
Wireless clients empty TLS message via one WLC

scottwilliamson
Level 2

Hi all,

We have ACS 5.1, WLC 7.0.98.0 and EAP-TLS. Wireless clients trying to access the network via one of our WLC 5508s are not getting authenticated. I can see the following on ACS:

"11514 Unexpectedly received empty TLS message; treating as a rejection by the client"

which usually means certificate errors / CA problems but clients coming on via other controllers are fine. Any suggestions?

I saw another post which suggested to check the time and discovered that the controller in question was an hour out as the time delta was not set the same as other controllers. However correcting this has not helped.

Many Thanks

Scott

3 Replies

Jatin Katyal
Cisco Employee

Could you please check the validity of the server/identity certificate on ACS 5.1?

To me it seems that the server certificate has expired.

What EAP flavor are you using, PEAP-MSCHAP?

 

Regards,

Jatin Katyal

**Do rate helpful posts**

 

~Jatin

mohanak
Cisco Employee

Certificate-Based User Authentication via Supplicant Failing

Symptoms or Issue

User authentication is failing on the client machine, and the user is receiving a "RADIUS Access-Reject" form of message.

Conditions

(This issue occurs with authentication protocols that require certificate validation.)

Possible Authentications report failure reasons:

"Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
"Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate"

Click the magnifying glass icon from Authentications to display the following output in the Authentication Report:

12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12815 Extracted TLS Alert message
12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

Note: This is an indication that the client does not have or does not trust the Cisco ISE certificates.

Possible Causes

The supplicant or client machine is not accepting the certificate from Cisco ISE.

The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.

We experienced just this issue and it was that the certificate on ISE for RADIUS expired.  
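One way to triage step sequences like the ones quoted in the reply above, as an added example (not code from this thread or from Cisco): it splits a pasted authentication report into attempts ending in 11003 and flags those that contain the client-rejection steps. The step codes and messages are copied from the post; the function name `triage`, the result keys and the third sample attempt are constructed for illustration.

```python
import re
# Step codes and messages below come from the authentication report quoted in the post.
# Per the post's note, these steps indicate the client does not have or does not
# trust the server certificate (an expired server certificate is one reported cause).
CLIENT_REJECT = {"11514", "12512", "12153"}
EAP_METHOD = {"12304": "PEAP", "12305": "PEAP", "12104": "EAP-FAST"}
STEP_RE = re.compile(r"^\s*(\d{5})\s+(\S.*)$")

def triage(report):
    """Return one finding per attempt that ends in 11003 Access-Reject."""
    findings, attempt = [], []
    for line in report.splitlines():
        m = STEP_RE.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a step line
        attempt.append(m.group(1))
        if m.group(1) != "11003":
            continue
        evidence = [c for c in attempt if c in CLIENT_REJECT]
        findings.append({
            "method": next((EAP_METHOD[c] for c in attempt if c in EAP_METHOD), "unknown"),
            "evidence": evidence,
            "client_rejected_handshake": bool(evidence),
        })
        attempt = []  # the next step line starts a new attempt
    return findings

# Constructed input: the two sequences from the post, then a made-up reject
# with no client-rejection step, to show the negative case.
SAMPLE = """\
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12815 Extracted TLS Alert message
12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
11001 Received RADIUS Access-Request
11003 Returned RADIUS Access-Reject
"""
print(*triage(SAMPLE), sep="\n")
```

Attempts flagged with `client_rejected_handshake` are the ones where the server certificate's validity dates and the client's trust configuration should be checked first.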
