Cisco ISE authentication failed for Win XP SP3

1914aug87
Level 1

Hello,

I have some trouble with this Win XP wired client authentication. With Win7 everything works well.

ISE 1.2 (patch 4)

Switch: 2960 / 2960S (15.0(2)SE2)

Authentication details:

Event:

5400 Authentication failed:

Failure Reason

11514 Unexpectedly received empty TLS message; treating as a rejection by the client

Resolution

Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!

Root cause

While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.

I tried to disable "validate server certificates" on the Win XP clients, but it won't work for me.

Adding the ISE self-signed certificate to the clients' trusted root certification authorities and enabling "validate server certificates" also won't work.

Any idea?

thanks

16 Replies

bcarroll
Level 1

Does the default network access allow PEAP v0? Seems I had to enable that for XP.

Sent from Cisco Technical Support iPad App

Thanks, that's a good point. It wasn't enabled, but it doesn't solve my problem.

Tarik Admani
VIP Alumni

Are you using group policies to hand down the network settings? If so, are you using GPMC 2012?

Thanks


Sent from Cisco Technical Support Android App

We are using Win Server 2008 for the XP clients and Win Server 2008 R2 for the Win 7 clients for GPO rollout.

I have seen issues with the group policy configuration on Windows 2008 R2 as well. Let me know if you can confirm the version; here is a thread that will help.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/aff2db25-f8fd-41d0-8c87-1fd7bd849ebb/validate-server-certificate-group-policy-xp-sp3-cant-uncjeck-option?forum=winserverGP

Thanks,

Tarik Admani
*Please rate helpful posts*

Robert Salazar
Cisco Employee

If this is Windows XP SP3, see if the following hotfix is installed:

http://support.microsoft.com/kb/960655

If it is not installed, install it and restart the XP machine. See if the issue is still present.

@Tarik Admani: We saw the issue described in your link. Because of that we set up a Win 2008 server for the XP clients.

@Robert Salazar: Thanks, I'll check if this hotfix is installed.

Hotfix is installed, but issue is still present.

Clients and ISE are configured to do both user and machine authentication.

Maybe Win XP can only run machine authentication?

Many Thanks

What certificate is in play here?  The XP machine should have a root certificate and be able to trust the ISE certificate.  When I saw the "11514 Unexpectedly received empty TLS message; treating as a rejection by the client" message, it was a certificate issue.  In XP's Protected EAP Properties I would look to make sure that the root certificate that signed the ISE ID certificate is selected.  Have you verified that?


The ISE uses a self-signed certificate. I added this self-signed certificate to the clients' "Trusted Root Certification Authorities", enabled "validate server certificates" in the EAP properties and selected the added certificate from the trust list. But if I uncheck "validate server certificates", I see the same error message as well.

Are there any differences between the XP client config and the Win7 client config?

thanks,

If you use XP there is a process you have to go through to enable machine authentication.  Otherwise you're going to use user authentication.

http://support.microsoft.com/kb/929847

I'm not sure what you're running into with the certificate, but maybe try to set up a Windows CA and enroll ISE with it. It's not that difficult to lab that up.

dal
Level 3

Hi.

Under Administration -> Certificates -> Local Certificates, find your self-signed certificate and click edit.

Under protocols, is EAP: Use certificate for EAP protocols that use SSL/TLS tunneling checked?

- Øystein

1914aug87
Level 1

Yes it's checked.

Sent from Cisco Technical Support iPhone App

I have never tried certificate authentication with a self-signed certificate before.

But in my mind, this is what you need:

- a CA certificate

- a client certificate issued to ISE, typically a web server certificate

- at least a machine certificate for the client.

The certificates for both ISE and the client must be issued from the same CA.

The CA certificate also needs to be installed on both ISE and the client.
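The certificate set listed in the post above, built as a throwaway lab PKI so the two things a supplicant actually checks can be exercised: that the ISE certificate and the client machine certificate both chain to the same CA, and that each carries the EKU for its role. This is an added example, not code from the thread or from Cisco; it assumes the openssl command-line tool is installed, and every name in it (lab-ca.example.test, ise.example.test, xp-client.example.test, the temporary working directory) is made up for the example. The last two checks reproduce the original poster's situation, a self-signed ISE certificate: it fails against the lab CA, and passes only once the self-signed certificate itself is the trust anchor, which is what installing it under Trusted Root Certification Authorities achieves.

```shell
#!/bin/sh
# Added example: lab PKI for the "CA + ISE server cert + client machine cert"
# requirement. All names and paths are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension file for an end-entity certificate; $1 = output path, $2 = EKU name
write_ext() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$2" > "$1"
}

# Issue an end-entity certificate from the lab CA; $1 = file stem, $2 = subject, $3 = EKU
issue_cert() {
  write_ext "$WORK/$1.ext" "$3"
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Build the lab PKI once: a CA, an ISE server certificate and a client machine
# certificate from that CA, plus a stand-alone self-signed ISE certificate like
# the one in the thread, for comparison.
build_lab_pki() {
  [ -f "$WORK/ca.crt" ] && return 0
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj '/CN=lab-ca.example.test' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
  issue_cert ise '/CN=ise.example.test' serverAuth              # "web server" style cert for ISE
  issue_cert xp-client '/CN=xp-client.example.test' clientAuth  # machine cert for the client
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj '/CN=ise.example.test' \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" >/dev/null 2>&1
}

# Returns 0 when certificate $1 chains to the trust anchor(s) in $2, which is
# the trust half of the supplicant's "validate server certificate" check.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 when certificate $1 lists EKU $2, as printed by openssl's text output
# ("TLS Web Server Authentication" or "TLS Web Client Authentication").
has_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# Print PASS/FAIL for one check; $1 = label, remaining args = command to run
report() {
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

build_lab_pki
report "ISE cert chains to lab CA"                 verify_chain "$WORK/ise.crt" "$WORK/ca.crt"
report "client machine cert chains to lab CA"      verify_chain "$WORK/xp-client.crt" "$WORK/ca.crt"
report "ISE cert carries serverAuth EKU"           has_eku "$WORK/ise.crt" 'TLS Web Server Authentication'
report "client cert carries clientAuth EKU"        has_eku "$WORK/xp-client.crt" 'TLS Web Client Authentication'
report "self-signed ISE cert chains to lab CA (expected FAIL)" verify_chain "$WORK/selfsigned.crt" "$WORK/ca.crt"
report "self-signed ISE cert trusted once it is the anchor"    verify_chain "$WORK/selfsigned.crt" "$WORK/selfsigned.crt"
```

Run it as-is to get the six PASS/FAIL lines; set WORK to keep the generated files for inspection with openssl x509 -text. Note that passing these checks only shows the trust relationship is sound; they say nothing about the XP supplicant's own behaviour on the wire, which is what the 11514 text describes.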