EAP_TLS issue.

I am having an issue with getting a Mac to authenticate into ISE.

I see it connecting, but with the following error.

12521 EAP-TLS failed SSL/TLS handshake after a client alert

Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.

I have the root and subca's installed on the mac, and ISE.

OpenSSLErrorMessage: SSL alert: code=0x100=256 ; source=remote ; type=warning ; message="close notify"

I'm not very familiar with a Mac. Does anyone know where/how to see errors on them, as it seems to be closing the connection?

Accepted Solution

The trust can be set with the configuration profile which deploys the EAP settings to the client.

If you're using a public cert on the ISE you can just publish the subject name of the EAP certificate from ISE.

If you're using a private cert there are options in an MDM/EMM for macOS to import trusted certificates and set them as trusted for the EAP authentications.

Described in http://training.apple.com/pdf/WP_8021X_Authentication.pdf page 21

11 Replies

Oliver Laue (Level 4)

The diagnostics of a Mac are described in this article: https://support.apple.com/en-gb/HT202663

But if you had a trust issue, the Mac would normally prompt you to decide whether you want to trust the EAP certificate. Does the Mac maybe have a wrong setting for the authentication of the SSID?

This is actually a wired Mac.

We use 802.1x with PCs and this all works fine. For a Mac, they made a user cert to use on them and it uses EAP-TLS. The PCs use EAP-PEAP.

It seems like the client is not responding to the RADIUS Access-Challenge.

12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12815 Extracted TLS Alert message
12521 EAP-TLS failed SSL/TLS handshake after a client alert
12507 EAP-TLS authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
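
The step sequence above is the server-side view of the failure, and the OpenSSLErrorMessage quoted in the opening post is ISE's decoding of the alert that ended it. What follows is an added example, not ISE code and not anything posted by the participants in this thread: it parses the step lines as pasted (the forum rendering fuses the step code to the message, which the parser tolerates), records how far the TLS handshake got using only the step codes quoted in this thread, and decodes the OpenSSL alert string. The sample log is a constructed, shortened copy of the sequence above, and the verdict wording is this example's own.

```python
"""Triage an ISE EAP-TLS failure from the numbered step log and the
OpenSSLErrorMessage string.  Added example; the step codes are the ones
quoted in this thread, the sample log is a constructed, shortened copy of
that sequence, and the verdict text is this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TLS handshake milestones ISE reports, in the order they appear in the thread
HANDSHAKE_MILESTONES = {
    "12800": "first TLS record",
    "12805": "ClientHello received",
    "12806": "ServerHello sent",
    "12807": "server Certificate sent",
    "12808": "ServerKeyExchange sent",
    "12809": "CertificateRequest sent",
}
ALERT_STEP = "12815"      # Extracted TLS Alert message
FRAGMENT_STEP = "12505"   # another EAP-TLS challenge (server TLS records are fragmented over EAP)
REJECT_STEP = "11003"     # Returned RADIUS Access-Reject

# Accepts both "12521 EAP-TLS ..." and the fused "12521EAP-TLS ..." seen in the thread
STEP_RE = re.compile(r"^\s*(\d{4,5})\s*(.*?)\s*$")

# Constructed sample: shortened version of the step log pasted in this thread
SAMPLE_STEPS = """\
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12809 Prepared TLS CertificateRequest message
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12815 Extracted TLS Alert message
12521 EAP-TLS failed SSL/TLS handshake after a client alert
12507 EAP-TLS authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
"""
# Constructed sample: the OpenSSLErrorMessage value from the opening post
SAMPLE_ALERT = 'SSL alert: code=0x100=256 ; source=remote ; type=warning ; message="close notify"'


def parse_steps(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) pairs for every step line; other lines are skipped."""
    matches = (STEP_RE.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


@dataclass
class Triage:
    last_milestone: Optional[str]  # furthest handshake step ISE reached
    client_alert: bool             # the supplicant sent a TLS alert
    rejected: bool                 # session ended in Access-Reject
    challenge_rounds: int          # number of 12505 "another EAP-TLS challenge" packets
    verdict: str


def triage(steps: List[Tuple[str, str]]) -> Triage:
    """Locate where in the handshake the session died and say what to check."""
    codes = [code for code, _ in steps]
    last = None
    for code in codes:
        if code in HANDSHAKE_MILESTONES:
            last = code
    alert = ALERT_STEP in codes
    rejected = REJECT_STEP in codes
    rounds = codes.count(FRAGMENT_STEP)
    if last == "12809" and alert:
        # ISE sent its certificate chain and asked for a client certificate;
        # the client answered with an alert instead of a Certificate message
        verdict = ("client aborted after receiving the server certificate chain and "
                   "CertificateRequest: check that the client trusts the ISE EAP "
                   "certificate chain (for all users, not just one) and has a usable "
                   "client certificate and key")
    elif last is None:
        verdict = "TLS handshake never started: EAP method negotiation problem"
    elif alert:
        verdict = f"client alert right after '{HANDSHAKE_MILESTONES[last]}'"
    elif rejected:
        verdict = "rejected without a client alert: look at the other ISE step codes"
    else:
        verdict = "no failure indication in these steps"
    return Triage(last, alert, rejected, rounds, verdict)


ALERT_RE = re.compile(
    r'code=0x([0-9A-Fa-f]+)=\d+\s*;\s*source=(\w+)\s*;\s*type=(\w+)\s*;\s*message="([^"]*)"')


def parse_openssl_alert(text: str) -> Optional[dict]:
    """Decode ISE's OpenSSLErrorMessage.  OpenSSL packs a TLS alert as
    (level << 8) | description, so 0x100 is level 1 (warning) with description 0
    (close_notify); source=remote means the peer, i.e. the supplicant, sent it."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    code = int(m.group(1), 16)
    return {
        "level": code >> 8,          # 1 = warning, 2 = fatal
        "description": code & 0xFF,  # 0 = close_notify
        "source": m.group(2),
        "type": m.group(3),
        "message": m.group(4),
    }


if __name__ == "__main__":
    print(triage(parse_steps(SAMPLE_STEPS)))
    print(parse_openssl_alert(SAMPLE_ALERT))
```

Run against the thread's log, the triage stops at 12809 with a client alert, which is exactly the case where the supplicant has seen the ISE certificate chain and declined to continue: the client's trust store for that chain (user keychain versus all users) is the first thing to check, as the accepted solution says. A close_notify warning alert is simply the client closing the session, so the real reason has to come from the client-side log.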

Was this setting deployed with an MDM or any other tool to the Mac?

I think they use JAMF to push settings. One thing I'm looking at is the keychain. The cert uses our old CAs, and ISE uses the new CAs. I've added the new CAs to the Mac, but noticed it says they are trusted for the user, not for all users. I'm wondering if it's not trusting ISE and ignoring the conversation. The issue is I'm not sure how to get the cert trusted for all users.

Thanks, I'll look into that.

I had the same issue and this resolved. Thanks for this guys!

Looks like the article is not available anymore.

Does ISE trust the old CAs as well?

I did add the old CAs into ISE, so it should be OK there.

hslai (Cisco Employee)

12521 EAP-TLS failed SSL/TLS handshake after a client alert

would probably be better sorted by looking at the client side.

Previously, macOS 10.6 to 10.8 could use the following. It might also work for later macOS releases.

To turn on verbose logging:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int 255

==> Setting it to 255 seems to be the most verbose; setting it to 1 already logs some info.

Log file: /var/log/eapolclient.enN.log

Also watch /var/log/system.log and /var/log/wifi.log

To turn off verbose logging:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.eapolclient LogFlags -int 0

AFP548 – Covering Apple IT – 802.1x EAP-TLS Machine Authentication in Mt. Lion with AD Certificates shows an example of the error logging:

... eapolclient was logging the following error:

eaptls_handshake: SSLHandshake failed, errSSLPeerAccessDenied

...
