windows 7 EAP/TLS issue

bbxie · ‎11-16-2009

Hi, has anybody seen the same issue previously:

1. WiSM 5.2.193/AP1252/ACS5.0/WINDOWS7 laptop/EAP-TLS authentication for the WLAN

2. Each time the client try to join the WLAN failed, there's no Radius authentication report for this failed connection in ACS5.0

3. When debug client xxxx in WLC, it says:

Sending EAP-Request/Identity to mobile

Received EAPOL EAPPKT from mobile

Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile

It seems the client failed in the phase one of EAP-TLS(setup the TLS link).

I suspect that the client/server/CA certificates have some problem because these certs are used in the EAP-TLS phase one TLS setup. However I've been told the certs have no problem, their CA server engineer had checked. I don't have more evidence on showing the customer the certs had problem.

Now I can't get the support bundle from ACS and don't have other Laptop(XP or Vista)for testing.

Any idea on it? Any feedback will be appreciated

Robert.N.Barrett_2 · ‎11-17-2009

It seems to me that a certificate problem would get logged on the ACS server (it did when I tested 5.0). In order for there to be a certificate problem, the ACS server would have needed to present it's certificate to the WLC/AP in order for the client to receive/verify it (that's the first step in EAP-TLS). Therefore, something should have been logged in ACS, and I've found the ACS 5 logging to be pretty complete.

Are you sure you have the Windows 7 client properly configured for EAP-TLS? If you're not sure, is there any chance of using WireShark to do a wireless capture and see what kind of EAP the client is trying to perform?

What wireless supplicant are you using with Windows 7, and what flavor (Enterprise, Home, etc.) of Windows 7 are you running?