06-08-2017 06:51 AM
Hi
Got 3 geographical sites with 2 PANs for each. ruining 2.2
On one site have someone trying to connect Chromebooks, should be no issue, but keeps failing to connect. If I take the device to another site, it joins straight away. If I put the wrong password in, it knows the password is incorrect.
Event | 5400 Authentication failed |
Failure Reason | 12916 Expected TLS acknowledge for TLS fragment but received another message |
This is the failing site
| 11017 | RADIUS created a new session |
| 15049 | Evaluating Policy Group |
| 15008 | Evaluating Service Selection Policy |
| 15048 | Queried PIP - DEVICE.Device Type |
| 15048 | Queried PIP - Radius.Called-Station-ID |
| 15048 | Queried PIP - Normalised Radius.RadiusFlowType |
| 15004 | Matched rule - Dot1X |
| 11507 | Extracted EAP-Response/Identity |
| 12500 | Prepared EAP-Request proposing EAP-TLS with challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12301 | Extracted EAP-Response/NAK requesting to use PEAP instead |
| 12300 | Prepared EAP-Request proposing PEAP with challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12302 | Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated |
| 12319 | Successfully negotiated PEAP version 1 |
| 12800 | Extracted first TLS record; TLS handshake started |
| 12805 | Extracted TLS ClientHello message |
| 12806 | Prepared TLS ServerHello message |
| 12807 | Prepared TLS Certificate message |
| 12808 | Prepared TLS ServerKeyExchange message |
| 12810 | Prepared TLS ServerDone message |
| 12811 | Extracted TLS Certificate message containing client certificate |
| 12305 | Prepared EAP-Request with another PEAP challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12304 | Extracted EAP-Response containing PEAP challenge-response |
| 12305 | Prepared EAP-Request with another PEAP challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12304 | Extracted EAP-Response containing PEAP challenge-response |
| 12305 | Prepared EAP-Request with another PEAP challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request ( Step latency=30122 ms) |
| 11018 | RADIUS is re-using an existing session |
| 12304 | Extracted EAP-Response containing PEAP challenge-response |
| 12916 | Expected TLS acknowledge for TLS fragment but received another message |
| 11500 | Invalid or unexpected EAP payload received |
| 11504 | Prepared EAP-Failure |
| 11003 | Returned RADIUS Access-Reject |
cheers
Solved! Go to Solution.
06-08-2017 06:56 AM
Are they trusting the PSN certificates? As it seems you have 2 separate deployments? There would be different certs at each site
I would suggest debug issues through TAC.
06-08-2017 06:56 AM
Are they trusting the PSN certificates? As it seems you have 2 separate deployments? There would be different certs at each site
I would suggest debug issues through TAC.
06-08-2017 07:20 AM
yes , PSN trusting certificates. here is the working one, all 3 sites are built the same
| 11017 | RADIUS created a new session |
| 15049 | Evaluating Policy Group |
| 15008 | Evaluating Service Selection Policy |
| 15048 | Queried PIP - DEVICE.Device Type |
| 15048 | Queried PIP - Radius.Called-Station-ID |
| 15048 | Queried PIP - Normalised Radius.RadiusFlowType |
| 15004 | Matched rule - Dot1X |
| 11507 | Extracted EAP-Response/Identity |
| 12500 | Prepared EAP-Request proposing EAP-TLS with challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12301 | Extracted EAP-Response/NAK requesting to use PEAP instead |
| 12300 | Prepared EAP-Request proposing PEAP with challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12302 | Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated |
| 12319 | Successfully negotiated PEAP version 1 |
| 12800 | Extracted first TLS record; TLS handshake started |
| 12805 | Extracted TLS ClientHello message |
| 12806 | Prepared TLS ServerHello message |
| 12807 | Prepared TLS Certificate message |
| 12808 | Prepared TLS ServerKeyExchange message |
| 12810 | Prepared TLS ServerDone message |
| 12811 | Extracted TLS Certificate message containing client certificate |
| 12305 | Prepared EAP-Request with another PEAP challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12304 | Extracted EAP-Response containing PEAP challenge-response |
| 12305 | Prepared EAP-Request with another PEAP challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12304 | Extracted EAP-Response containing PEAP challenge-response |
| 12305 | Prepared EAP-Request with another PEAP challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12304 | Extracted EAP-Response containing PEAP challenge-response |
| 12305 | Prepared EAP-Request with another PEAP challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12304 | Extracted EAP-Response containing PEAP challenge-response |
| 12319 | Successfully negotiated PEAP version 1 |
| 12812 | Extracted TLS ClientKeyExchange message |
| 12813 | Extracted TLS CertificateVerify message |
| 12804 | Extracted TLS Finished message |
| 12801 | Prepared TLS ChangeCipherSpec message |
| 12802 | Prepared TLS Finished message |
| 12816 | TLS handshake succeeded |
| 12310 | PEAP full handshake finished successfully |
| 12305 | Prepared EAP-Request with another PEAP challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12304 | Extracted EAP-Response containing PEAP challenge-response |
| 12313 | PEAP inner method started |
| 11521 | Prepared EAP-Request/Identity for inner EAP method |
| 12305 | Prepared EAP-Request with another PEAP challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12304 | Extracted EAP-Response containing PEAP challenge-response |
| 11522 | Extracted EAP-Response/Identity for inner EAP method |
| 11806 | Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge |
| 12305 | Prepared EAP-Request with another PEAP challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12304 | Extracted EAP-Response containing PEAP challenge-response |
06-08-2017 07:26 AM
The clients also need to trust the PSN cert, please continue with TAC debug
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide