Hi, I am testing the Windows 10 native supplicant for EAP-FAST. I have two policies, one for computer auth and another for user. I am presently testing the computer auth; however, it keeps failing.
I am not using certificates for this.
Overview
Event | 5400 Authentication failed |
Username | host/testpc.testdomain.local |
Endpoint Id | 10:7D:1A:43:C9:44 |
Endpoint Profile | |
Authentication Policy | Wired Policy-LMC >> Dot1x |
Authorization Result |
Authentication Details
Source Timestamp | 2019-07-18 14:59:09.076 |
Received Timestamp | 2019-07-18 14:59:09.088 |
Policy Server | ISENODE1 |
Event | 5400 Authentication failed |
Failure Reason | 12154 EAP-FAST failed SSL/TLS handshake after a client alert |
Resolution | Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information. Check on the client side for any time syncp issues or client certificate validity period. |
Root cause | EAP-FAST failed SSL/TLS handshake after a client alert |
Username | host/testpc.testdomain.local |
Endpoint Id | 10:7D:1A:43:C9:44 |
Calling Station Id | 10-7D-1A-43-C9-44 |
IPv4 Address | 192.168.153.167 |
Audit Session Id | C0A8910200000A955CA8C9A8 |
Authentication Method | dot1x |
Authentication Protocol | EAP-FAST |
Service Type | Framed |
Network Device | LAN-SW01 |
Device Type | All Device Types#SWITCHES |
Location | All Locations |
NAS IPv4 Address | 192.168.153.1 |
NAS Port Id | GigabitEthernet7/0/36 |
NAS Port Type | Ethernet |
Response Time | 2 milliseconds |
Other Attributes
ConfigVersionId | 11077 |
Device Port | 1645 |
DestinationPort | 1812 |
RadiusPacketType | AccessRequest |
Protocol | Radius |
NAS-Port | 50736 |
Framed-MTU | 1500 |
State | 37CPMSessionID=C0A8910200000A955CA8C9A8;40SessionID=ISENODE1/347240123/775912; |
NetworkDeviceProfileName | Cisco |
NetworkDeviceProfileId | b0699505-3150-4215-a80e-6753d45bf56c |
IsThirdPartyDeviceFlow | false |
RadiusFlowType | Wired802_1x |
SSID | 00-3C-10-13-67-A4 |
AcsSessionID | ISENODE1/347240123/775912 |
OpenSSLErrorMessage | SSL alert: code=0x214=532 ; source=remote ; type=fatal ; message="bad record mac" |
OpenSSLErrorStack | 140198517315328:error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac:s3_pkt.c:1487:SSL alert number 20 |
CPMSessionID | C0A8910200000A955CA8C9A8 |
EndPointMACAddress | 10-7D-1A-43-C9-44 |
EapChainingResult | No chaining |
ISEPolicySetName | Wired Policy-LMC |
AllowedProtocolMatchedRule | Dot1x |
DTLSSupport | Unknown |
Network Device Profile | Cisco |
Location | Location#All Locations |
Device Type | Device Type#All Device Types#SWITCHES |
IPSEC | IPSEC#Is IPSEC Device#No |
RADIUS Username | host/host/testpc.testdomain.local |
Device IP Address | 192.168.153.1 |
Called-Station-ID | 00:3C:10:13:67:A4 |
CiscoAVPair | service-type=Framed, audit-session-id=C0A8910200000A955CA8C9A8, method=dot1x |
Result
RadiusPacketType | AccessReject |
Steps
11001 | Received RADIUS Access-Request |
11017 | RADIUS created a new session |
15049 | Evaluating Policy Group |
15008 | Evaluating Service Selection Policy |
15048 | Queried PIP - DEVICE.Device Type |
15004 | Matched rule - Dot1x |
11507 | Extracted EAP-Response/Identity |
12500 | Prepared EAP-Request proposing EAP-TLS with challenge |
12625 | Valid EAP-Key-Name attribute received |
11006 | Returned RADIUS Access-Challenge |
11001 | Received RADIUS Access-Request |
11018 | RADIUS is re-using an existing session |
12101 | Extracted EAP-Response/NAK requesting to use EAP-FAST instead |
12100 | Prepared EAP-Request proposing EAP-FAST with challenge |
12625 | Valid EAP-Key-Name attribute received |
11006 | Returned RADIUS Access-Challenge |
11001 | Received RADIUS Access-Request |
11018 | RADIUS is re-using an existing session |
12102 | Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated |
12800 | Extracted first TLS record; TLS handshake started |
12175 | Received Tunnel PAC |
12805 | Extracted TLS ClientHello message |
12806 | Prepared TLS ServerHello message |
12801 | Prepared TLS ChangeCipherSpec message |
12802 | Prepared TLS Finished message |
12105 | Prepared EAP-Request with another EAP-FAST challenge |
11006 | Returned RADIUS Access-Challenge |
11001 | Received RADIUS Access-Request |
11018 | RADIUS is re-using an existing session |
12104 | Extracted EAP-Response containing EAP-FAST challenge-response |
12815 | Extracted TLS Alert message |
12154 | EAP-FAST failed SSL/TLS handshake after a client alert |
11504 | Prepared EAP-Failure |
11003 | Returned RADIUS Access-Reject |