Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3532
Views
0
Helpful
2
Replies

EAP-TLS failed SSL/TLS handshake after a client alert

JAMES WEST
Level 1
Level 1

‎06-18-2022 12:30 AM

Hi Everyone, 

 

I hope everyone is keeping well.

 

We are in the process of deploying EAP-TLS in a pilot phase with a mix of Mac OS and Win10 machines in our estate. Currently Win10 machines are working and being authenticated to the Corporate WLAN, but Mac OS machines (not domain joined) try to connect, we are getting 50/50 split of passed/failed authentications, no changes are being made to either ISE or the Mac (managed by JAMF).

 

Passed Auth - Event 5200 Authentication succeeded

Failed Auth - Event 5400 Authentication failed ( Failure Reason 12521 EAP-TLS failed SSL/TLS handshake after a client alert )

 

It looks like the Mac is not accepting the EAP-TLS handshake with ISE and failing with the following result in ISE logs:
12815 Extracted TLS Alert message
12521 EAP-TLS failed SSL/TLS handshake after a client alert
12507 EAP-TLS authentication failed

 

Can you see in ISE what certificate is being sent as part of the EAP-TLS request, or if anyone has managed to get Mac OS machine working using EAP-TLS? I have seen a couple of forum posts mentioning about creating a 2nd SSID for Mac's, but not sure if this then is keep going forward with you then managing 2x SSID's for Win & Mac OS machines.

 

Thanks for your assistance.

 

Regards,

James

3 people had this problem
Preview file
3 KB
0 Helpful
2 Replies 2

marce1000
VIP
VIP

‎06-18-2022 01:25 AM

 

 - Check this thread : https://community.cisco.com/t5/network-access-control/eap-tls-issue/td-p/3545371

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

ivan.martin
Level 1
Level 1

‎06-18-2022 07:23 PM

Hi James

In ISE after the process of sucess AuthorZ you can see the serial number of certificate's template  (when endpoint use TLS together with ISE). In mi experience, Mac work better with PEAP. You can add PEAP+Mac Address Internal (On ISE) to consolidate the access.

Regards, Ivan.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents