8/17/2021 Cisco Identity Services Engine

https://10.41.2.220/admin/liveAuthenticationDetail.do?ID=1629051130806080&sessionID=ce448d0600000d08611b8540

Overview

Event 5400 Authentication failed
Username USERNAME
Endpoint Id 2C:8D:B1:A6:BE:2C
Endpoint Profile
Authentication Policy Default
Authorization Policy Default
Authorization Result

Authentication Details

Source Timestamp 2021-08-17 15:13:15.991
Received Timestamp 2021-08-17 15:13:15.992
Policy Server DXB1VSYISE001
Event 5400 Authentication failed
Failure Reason 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
Resolution Ensure that the certificate authority that signed the client's certificate is correctly installed in the Certificate Store page (Administration > System > Certificates > Certificate Management > Trusted Certificates). Check the OpenSSLErrorMessage and OpenSSLErrorStack for more information. If CRL is configured, check the System Diagnostics for possible CRL downloading faults.
Root cause EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
Username USERNAME
Endpoint Id 2C:8D:B1:A6:BE:2C
Calling Station Id 2C-8D-B1-A6-BE-2C
Audit Session Id ce448d0600000d08611b8540
Authentication Method dot1x
Authentication Protocol EAP-TLS
Service Type Framed
Network Device aedxb1-mena-mr42-wap302
Device Type All Device Types
Location All Locations
NAS IPv4 Address 10.41.15.55
NAS Port Type Wireless - IEEE 802.11
Response Time 4 milliseconds

Steps

  11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15048 Queried PIP - DEVICE.Device Type
  11507 Extracted EAP-Response/Identity
  12500 Prepared EAP-Request proposing EAP-TLS with challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
  12800 Extracted first TLS record; TLS handshake started
  12545 Client requested EAP-TLS session ticket
  12542 The EAP-TLS session ticket received from supplicant while the stateless session resume is disabled. Performing full authentication
  12805 Extracted TLS ClientHello message
  12806 Prepared TLS ServerHello message
  12807 Prepared TLS Certificate message
  12809 Prepared TLS CertificateRequest message
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12811 Extracted TLS Certificate message containing client certificate
  12814 Prepared TLS Alert message
  12817 TLS handshake failed
  12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
  12507 EAP-TLS authentication failed
  12505 Prepared EAP-Request with another EAP-TLS challenge
  11006 Returned RADIUS Access-Challenge
  11001 Received RADIUS Access-Request
  11018 RADIUS is re-using an existing session
  12504 Extracted EAP-Response containing EAP-TLS challenge-response
  12818 Expected TLS acknowledge for last alert but received another message
  11500 Invalid or unexpected EAP payload received
  61025 Open secure connection with TLS peer
  11504 Prepared EAP-Failure
  11003 Returned RADIUS Access-Reject

Other Attributes

ConfigVersionId 626

Device Port 34248

DestinationPort 1812

RadiusPacketType AccessRequest

Protocol Radius

NAS-Port 1

Framed-MTU 1400

State 37CPMSessionID=ce448d0600000d08611b8540;40SessionID=DXB1VSYISE001/418425663/236174;

Acct-Session-Id 538280B5762361E2

Connect-Info CONNECT 54.00 Mbps, 802.11ac, RSSI: 42, Channel: 60

undefined-186 00:0f:ac:04

undefined-187 00:0f:ac:04

undefined-188 00:0f:ac:01

NetworkDeviceProfileId b0699505-3150-4215-a80e-6753d45bf56c

IsThirdPartyDeviceFlow false

AcsSessionID DXB1VSYISE001/418425663/236174

OpenSSLErrorMessage SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally"

OpenSSLErrorStack 11292:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3451:

CPMSessionID ce448d0600000d08611b8540

EndPointMACAddress 2C-8D-B1-A6-BE-2C

ISEPolicySetName Default

TLSCipher unknown

TLSVersion TLSv1.2

DTLSSupport Unknown

IPSEC IPSEC#Is IPSEC Device#No

Model Name Unknown

Software Version Unknown

Network Device Profile Cisco

Location Location#All Locations

Device Type Device Type#All Device Types

RADIUS Username USERNAME

NAS-Identifier E0-CB-BC-8D-44-CE:vap0

Device IP Address 10.41.15.55

Called-Station-ID E2-CB-AC-8D-44-CE:IntlSOS-Business-Wi-Fi

CiscoAVPair audit-session-id=ce448d0600000d08611b8540

Result

RadiusPacketType AccessReject

Session Events

2021-08-17 15:13:15.992 Authentication failed

2021-08-17 13:45:36.731 Authentication failed
