Hi, I am testing the Windows 10 native supplicant for EAP-FAST. I have two policies, one for computer auth and another for user. I am presently testing the computer auth; however, it keeps failing.
I am not using certificates for this.
Overview
| Event | 5400 Authentication failed |
| Username | host/testpc.testdomain.local |
| Endpoint Id | 10:7D:1A:43:C9:44 |
| Endpoint Profile | |
| Authentication Policy | Wired Policy-LMC >> Dot1x |
| Authorization Result | |
Authentication Details
| Source Timestamp | 2019-07-18 14:59:09.076 |
| Received Timestamp | 2019-07-18 14:59:09.088 |
| Policy Server | ISENODE1 |
| Event | 5400 Authentication failed |
| Failure Reason | 12154 EAP-FAST failed SSL/TLS handshake after a client alert |
| Resolution | Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information. Check on the client side for any time syncp issues or client certificate validity period. |
| Root cause | EAP-FAST failed SSL/TLS handshake after a client alert |
| Username | host/testpc.testdomain.local |
| Endpoint Id | 10:7D:1A:43:C9:44 |
| Calling Station Id | 10-7D-1A-43-C9-44 |
| IPv4 Address | 192.168.153.167 |
| Audit Session Id | C0A8910200000A955CA8C9A8 |
| Authentication Method | dot1x |
| Authentication Protocol | EAP-FAST |
| Service Type | Framed |
| Network Device | LAN-SW01 |
| Device Type | All Device Types#SWITCHES |
| Location | All Locations |
| NAS IPv4 Address | 192.168.153.1 |
| NAS Port Id | GigabitEthernet7/0/36 |
| NAS Port Type | Ethernet |
| Response Time | 2 milliseconds |
Other Attributes
| ConfigVersionId | 11077 |
| Device Port | 1645 |
| DestinationPort | 1812 |
| RadiusPacketType | AccessRequest |
| Protocol | Radius |
| NAS-Port | 50736 |
| Framed-MTU | 1500 |
| State | 37CPMSessionID=C0A8910200000A955CA8C9A8;40SessionID=ISENODE1/347240123/775912; |
| NetworkDeviceProfileName | Cisco |
| NetworkDeviceProfileId | b0699505-3150-4215-a80e-6753d45bf56c |
| IsThirdPartyDeviceFlow | false |
| RadiusFlowType | Wired802_1x |
| SSID | 00-3C-10-13-67-A4 |
| AcsSessionID | ISENODE1/347240123/775912 |
| OpenSSLErrorMessage | SSL alert: code=0x214=532 ; source=remote ; type=fatal ; message="bad record mac" |
| OpenSSLErrorStack | 140198517315328:error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac:s3_pkt.c:1487:SSL alert number 20 |
| CPMSessionID | C0A8910200000A955CA8C9A8 |
| EndPointMACAddress | 10-7D-1A-43-C9-44 |
| EapChainingResult | No chaining |
| ISEPolicySetName | Wired Policy-LMC |
| AllowedProtocolMatchedRule | Dot1x |
| DTLSSupport | Unknown |
| Network Device Profile | Cisco |
| Location | Location#All Locations |
| Device Type | Device Type#All Device Types#SWITCHES |
| IPSEC | IPSEC#Is IPSEC Device#No |
| RADIUS Username | host/host/testpc.testdomain.local |
| Device IP Address | 192.168.153.1 |
| Called-Station-ID | 00:3C:10:13:67:A4 |
| CiscoAVPair | service-type=Framed, audit-session-id=C0A8910200000A955CA8C9A8, method=dot1x |
Result
| RadiusPacketType | AccessReject |
Steps
| 11001 | Received RADIUS Access-Request |
| 11017 | RADIUS created a new session |
| 15049 | Evaluating Policy Group |
| 15008 | Evaluating Service Selection Policy |
| 15048 | Queried PIP - DEVICE.Device Type |
| 15004 | Matched rule - Dot1x |
| 11507 | Extracted EAP-Response/Identity |
| 12500 | Prepared EAP-Request proposing EAP-TLS with challenge |
| 12625 | Valid EAP-Key-Name attribute received |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12101 | Extracted EAP-Response/NAK requesting to use EAP-FAST instead |
| 12100 | Prepared EAP-Request proposing EAP-FAST with challenge |
| 12625 | Valid EAP-Key-Name attribute received |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12102 | Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated |
| 12800 | Extracted first TLS record; TLS handshake started |
| 12175 | Received Tunnel PAC |
| 12805 | Extracted TLS ClientHello message |
| 12806 | Prepared TLS ServerHello message |
| 12801 | Prepared TLS ChangeCipherSpec message |
| 12802 | Prepared TLS Finished message |
| 12105 | Prepared EAP-Request with another EAP-FAST challenge |
| 11006 | Returned RADIUS Access-Challenge |
| 11001 | Received RADIUS Access-Request |
| 11018 | RADIUS is re-using an existing session |
| 12104 | Extracted EAP-Response containing EAP-FAST challenge-response |
| 12815 | Extracted TLS Alert message |
| 12154 | EAP-FAST failed SSL/TLS handshake after a client alert |
| 11504 | Prepared EAP-Failure |
| 11003 | Returned RADIUS Access-Reject |