Chromebook EAP-PEAP, Possible latency

craiglebutt
Level 4

Hi

Got 3 geographical sites with 2 PANs for each. Running 2.2

On one site have someone trying to connect Chromebooks, should be no issue, but keeps failing to connect.  If I take the device to another site, it joins straight away.  If I put the wrong password in, it knows the password is incorrect.

Event: 5400 Authentication failed
Failure Reason: 12916 Expected TLS acknowledge for TLS fragment but received another message

This is the failing site

11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - Radius.Called-Station-ID
15048 Queried PIP - Normalised Radius.RadiusFlowType
15004 Matched rule - Dot1X
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12319 Successfully negotiated PEAP version 1
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12811 Extracted TLS Certificate message containing client certificate
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request ( Step latency=30122 ms)
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12916 Expected TLS acknowledge for TLS fragment but received another message
11500 Invalid or unexpected EAP payload received
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

cheers

1 Accepted Solution


Jason Kunst
Cisco Employee

Are they trusting the PSN certificates? As it seems you have 2 separate deployments? There would be different certs at each site.

I would suggest debugging issues through TAC.


Yes, PSN trusting certificates. Here is the working one; all 3 sites are built the same.

11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - Radius.Called-Station-ID
15048 Queried PIP - Normalised Radius.RadiusFlowType
15004 Matched rule - Dot1X
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12319 Successfully negotiated PEAP version 1
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12811 Extracted TLS Certificate message containing client certificate
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12319 Successfully negotiated PEAP version 1
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response

The clients also need to trust the PSN cert; please continue with TAC debug.
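One way to compare the two step traces posted in this thread, added here as an example and not part of any participant's post: it parses `ID description` lines, flags steps carrying a `Step latency` annotation at or above a threshold, and reports the first step where the failing trace departs from the working one. The function names, the 5000 ms threshold and the trimmed excerpts (the last PEAP round of each trace) are assumptions of this example.

```python
import re

# Excerpts from the two traces in this thread (last PEAP round only), one step per line.
FAILING = """\
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request ( Step latency=30122 ms)
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12916 Expected TLS acknowledge for TLS fragment but received another message
11500 Invalid or unexpected EAP payload received
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
"""
WORKING = """\
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
"""

# Five-digit step ID, description, optional "( Step latency=N ms)" suffix.
STEP = re.compile(r"^(\d{5})\s+(.*?)(?:\s*\(\s*Step latency=(\d+)\s*ms\s*\))?$")

def parse_steps(text):
    """Return (step_id, description, latency_ms) tuples; latency is 0 when not annotated."""
    steps = []
    for line in text.splitlines():
        m = STEP.match(line.strip())
        if m:
            steps.append((int(m.group(1)), m.group(2), int(m.group(3) or 0)))
    return steps

def slow_steps(steps, threshold_ms=5000):
    """Steps whose annotated latency meets the (assumed) threshold, with their index."""
    return [(i, s) for i, s in enumerate(steps) if s[2] >= threshold_ms]

def first_divergence(failing, working):
    """Index and step pair where the two traces first carry different step IDs."""
    for i, (f, w) in enumerate(zip(failing, working)):
        if f[0] != w[0]:
            return i, f, w
    return None

if __name__ == "__main__":
    bad, good = parse_steps(FAILING), parse_steps(WORKING)
    for i, (sid, desc, ms) in slow_steps(bad):
        print(f"step {i}: {sid} {desc} latency {ms} ms")
    print("diverges at", first_divergence(bad, good))
```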