Before EAP Certificate Change


8/17/2021 Cisco Identity Services Engine

Overview

Event 5400 Authentication failed

Username USERNAME

Endpoint Id 2C:8D:B1:A6:BE:2C

Endpoint Profile

Authentication Policy Default

Authorization Policy Default

Authorization Result

Steps

  11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP - DEVICE.Device Type
  11507 Extracted EAP-Response/Identity
  12500 Prepared EAP-Request proposing EAP-TLS with challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
  12800 Extracted first TLS record; TLS handshake started
  12545 Client requested EAP-TLS session ticket
  12542 The EAP-TLS session ticket received from supplicant while the stateless session resume is disabled. Performing full authentication
  12805 Extracted TLS ClientHello message
  12806 Prepared TLS ServerHello message
  12807 Prepared TLS Certificate message
  12809 Prepared TLS CertificateRequest message
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12815 Extracted TLS Alert message
  12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
  12507 EAP-TLS authentication failed
  61025 Open secure connection with TLS peer
  11504 Prepared EAP-Failure
  11003 Returned RADIUS Access-Reject

https://10.41.2.220/admin/liveAuthenticationDetail.do?ID=1629051130792616&sessionID=ce448d0600000ced611b3fac 1/4

Authentication Details

Source Timestamp 2021-08-17 08:48:45.04

Received Timestamp 2021-08-17 08:48:45.041

Policy Server DXB1VSYISE001

Event 5400 Authentication failed

Failure Reason 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

Resolution Check whether the proper server certificate is installed and configured for EAP in the Local Certificates page ( Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information.

Root cause EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

Username USERNAME

Endpoint Id 2C:8D:B1:A6:BE:2C

Calling Station Id 2C-8D-B1-A6-BE-2C

Audit Session Id ce448d0600000ced611b3fac

Authentication Method dot1x

Authentication Protocol EAP-TLS

Service Type Framed

Network Device aedxb1-mena-mr42-wap302

Device Type All Device Types

Location All Locations

NAS IPv4 Address 10.41.15.55

NAS Port Type Wireless - IEEE 802.11

Response Time 6 milliseconds


Other Attributes

ConfigVersionId 622

Device Port 34248

DestinationPort 1812

RadiusPacketType AccessRequest

Protocol Radius

NAS-Port 1

Framed-MTU 1400

State 37CPMSessionID=ce448d0600000ced611b3fac;40SessionID=DXB1VSYISE001/418425663/208182;

Acct-Session-Id AD24A11798CB47D5

Connect-Info CONNECT 54.00 Mbps, 802.11ac, RSSI: 46, Channel: 60

undefined-186 00:0f:ac:04

undefined-187 00:0f:ac:04

undefined-188 00:0f:ac:01

NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c

IsThirdPartyDeviceFlow false

AcsSessionID DXB1VSYISE001/418425663/208182

OpenSSLErrorMessage SSL alert: code=0x230=560 ; source=remote ; type=fatal ; message="unknown CA"

OpenSSLErrorStack 11295:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1494:SSL alert number 48

CPMSessionID ce448d0600000ced611b3fac

EndPointMACAddress 2C-8D-B1-A6-BE-2C

ISEPolicySetName Default

DTLSSupport Unknown

IPSEC IPSEC#Is IPSEC Device#No


Model Name Unknown

Software Version Unknown

Network Device Profile Cisco

Location Location#All Locations

Device Type Device Type#All Device Types

RADIUS Username USERNAME

NAS-Identifier E0-CB-BC-8D-44-CE:vap0

Device IP Address 10.41.15.55

Called-Station-ID E2-CB-AC-8D-44-CE:IntlSOS-Business-Wi-Fi

CiscoAVPair audit-session-id=ce448d0600000ced611b3fac

Result

RadiusPacketType AccessReject

Session Events

2021-08-17 08:54:01.152 Authentication failed

2021-08-17 08:48:45.041 Authentication failed
