cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6596
Views
0
Helpful
16
Replies

Cisco ISE authentication failed for Win XP SP3

1914aug87
Level 1
Level 1

Hello,

I have some trouble this Win XP wired Client authentication. With Win7 everything works well.

ISE 1.2 (patch 4)

Switch: 2960 / 2960S (15.0.(2)SE2)

Authentication details:

Event:

5400 Authentication failed:

Failure Reason

11514 Unexpectedly received empty TLS message; treating as a rejection by the client

Resolution

Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!

Root cause While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.

I try to disable validate server certificates on Win XP Clients, but it won´t work for me.

Add ISE self-sign certificate to clients trusted root certification authorities and enable validate server certificates also won´t work.

Any idea?

thanks

16 Replies 16

Maybe that wasn´t clear at all. Client wired authentication is done with peap. So I dont need a client maschine certificate. The Client only needs a ISE certificate (the self-signed in my case) because validate server certificates is checked.

blenka
Level 3
Level 3

Are you able to get your hands on a different machine to test? I think the russian settings is what is causing the confusion with me in order to understand the supplicant settings. I do not have my hands on an XP client but see if you can use both machine or user authentication and see if that changes your luck?