain. The cert uses our old CAs, and ISE uses the new CAs. I've added the new CAs to the Mac, but noticed it says they are trusted for the user, not for all users. I'm wondering if it's not trusting ISE and ignoring the conversation. The issue is I'm not sure how to get the cert trusted for all users.

Enthusiast

Re: EAP_TLS issue.

The trust can be set with the configuration profile which deploys the EAP settings to the client.

If you're using a public cert on the ISE, you can just publish the subject name of the EAP certificate from ISE.

If you're using a private cert, there are options in an MDM/EMM for macOS to import trusted certificates and set them as trusted for EAP authentications.

Described in http://training.apple.com/pdf/WP_8021X_Authentication.pdf, page 21.

Contributor

Re: EAP_TLS issue.

Thanks, I'll look into that.

Contributor

Re: EAP_TLS issue.

Does ISE trust the old CAs as well?

Contributor

Re: EAP_TLS issue.

I did add the old CAs into ISE, so it should be OK there.

Cisco Employee

Re: EAP_TLS issue.

12521 EAP-TLS failed SSL/TLS handshake after a client alert

would probably be better sorted out by looking at the client side.

Previously, macOS 10.6 ~ 10.8 may use the following. It might also work for later macOS releases.

To turn on verbose logging:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int 255

==> Setting it to 255 seems to be the most verbose; setting it to 1 already logs some info.

Log file: /var/log/eapolclient.enN.log

Also watch /var/log/system.log and /var/log/wifi.log

To turn off verbose logging:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int 0

AFP548 – Covering Apple IT – 802.1x EAP-TLS Machine Authentication in Mt. Lion with AD Certificates shows an example of the error logging:

... eapolclient was logging the following error:

eaptls_handshake: SSLHandshake failed, errSSLPeerAccessDenied

...