Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1369
Views
5
Helpful
4
Replies

ACS EAP-TLS

Reyad Safi
Level 1
Level 1

‎04-20-2014 05:09 PM - edited ‎03-10-2019 09:39 PM

Hello Experts...

i have a problem when using ACS 5.1 with AP1141 through EAP-TLS authentication method.

when i try to connect my laptop , it's authenticated sucessfully , but when i try to authenticate third party Black Box using EAP-TLS , i have an authentication failure ( 12511 Unexpectedly received TLS alert message; treating as a rejection by the client ).

when i check the debug report at the ACS , i found that the authentication method when i use my laptop is x509_PKI  , and it's successfully , but when i use the 3rd party devise , the authentication method in the radius log report is EAP-TLS , and it's failed.

 

so is there any different between the x509_PKI  and EAP-TLS , if yes , how could i check EAP-TLS.

 

reyad

 

Labels:
0 Helpful
4 Replies 4

Saurav Lodh
Level 7
Level 7

‎04-20-2014 08:33 PM

fyi, EAP TLS involves exchange of certificate between client and server, where the certificate issued to client is in x.509 format , issued by CA ( part of PKI ). The below could be reason of above mentioned error

The supplicant or client machine is not accepting the certificate from Cisco ISE.The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.

Reyad Safi
Level 1
Level 1
In response to Saurav Lodh

‎04-21-2014 04:12 PM

thank you Saldoh

i install wireshark to get the authentications logs , and i compare this log with working ACS....

the only difference is EAP-TLS Flag: 0x00 ,

0... ... = length include false , while its true at the working one.

any recommendation

 

Reyad

 

 

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎04-21-2014 08:29 PM

As you have stated that you authentication with 3rd party device is failing it may be due to certificate issue.EAP-TLS use certificates for both user and server authentication

check EAP-TLS Deployment Guide for Wireless LAN Networks

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml#wp39021

0 Helpful

Reyad Safi
Level 1
Level 1
In response to Venkatesh Attuluri

‎04-30-2014 03:44 AM

hello,,,

i do confirm that , the 3rd Party already trust the AAA CA , and the AAA trust the 3rd Party CA.

when i use Cisco 4.1 Radius , the client is connected without any problem.

to clarify the status , this client accept only eap-tls authentication method ,so the only changes which i did on the 4.1 radius , is go to system configuration , global authentication setup , and enable the eap-tls only...and change the AP EAP request timeout to 0

and this what i did also in ACS5.1

any suggestions

 

reyad

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents