
[Cisco ACS 5.2] Windows XP - EAP-TLS error

Patrick Tran
Level 1

Hi,

We used RADIATOR with Cisco WLC and Cisco AP in our WiFi architecture.

We just replaced RADIATOR with Cisco ACS 5.2.

A few computers with Windows XP SP3 have this error: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client

Description:

While trying to negotiate a TLS handshake with the client, ACS expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ACS and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ACS server certificate for some reason. ACS treated the unexpected message as a sign that the client rejected the tunnel establishment.

Resolution Steps:

Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ACS server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ACS server certificate. It is strongly recommended to not disable the server certificate validation on the client!

Most of the computers (hundreds of Windows XP and Windows 7) got no problem.

ACS says "it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message".

If it were a known issue, we would have this error on other computers, but we don't (fortunately).

Wireless profile is sent to computers using GPO so they trust ACS server certificate...

Do you know how to correct this issue on the XP supplicant? I don't find this issue on Google.

Thanks for your help,

Patrick


Tarik Admani
VIP Alumni

Do you have any patches installed on your ACS?

Thanks

Tarik Admani

Hi Tarik,

Patch 10 is installed on ACS 5.2.

Thanks for your help,

Patrick

Patrick,

One way to troubleshoot is to physically have one of the laptops and see if unchecking the box that validates the server certificate fixes the issue. I have seen the same issue as you are seeing before and I would like for you to verify that.

If that doesn't fix the issue then we will have to proceed to taking a wireshark of the client and running a few debugs on the ACS.

Thanks,

Tarik Admani

Hi Tarik,

Thanks for your answer.

I can't physically have one of the laptops.

I will try to contact one of the owners but I think they can't uncheck "validate server certificate" because the WiFi profile is sent by GPO.

If I succeed in changing this option, I will contact you again.

Thanks again,

Patrick
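
Added example, not part of the thread and not Cisco or Microsoft code: once a client capture like the one mentioned above exists, a sketch such as this can separate the empty EAP-TLS responses that are normal (fragment ACKs, the final ACK) from the empty reply where a TLS message or alert was expected, which is what the 11514 description refers to. It assumes the EAP payloads (RFC 5216 layout) have already been extracted from the capture and that session tickets are not in use; the function names and sample bytes are constructed for illustration.

```python
import struct

EAP_TYPE_TLS = 13                            # EAP-TLS (RFC 5216)
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20    # length included, more fragments, start
CCS, ALERT = 20, 21                          # TLS record content types
CERT_ALERTS = {42: "bad_certificate", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

def tls_data(packet: bytes):
    """Return (flags, TLS data) of one EAP-TLS packet, starting at the EAP Code byte."""
    if len(packet) < 6:
        raise ValueError("too short for EAP header, type and flags")
    _code, _ident, length, eap_type, flags = struct.unpack("!BBHBB", packet[:6])
    if eap_type != EAP_TYPE_TLS or not 6 <= length <= len(packet):
        raise ValueError("not a well-formed EAP-TLS packet")
    body = packet[6:length]
    return flags, (body[4:] if flags & FLAG_L else body)  # skip 4-byte TLS Message Length

def classify_exchange(packets):
    """packets: [("server" | "client", bytes), ...] in capture order.
    Returns one label per client response."""
    labels, server_msg, more = [], b"", False
    for sender, pkt in packets:
        flags, data = tls_data(pkt)
        if sender == "server":
            server_msg = (server_msg if more else b"") + data  # reassemble fragments
            more = bool(flags & FLAG_M)
        elif len(data) >= 7 and data[0] == ALERT:              # plaintext alert record
            labels.append("alert:" + CERT_ALERTS.get(data[6], str(data[6])))
        elif data:
            labels.append("tls-data")
        elif more:
            labels.append("fragment-ack")        # normal: server has more to send
        elif server_msg[:1] == bytes([CCS]):
            labels.append("final-ack")           # normal: server flight began with CCS
        else:
            labels.append("empty-tls-message")   # matches the 11514 description

    return labels

def eap(code, flags, data=b""):
    """Build a constructed EAP-TLS packet (Code 1 = Request, 2 = Response)."""
    return struct.pack("!BBHBB", code, 1, 6 + len(data), EAP_TYPE_TLS, flags) + data

# Constructed sample: the TLS bytes are stubs, not a real handshake.
SAMPLE = [("server", eap(1, FLAG_S)),
          ("client", eap(2, 0, b"\x16\x03\x01\x00\x02\x01\x00")),
          ("server", eap(1, FLAG_L | FLAG_M, struct.pack("!I", 8) + b"\x16\x03\x01\x00")),
          ("client", eap(2, 0)),
          ("server", eap(1, 0, b"\x03\x0e\x00\x00")),
          ("client", eap(2, 0))]
print(classify_exchange(SAMPLE))
```

An `alert:unknown_ca` or similar label on an affected laptop would point at certificate trust on that client, while `empty-tls-message` alone does not say why the supplicant gave up.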
