03-27-2017 11:47 AM
I am having an issue getting a Mac to authenticate to ISE.
I see it connecting, but with the following error.
12521 EAP-TLS failed SSL/TLS handshake after a client alert
Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.
I have the root and sub-CAs installed on the Mac and on ISE.
OpenSSLErrorMessage | SSL alert: code=0x100=256 ; source=remote ; type=warning ; message="close notify" |
I'm not very familiar with Macs; does anyone know where/how to see errors on them, as it seems to be closing the connection?
03-27-2017 11:45 PM
The diagnostic of a Mac is described in this article. https://support.apple.com/en-gb/HT202663
But if you have a trust issue, the Mac will normally prompt you to decide whether you want to trust the EAP certificate. Does the Mac maybe have a wrong setting for the authentication of the SSID?
03-28-2017 07:47 AM
This is actually a wired Mac.
We use 802.1X with PCs and this all works fine. For a Mac, they made a user cert to use on them and it uses EAP-TLS. The PCs use EAP-PEAP.
It seems like the client is not responding to the RADIUS Access-Challenge.
12500 | Prepared EAP-Request proposing EAP-TLS with challenge |
12625 | Valid EAP-Key-Name attribute received |
11006 | Returned RADIUS Access-Challenge |
11001 | Received RADIUS Access-Request |
11018 | RADIUS is re-using an existing session |
12502 | Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated |
12800 | Extracted first TLS record; TLS handshake started |
12805 | Extracted TLS ClientHello message |
12806 | Prepared TLS ServerHello message |
12807 | Prepared TLS Certificate message |
12808 | Prepared TLS ServerKeyExchange message |
12809 | Prepared TLS CertificateRequest message |
12505 | Prepared EAP-Request with another EAP-TLS challenge |
11006 | Returned RADIUS Access-Challenge |
11001 | Received RADIUS Access-Request |
11018 | RADIUS is re-using an existing session |
12504 | Extracted EAP-Response containing EAP-TLS challenge-response |
12505 | Prepared EAP-Request with another EAP-TLS challenge |
11006 | Returned RADIUS Access-Challenge |
11001 | Received RADIUS Access-Request |
11018 | RADIUS is re-using an existing session |
12504 | Extracted EAP-Response containing EAP-TLS challenge-response |
12505 | Prepared EAP-Request with another EAP-TLS challenge |
11006 | Returned RADIUS Access-Challenge |
11001 | Received RADIUS Access-Request |
11018 | RADIUS is re-using an existing session |
12504 | Extracted EAP-Response containing EAP-TLS challenge-response |
12505 | Prepared EAP-Request with another EAP-TLS challenge |
11006 | Returned RADIUS Access-Challenge |
11001 | Received RADIUS Access-Request |
11018 | RADIUS is re-using an existing session |
12504 | Extracted EAP-Response containing EAP-TLS challenge-response |
12505 | Prepared EAP-Request with another EAP-TLS challenge |
11006 | Returned RADIUS Access-Challenge |
11001 | Received RADIUS Access-Request |
11018 | RADIUS is re-using an existing session |
12504 | Extracted EAP-Response containing EAP-TLS challenge-response |
12815 | Extracted TLS Alert message |
12521 | EAP-TLS failed SSL/TLS handshake after a client alert |
12507 | EAP-TLS authentication failed |
11504 | Prepared EAP-Failure |
11003 | Returned RADIUS Access-Reject |
5434 | Endpoint conducted several failed authentications of the same scenario |
03-28-2017 07:55 AM
Was this setting deployed with an MDM or any other tool to the Mac?
03-28-2017 08:07 AM
I think they use JAMF to push settings. One thing I'm looking at is the keychain. The cert uses our old CAs, and ISE uses the new CAs. I've added the new CAs to the Mac, but noticed it says they are trusted for the user, not for all users. I'm wondering if it's not trusting ISE and ignoring the conversation. Issue is I'm not sure how to get the cert trusted for all users.
03-28-2017 08:15 AM
The trust can be set with the configuration profile which deploys the EAP settings to the client.
If you're using a public cert on the ISE you can just publish the subject name of the EAP certificate from ISE.
If you're using a private cert there are options in an MDM/EMM for macOS to import trusted certificates and set them as trusted for the EAP authentications.
Described in http://training.apple.com/pdf/WP_8021X_Authentication.pdf page 21
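As an added example (not from this thread, and not Apple's or Cisco's own file), a configuration profile of the kind the post describes: it carries the new ISE root CA as a system-scope trust anchor and binds the wired EAP-TLS payload to that anchor and to the ISE certificate's subject name, so the supplicant trusts the RADIUS server certificate for all users rather than only the user whose login keychain received it. The payload types and keys are Apple's documented ones; the identifiers, UUIDs, server name and the PLACEHOLDER values are assumptions to be replaced.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadIdentifier</key><string>com.example.wired-eaptls</string>
  <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
  <key>PayloadDisplayName</key><string>Wired 802.1X EAP-TLS (example, assumed values)</string>
  <key>PayloadContent</key>
  <array>
    <!-- Payload 1: the new ISE root CA as a trust anchor. Because the profile is
         system-scoped, the CA lands in the System keychain (all users), not the
         per-user login keychain the original poster saw. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.wired-eaptls.rootca</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <key>PayloadDisplayName</key><string>ISE Root CA (example)</string>
      <!-- PLACEHOLDER: replace with the base64 DER of the root CA that signed the ISE EAP cert -->
      <key>PayloadContent</key><data>PLACEHOLDER_BASE64_DER_ROOT_CA</data>
    </dict>
    <!-- Payload 2: 802.1X on the first active Ethernet interface, EAP-TLS only (EAP type 13) -->
    <dict>
      <key>PayloadType</key><string>com.apple.firstactiveethernet.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.wired-eaptls.ethernet</string>
      <key>PayloadUUID</key><string>33333333-3333-3333-3333-333333333333</string>
      <key>PayloadDisplayName</key><string>Wired 802.1X (example)</string>
      <!-- System mode: the machine authenticates before any user logs in -->
      <key>SetupModes</key><array><string>System</string></array>
      <!-- PLACEHOLDER: UUID of a separate PKCS#12 identity payload carrying the client cert -->
      <key>PayloadCertificateUUID</key><string>PLACEHOLDER_IDENTITY_PAYLOAD_UUID</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>13</integer></array>
        <!-- Anchor the server cert check to payload 1; no interactive trust prompt or exception -->
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>22222222-2222-2222-2222-222222222222</string></array>
        <key>TLSTrustedServerNames</key>
        <array><string>ise-psn.example.com</string></array>
        <key>TLSAllowTrustExceptions</key><false/>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

TLSTrustedServerNames must match the subject name of the EAP certificate served by the ISE node; if the chain is not anchored to payload 1 or the name does not match, the supplicant aborts the handshake and ISE logs exactly the client-alert failure shown in the thread.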
03-28-2017 10:11 AM
Thanks, I'll look into that.
01-11-2022 08:15 AM
I had the same issue and this resolved. Thanks for this guys!
03-20-2023 10:50 AM
Looks like the article is not available anymore.
03-28-2017 10:36 AM
Does ISE trust the old CAs as well?
03-28-2017 12:51 PM
I did add the old CAs into ISE, so it should be OK there.
04-20-2017 09:14 AM
12521 | EAP-TLS failed SSL/TLS handshake after a client alert |
would probably be better sorted out by looking at the client side.
Previously, macOS 10.6 to 10.8 could use the following. It might also work for later macOS releases.
To turn on verbose logging:
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int 255
==> Setting it to 255 seems to be the most verbose; 1 already logs some info.
Log file: /var/log/eapolclient.enN.log
Also watch /var/log/system.log and /var/log/wifi.log
To turn off verbose logging:
sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int 0
AFP548 – Covering Apple IT – 802.1x EAP-TLS Machine Authentication in Mt. Lion with AD Certificates shows an example of the error logging:
... eapolclient was logging the following error:
eaptls_handshake: SSLHandshake failed, errSSLPeerAccessDenied
...