11-02-2016 02:57 AM - edited 07-05-2021 06:04 AM
Hi,
13000 clients (wired, wireless, including Windows 7 clients and Cisco IP phones) are involved in our secured network strategy for many years.
We are using 3x ACS 5.5 servers (virtual machines in vSphere 6 environment) for radius Authentication with vlan "push".
Windows clients are authenticated with PEAP protocol (MS-CHAP v2) and Cisco wireless IP phones with EAP-TLS (mic certificate validation).
On september, Microsoft launched KB3175024 destinated to Windows 7 clients. After installation, Windows 7 clients couldn't connect to network, because they were not authorized by ACS server, with failure message "11514 Unexpectedly received empty TLS message; treating as a rejection by the client".
We opened a case by Microsoft but they were unable to investigate the cause of this issue according to the service PAK.
We investigated to Windows 10 issues, because we got the same error message with some Windows 10 newly configured clients.
We found the solution at this forum (for Windows 10), while upgrading ACS servers from 5.5 to 5.8 release and moving the certificate key strengh from 512 to 2048 bits. That was the modification included in the KB3175024 : As for Windows 10, certificate key must be at least 1024 bits ..
We associated the newly created key for EAP on our third ACS server and pushed (with Cisco Prime Infrastructure) a new Radius order list to our access switches, so as to recover network access and connectivity to any wired clients.
But we didn't change ACS the order of the Radius servers in our wifi controllers (WiSM2), because more than 600 Wireless phones (Cisco 7925G) are using EAP-TLS authentication with MIC, assuming that the former EAP certificate was donwloaded in every 7925G phone, during initial setup (indeed the ACS server must be authentified by the Phone in EAP-TLS handshake).
So the issue is coming here : "how replacing or adding the newly created certificate to every phone without the need to perform hundred of https sessions ?".
Now the primary and the secondary ACS servers are using the same old certificate for answering to wifi controller requests. Another secondary ACS server uses the new certificate as first Radius server for wired clients.
This situation should not stay for a long time, in case of failure of one ore more ACS server and in case of future upgrade ..
Any help would be appreciated,
Best Regards,
Bruno L.
11-02-2016 11:44 AM
We are having the same issue except we have had to uninstall 3 other additional Windows Updates and/or Security Updates in order for our Windows 7 clients to be able to authenticate to the wireless network. Cisco support said the Windows updates are the culprit, but we can't leave our Windows updates turned off forever. Hoping more people have this issue. We are stuck.
Thanks
11-03-2016 01:04 AM
Hi Phil2627,
We did first block our WSUS server updates so as to keep upgrading all the clients.
But we had to disable pae authentication on almost 400 ports, in order to get back connectivity to already upgraded clients and uninstall the Windows SP.
We have upgraded our ACS cluster to 5.8 and have built a new EAP 2048 bits certificate.
Maybe it should be sufficient to built only a stronger key, if you are using Windows 7 clients solely.
Regards,
BL
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide