04-16-2020 11:47 AM
Hello,
I've upgraded a Cisco 8821 to the new Firmware "11.0(5)SR3".
Since this FW version, the phone does not connect to WLAN.
WLAN security is EAP-FAST with Local EAP Users on Cisco 2504.
With older Firmware on the Cisco 8821 WLAN Phone, there were no issues like this.
I use Cisco 3802 Access Points with Cisco 2504 WLC on Software Version 8.5.161.0.
Phone says in "Status messages": Ethernet Disconnected.
On the WLC I see that the device is connecting but with no IP (0.0.0.0).
What can I do?
04-21-2020 02:09 AM
04-21-2020 04:30 AM
I cannot do this without service contract, I think ... :(
04-21-2020 05:17 AM
@florian.hanig1 wrote:
I cannot do this without service contract
Do you have Service Contract for your CUCM or WLC?
04-23-2020 02:24 AM - edited 04-23-2020 02:25 AM
Yes, but not on our company.
A big German communication partner supervised this, so I have no possibility to open a ticket.
I've now tested with FreeRADIUS and a strict TLS 1.2 policy.
Error log of FreeRADIUS shows:
(8) eap_fast: ERROR: TLS Alert write:fatal:internal error tls: TLS_accept: Error in error
(8) eap_fast: ERROR: Failed in __FUNCTION__ (SSL_read): error:141FC044:SSL routines:tls_setup_handshake:internal error
(8) eap_fast: ERROR: System call (I/O) error (-1)
(8) eap_fast: ERROR: TLS receive handshake failed during operation
(8) eap_fast: ERROR: [eaptls process] = fail
(8) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module failed
So can anyone verify that EAP-FAST works at all in version 11.0(5)?
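The FreeRADIUS output above is the kind of thing you end up grepping through on a RADIUS server when EAP-FAST clients start failing after a firmware change. Below is a small added parser (not from the thread, not FreeRADIUS code) that splits the per-request "(N) module: LEVEL: message" records, pulls out the TLS alert and the OpenSSL error code/function/reason, and reports which request IDs ended in "EAP sub-module failed". The sample log is constructed from the lines quoted in the post; the record layout it assumes is the standard FreeRADIUS debug format.

```python
import re
from dataclasses import dataclass

# Constructed sample: the FreeRADIUS errors quoted in the thread, one record per line.
SAMPLE_LOG = """\
(8) eap_fast: ERROR: TLS Alert write:fatal:internal error tls: TLS_accept: Error in error
(8) eap_fast: ERROR: Failed in __FUNCTION__ (SSL_read): error:141FC044:SSL routines:tls_setup_handshake:internal error
(8) eap_fast: ERROR: System call (I/O) error (-1)
(8) eap_fast: ERROR: TLS receive handshake failed during operation
(8) eap_fast: ERROR: [eaptls process] = fail
(8) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module failed
"""

# "(8) eap_fast: ERROR: <message>" -> request id, module, level, message
LINE_RE = re.compile(r"^\((?P<req>\d+)\) (?P<module>\w+): (?P<level>ERROR|WARNING|Debug): (?P<msg>.*)$")
# OpenSSL error string: error:<8 hex>:<library>:<function>:<reason>
OPENSSL_ERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$")
# "TLS Alert write:fatal:internal error" (optionally followed by a run-on "tls: ..." fragment)
ALERT_RE = re.compile(r"TLS Alert (?P<dir>read|write):(?P<level>fatal|warning):(?P<desc>.+?)(?:\s+tls:.*)?$")


@dataclass
class Record:
    request: int
    module: str
    level: str
    message: str


def parse_records(text):
    """Turn FreeRADIUS debug output into Record objects; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Record(int(m["req"]), m["module"], m["level"], m["msg"]))
    return out


def summarize_tls_failure(records):
    """Group records by request id and extract the TLS alert, OpenSSL error and final EAP verdict."""
    summary = {}
    for r in records:
        s = summary.setdefault(r.request, {"alerts": [], "openssl": [], "eap_failed": False})
        a = ALERT_RE.search(r.message)
        if a:
            s["alerts"].append((a["dir"], a["level"], a["desc"]))
        o = OPENSSL_ERR_RE.search(r.message)
        if o:
            s["openssl"].append({"code": o["code"], "function": o["func"], "reason": o["reason"]})
        if r.module == "eap" and "EAP sub-module failed" in r.message:
            s["eap_failed"] = True
    return summary


def failed_requests(summary):
    """Request ids whose EAP session ended in failure, sorted."""
    return sorted(req for req, s in summary.items() if s["eap_failed"])


if __name__ == "__main__":
    summary = summarize_tls_failure(parse_records(SAMPLE_LOG))
    for req in failed_requests(summary):
        s = summary[req]
        print(f"request {req}: alerts={s['alerts']} openssl={s['openssl']}")
```

Run it against a real `radiusd -X` capture and the `openssl` list tells you at a glance which OpenSSL function rejected the handshake (here `tls_setup_handshake`), which is the first thing to compare between a working and a failing client firmware.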
04-23-2020 03:22 AM
Scroll up and send a PM to @migilles and see if he can provide some assistance.
04-23-2020 10:05 AM - edited 04-23-2020 10:06 AM
Hi.
Yes, seems the issue is due to TLS 1.2 for WLAN authentication, which was introduced in 11.0(5) release for 8821 phones.
I found that TLS 1.2 for EAP-FAST was included in WLC version 8.10.112.0, but that version is not available for the WLC2500.
There was a bug in Cisco ISE 2.x as well regarding TLS 1.2 support specific to EAP-FAST.
And the workaround there was to use PEAP, but not sure if this will be the same for your issue.
CSCvm03681 - EAP-FAST doesn't support correct key generation in TLS 1.2
Can you please generate a PRT log from the 8821 phone after the issue has been reproduced with 11.0(5)SR3 and upload the file here. If you can also provide the corresponding wlan sniffer trace and wlc debug client, that would be most appreciated.
Also let us know if configuring the 8821 phone to PEAP instead of EAP-FAST works or not; assuming the local eap profile has PEAP enabled.
Thanks!
04-23-2020 12:29 PM
FYI, I was able to downgrade a WLC3500 to 8.5.161.0 with an AP3800 connected and I was then able to reproduce the reported local EAP-FAST interop issue using an 8821 phone running 11.0.5SR2.2 fw.
Note that both PEAP-MSCHAPV2 and PEAP-GTC worked fine with the same local eap config (as long as PEAP is enabled in the local eap profile).
I have collected the wlan sniffer trace and 8821 PRT logs and have passed them along to our Cisco 8821 DE team.
For now, please configure the phones to utilize PEAP instead of EAP-FAST as the workaround.
You can change the Security Mode for the Wi-Fi profile either via the local keypad, the admin webpage, the CUCM WLAN Profile feature or the Bulk Deployment Utility.
See the 8821 DG for more info @ https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cuipph/8821/english/Deployment/8821_wlandg.pdf.
04-23-2020 11:14 PM
Thank you.
So if there's a bug ID I can track, that would be wonderful :-)
Yes, PEAP works.
Would it be possible in the future to add TLS 1.2 support for the 2504 controller in further FW releases?
04-24-2020 12:38 AM
@florian.hanig1 wrote:
Would it be possible in the future to add TLS 1.2 support for the 2504 controller in further FW releases?
8.5.164.0 is the last-and-final release for the 2504/5508/WiSM2.
04-24-2020 07:05 AM
Ok glad to hear that PEAP works as expected on your side as well.
Our DE team looked at the traces I collected and see that the 8821 phone is sending a TLS 1.2 ClientHello, but instead of the WLC/AP coming back to negotiate down to TLS 1.0, it sends an immediate failure terminating the 802.1x handshake.
Below is from the TLS 1.2 RFC.
https://tools.ietf.org/html/rfc5246#appendix-E
I doubt that TLS 1.2 support for EAP-FAST will be added for the WLC2500, but I can ask the WNBU team. Pretty sure you will have to upgrade to a newer WLC. But even for the WLC3500, the 8.10 train is the last for it and we will ask customers to start to migrate to the WLC9800, for which they also offer a small version, the C9800-L-C-K9.
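The observation above (phone sends a TLS 1.2 ClientHello, the WLC fails the 802.1X exchange instead of negotiating down) is exactly the backward-compatibility rule in RFC 5246 Appendix E.1: a server that does not support the offered version is supposed to reply with the highest version it does support that is not above the client's, and only send a protocol_version alert when it supports nothing that low. The block below is an added illustration, not code from the thread or from any Cisco product: it builds a constructed minimal ClientHello, parses the record-layer and handshake versions out of it, and applies the Appendix E.1 selection rule so you can see what a compliant WLC would have picked for an 8.5 controller (TLS 1.0 only, as the thread describes it) versus a strict TLS 1.2-only server. The version lists for the "server" are assumptions for the demo, not a statement of what any WLC release actually supports.

```python
import struct

TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_client_hello(client_version, cipher_suites=(0x002F, 0x003C)):
    """Constructed minimal ClientHello (no extensions) inside a TLS handshake record.
    Not a capture from the thread; just enough structure to exercise the parser."""
    major, minor = client_version
    body = bytes([major, minor])                     # client_version
    body += b"\x00" * 32                              # random (zeros for the example)
    body += b"\x00"                                   # session_id length = 0
    cs = b"".join(struct.pack(">H", c) for c in cipher_suites)
    body += struct.pack(">H", len(cs)) + cs           # cipher_suites vector
    body += b"\x01\x00"                               # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    # Record-layer version is commonly {3,1} for compatibility (RFC 5246 E.1);
    # the version the client really offers is the one inside the ClientHello body.
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def parse_client_hello(record):
    """Return the record-layer version and the offered client_version of a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version = (record[1], record[2])
    length = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + length]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    return {"record_version": record_version, "client_version": (body[0], body[1])}


def negotiate_version(client_version, server_versions):
    """RFC 5246 Appendix E.1 server rule: pick the highest supported version that is
    <= client_version; return None (meaning: send alert protocol_version) if none fits."""
    candidates = [v for v in server_versions if v <= client_version]
    return max(candidates) if candidates else None


def describe(client_version, server_versions):
    """Human-readable outcome of the negotiation for the demo below."""
    chosen = negotiate_version(client_version, server_versions)
    return TLS_VERSIONS[chosen] if chosen else "alert: protocol_version"


if __name__ == "__main__":
    # Assumed server capabilities for the demo (not a statement about real WLC releases).
    OLD_WLC = [(3, 1)]                       # TLS 1.0 only, as the thread describes 8.5 + EAP-FAST
    STRICT_RADIUS = [(3, 3)]                 # "strict TLS 1.2" policy
    MODERN = [(3, 1), (3, 2), (3, 3)]
    for fw, ver in (("old 8821 fw", (3, 1)), ("11.0(5) 8821 fw", (3, 3))):
        hello = parse_client_hello(build_client_hello(ver))
        offered = hello["client_version"]
        print(f"{fw} offers {TLS_VERSIONS[offered]}: "
              f"old WLC -> {describe(offered, OLD_WLC)}, "
              f"strict TLS1.2 -> {describe(offered, STRICT_RADIUS)}, "
              f"modern -> {describe(offered, MODERN)}")
```

The second row of the demo is the thread's scenario: a compliant TLS 1.0-only server would answer the TLS 1.2 ClientHello with a TLS 1.0 ServerHello rather than aborting. When you read the WLC debug or a wireless capture, the thing to check is therefore the version field inside the ServerHello (or the absence of any ServerHello at all), not just the record-layer version on the ClientHello.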
04-24-2020 05:43 PM
@migilles wrote:
I can ask the WNBU team.
The WNBU can spin up, at least, an engineering release.