07-18-2019 01:45 PM
ISE 2.4
WLC 5508 running 8.5 software
iPhone
I followed the instructions for setting up eap-tls here (ISE and my phone have proper certs and trust mutual ca):
Yet when I try connecting to my eap-tls ssid, ISE tells me Failure Reason 15024 PAP is not allowed. I've checked my auth policy in conjunction with what's in the link and they match. I even used an all new auth policy that allows everything just to check and I still get this error. What else can I look at?
07-18-2019 04:49 PM
If ISE is telling you that your RADIUS authentication is using PAP, then it means that the WLC is not configured correctly. If an SSID is correctly configured for any EAP method, then the RADIUS authentication request to ISE will never use PAP.
Have another look at your WLC config.
As for ISE, check that your Allowed Protocols in the Policy Set contains EAP-TLS as an allowed protocol.
Send screenshots here if you are still stuck
07-18-2019 06:06 PM
PAP is allowed in my ISE authorization protocols tied to the policy in question. Even using the default that already allows pap doesn't work.
07-18-2019 09:07 PM - edited 07-18-2019 09:10 PM
Your Layer 2 Security is wrong.
You are doing MAC Authentication which is exactly what ISE is also reporting. It takes the MAC address from the client packet and turns it into a PAP authentication towards the RADIUS server. This is the mode you might see with iPSK or Centralised Guest Auth.
For EAP-TLS/EAP-PEAP you need Layer 2 authentication as shown below.
802.1X will eventually encrypt the data using WPA2 - this is called WPA2-Enterprise mode.
Have a look below - this is the typical WPA2 Enterprise config.
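The point above (MAC filtering makes the WLC send the client MAC as a PAP username/password, while 802.1X sends EAP) can be checked on the wire. The following is an added example, not code from this thread or from Cisco: it parses a RADIUS Access-Request (RFC 2865 layout) and reports whether the NAS is asking for PAP (MAC-based) or EAP authentication. The two sample requests are constructed inline.

```python
import struct

# RADIUS attribute types (RFC 2865 / RFC 2869)
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE = 1, 2, 6
ATTR_CALLING_STATION_ID, ATTR_EAP_MESSAGE = 31, 79
SERVICE_TYPE_CALL_CHECK = 10  # Service-Type many NASes use for MAC-based checks

def parse_radius(packet: bytes) -> dict:
    """Parse a RADIUS header and attribute list; attrs maps type -> list of values."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs = {}
    pos = 20  # skip code, id, length and the 16-byte Request Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}

def looks_like_mac(s: str) -> bool:
    stripped = s.replace(":", "").replace("-", "").replace(".", "")
    return len(stripped) == 12 and all(c in "0123456789abcdefABCDEF" for c in stripped)

def classify_auth(packet: bytes) -> str:
    """Return the authentication method the NAS is asking the RADIUS server to run."""
    a = parse_radius(packet)["attrs"]
    if ATTR_EAP_MESSAGE in a:          # 802.1X: EAP is tunnelled in EAP-Message attributes
        return "EAP"
    if ATTR_USER_PASSWORD in a:        # User-Password is only ever present for PAP
        user = a.get(ATTR_USER_NAME, [b""])[0].decode(errors="replace")
        svc = struct.unpack("!I", a[ATTR_SERVICE_TYPE][0])[0] if ATTR_SERVICE_TYPE in a else None
        if svc == SERVICE_TYPE_CALL_CHECK or looks_like_mac(user):
            return "PAP (MAC filtering / MAB)"
        return "PAP"
    return "unknown"

def build_request(attrs) -> bytes:
    """Build an Access-Request from (type, value) pairs; authenticator is constructed zeros."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed sample: a WLAN with MAC filtering sends the MAC as username plus a PAP password
MAB_REQUEST = build_request([
    (ATTR_USER_NAME, b"aabbccddeeff"),
    (ATTR_USER_PASSWORD, bytes(16)),  # 16-byte PAP password blob (constructed placeholder)
    (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
    (ATTR_CALLING_STATION_ID, b"aa-bb-cc-dd-ee-ff"),
])
# Constructed sample: an 802.1X request carrying an EAP-Response/Identity for the same client
EAP_REQUEST = build_request([
    (ATTR_USER_NAME, b"iphone-user"),
    (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x10\x01" + b"iphone-user"),  # EAP Response, Identity
    (ATTR_CALLING_STATION_ID, b"aa-bb-cc-dd-ee-ff"),
])
```

Running a capture from the WLC through classify_auth shows the same thing the ISE failure reason does: a MAC-filtered WLAN produces PAP requests no matter which EAP types the policy set allows.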
07-19-2019 06:39 AM
Thank you for that. Now my authentication fails for 5400 - 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain. So this means I'll have to work with my team on getting the proper client cert to appear. I already have it installed but it doesn't show up as a selectable option on iPhone.
07-19-2019 04:02 PM
Good stuff. The TLS error you described sounds like ISE doesn't have the CA cert chain installed in the Trusted Certificates. That you can import easily. Just make sure it's the Root CA and all other intermediate certs that were involved in creating those EAP-TLS client certs.
On most clients you can disable the server cert check. It’s not at all advisable but ok for testing purposes. In prod make sure server cert check is enabled. And that means your clients need the CA cert chain that was used to sign the ISE EAP cert.