07-15-2014 07:46 AM - edited 03-10-2019 09:52 PM
Hi all,
We have ACS 5.1, WLC 7.0.98.0 and EAP-TLS. Wireless clients trying to access the network via one of our WLC 5508s are not getting authenticated. I can see the following on ACS:
"11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
which usually means certificate errors / CA problems but clients coming on via other controllers are fine. Any suggestions?
I saw another post which suggested to check the time and discovered that the controller in question was an hour out as the time delta was not set the same as other controllers. However correcting this has not helped.
Many Thanks
Scott
07-15-2014 09:06 AM
Could you please check the validity of the server/identity certificate on ACS 5.1?
To me it seems that the server certificate has expired.
What EAP flavor are you using, PEAP-MSCHAP?
Regards,
Jatin Katyal
**Do rate helpful posts**
07-16-2014 01:42 AM
**Symptoms or Issue:** User authentication is failing on the client machine, and the user is receiving a "RADIUS Access-Reject" form of message.

**Conditions:** (This issue occurs with authentication protocols that require certificate validation.)

Possible Authentications report failure reasons:

- "Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
- "Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate"

Click the magnifying glass icon from Authentications to display the following output in the Authentication Report:

- 12305 Prepared EAP-Request with another PEAP challenge
- 11006 Returned RADIUS Access-Challenge
- 11001 Received RADIUS Access-Request
- 11018 RADIUS is re-using an existing session
- 12304 Extracted EAP-Response containing PEAP challenge-response
- 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
- 12512 Treat the unexpected TLS acknowledge message as a rejection from the client
- 11504 Prepared EAP-Failure
- 11003 Returned RADIUS Access-Reject
- 11006 Returned RADIUS Access-Challenge
- 11001 Received RADIUS Access-Request
- 11018 RADIUS is re-using an existing session
- 12104 Extracted EAP-Response containing EAP-FAST challenge-response
- 12815 Extracted TLS Alert message
- 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
- 11504 Prepared EAP-Failure
- 11003 Returned RADIUS Access-Reject

Note: This is an indication that the client does not have or does not trust the Cisco ISE certificates.

**Possible Causes:** The supplicant or client machine is not accepting the certificate from Cisco ISE. The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.
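Added example, not part of any post in this thread and not Cisco code: a small triage script that splits an exported Authentication Report step list into attempts (each ending at 11003 Access-Reject) and flags the ones carrying the client-side rejection steps quoted above. The one-step-per-line input format, the function names and the sample text are assumptions constructed for illustration; the step codes are the ones listed in the post.

```python
import re

# Step codes taken from the Authentication Report quoted in the post above.
CLIENT_REJECT = {"11514", "12512", "12815", "12153"}
ACCESS_REJECT = "11003"
# Assumed input format: one step per line, optional bullet, 5-digit code, text.
STEP_RE = re.compile(r"^\s*(?:[•*-]\s*)?(\d{5})\s+(.*\S)\s*$")

# Constructed sample: two attempts assembled from the steps listed in the post.
SAMPLE = """\
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
12304 Extracted EAP-Response containing PEAP challenge-response
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
12512 Treat the unexpected TLS acknowledge message as a rejection from the client
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
11001 Received RADIUS Access-Request
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12815 Extracted TLS Alert message
12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
"""

def parse_steps(report):
    """Return the step codes of every line that starts with a 5-digit code."""
    return [m.group(1) for m in map(STEP_RE.match, report.splitlines()) if m]

def split_attempts(codes):
    """Group codes into attempts; an attempt closes at Access-Reject."""
    attempts, current = [], []
    for code in codes:
        current.append(code)
        if code == ACCESS_REJECT:
            attempts.append(current)
            current = []
    if current:                      # trailing steps with no final verdict yet
        attempts.append(current)
    return attempts

def triage(report):
    """Per attempt: was it rejected, and which client-side rejection steps led up to it."""
    out = []
    for attempt in split_attempts(parse_steps(report)):
        rejected = attempt[-1] == ACCESS_REJECT
        indicators = [c for c in attempt if c in CLIENT_REJECT]
        out.append({"rejected": rejected, "indicators": indicators,
                    "client_side_rejection": rejected and bool(indicators)})
    return out

if __name__ == "__main__":
    for n, result in enumerate(triage(SAMPLE), 1):
        print(n, result)
```

An attempt flagged `client_side_rejection` points at the checks raised in this thread: the validity dates of the server certificate and whether the client trusts it.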
01-22-2018 07:42 AM
We experienced just this issue and it was that the certificate on ISE for RADIUS expired.