802.1x [EAP-TLS] with Cisco 1130 and NPS

General discussion
Hey all,
I've got the following problem:
I'm trying to establish a secure EAP-TLS connection for my 802.1x setup with an NPS server. With user certificates I experience no problems. Now I'm trying to use computer certificates, and it seems that my client isn't responding to the EAP-TLS challenge from my NPS.
What's the best way to solve this problem?
Enclosed you will find logs from Microsoft Network Monitor and from my Cisco AP:
9507 11:59:46 AM 4/27/2012 404.6798434 10.x.x.x xxxxxxxxx EAP EAP:Response, Type = Identity {EAP:632, RADIUS:631, UDP:17, IPv4:16}
9516 11:59:46 AM 4/27/2012 404.6844146 xxxxxxxxx 10.x.x.x EAP EAP:Request, Type = EAP-TLS {EAP:632, RADIUS:631, UDP:17, IPv4:16}
*Mar 1 02:30:52.712: dot11_auth_add_client_entry: Create new client 74e5.0b23.f95a for application 0x1
*Mar 1 02:30:52.712: dot11_auth_initialize_client: 74e5.0b23.f95a is added to the client list for application 0x1
*Mar 1 02:30:52.712: dot11_auth_add_client_entry: req->auth_type 0
*Mar 1 02:30:52.713: dot11_auth_add_client_entry: auth_methods_inprocess: 2
*Mar 1 02:30:52.713: dot11_auth_add_client_entry: eap list name: eap_methods1
*Mar 1 02:30:52.713: dot11_run_auth_methods: Start auth method EAP or LEAP
*Mar 1 02:30:52.713: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 1 02:30:52.713: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74e5.0b23.f95a
*Mar 1 02:30:52.713: EAPOL pak dump tx
*Mar 1 02:30:52.713: EAPOL Version: 0x1 type: 0x0 length: 0x003D
*Mar 1 02:30:52.713: EAP code: 0x1 id: 0x1 length: 0x003D type: 0x1
01901400: 0100003D 0101003D ...=...=
01901410: 01006E65 74776F72 6B69643D 42656368 ..networkid=**
01901420: 746C652D 43657274 2C6E6173 69643D42 ***,nasid=*******
01901440: 2C706F72 7469643D 30 ,portid=0
*Mar 1 02:30:52.714: dot11_auth_send_msg: sending data to requestor status 1
*Mar 1 02:30:52.714: dot11_auth_send_msg: Sending EAPOL to requestor
*Mar 1 02:30:52.715: dot11_auth_dot1x_send_id_req_to_client: Client 74e5.0b23.f95a timer started for 30 seconds
*Mar 1 02:30:52.745: dot11_auth_parse_client_pak: Received EAPOL packet from 74e5.0b23.f95a
*Mar 1 02:30:52.745: EAPOL pak dump rx
*Mar 1 02:30:52.745: EAPOL Version: 0x1 type: 0x1 length: 0x0000
01CC9790: 01010000 ....
*Mar 1 02:30:52.745: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 74e5.0b23.f95a
*Mar 1 02:30:52.745: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74e5.0b23.f95a
*Mar 1 02:30:52.746: EAPOL pak dump tx
*Mar 1 02:30:52.746: EAPOL Version: 0x1 type: 0x0 length: 0x003D
*Mar 1 02:30:52.746: EAP code: 0x1 id: 0x2 length: 0x003D type: 0x1
019017B0: 0100003D 0102003D 01006E65 74776F72 ...=...=..networ
019017C0: 6B69643D 42656368 746C652D 43657274 kid=*****
019017D0: 2C6E6173 69643D42 65636874 6C652D43 ,nasid=*****
019017E0: 6572742D 54657374 2C706F72 7469643D *****,portid=
019017F0: 30 0
*Mar 1 02:30:52.747: dot11_auth_send_msg: sending data to requestor status 1
*Mar 1 02:30:52.747: dot11_auth_send_msg: Sending EAPOL to requestor
*Mar 1 02:30:52.747: dot11_auth_dot1x_send_id_req_to_client: Client 74e5.0b23.f95a timer started for 30 seconds
*Mar 1 02:30:52.749: dot11_auth_parse_client_pak: Received EAPOL packet from 74e5.0b23.f95a
*Mar 1 02:30:52.749: EAPOL pak dump rx
*Mar 1 02:30:52.749: EAPOL Version: 0x1 type: 0x0 length: 0x0022
*Mar 1 02:30:52.749: EAP code: 0x2 id: 0x1 length: 0x0022 type: 0x1
01C5BBA0: 01000022 02010022 01686F73 742F5348 ..."...".host/**
01C5BBB0: 44454141 48574C44 30392E62 65636874 ***
01C5BBC0: 6C652E6E 6574 ***
*Mar 1 02:30:52.750: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response
*Mar 1 02:30:52.752: dot11_auth_parse_client_pak: Received EAPOL packet from 74e5.0b23.f95a
*Mar 1 02:30:52.752: EAPOL pak dump rx
*Mar 1 02:30:52.752: EAPOL Version: 0x1 type: 0x0 length: 0x0022
*Mar 1 02:30:52.752: EAP code: 0x2 id: 0x2 length: 0x0022 type: 0x1
01CBE3C0: 01000022 02020022 01686F73 ..."...".hos
01CBE3D0: 742F5348 44454141 48574C44 30392E62 t/****
01CBE3E0: 65636874 6C652E6E 6574 **
*Mar 1 02:30:52.753: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 74e5.0b23.f95a
*Mar 1 02:30:52.753: dot11_auth_dot1x_send_response_to_server: Sending client 74e5.0b23.f95a data to server
*Mar 1 02:30:52.754: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
*Mar 1 02:30:52.768: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
*Mar 1 02:30:52.768: dot11_auth_dot1x_parse_aaa_resp: found session timeout 30 sec
*Mar 1 02:30:52.768: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
*Mar 1 02:30:52.769: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_REPLY) for 74e5.0b23.f95a
*Mar 1 02:30:52.769: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 74e5.0b23.f95a
*Mar 1 02:30:52.769: EAPOL pak dump tx
*Mar 1 02:30:52.769: EAPOL Version: 0x1 type: 0x0 length: 0x0006
*Mar 1 02:30:52.769: EAP code: 0x1 id: 0x3 length: 0x0006 type: 0xD
01908CB0: 01000006 01030006 0D20 .........
*Mar 1 02:30:52.769: dot11_auth_send_msg: sending data to requestor status 1
*Mar 1 02:30:52.769: dot11_auth_send_msg: Sending EAPOL to requestor
*Mar 1 02:30:52.770: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
*Mar 1 02:30:52.774: dot11_auth_client_abort: Received abort request for client 74e5.0b23.f95a
*Mar 1 02:30:52.774: dot11_auth_client_abort: Aborting client 74e5.0b23.f95a for application 0x1
*Mar 1 02:30:52.775: dot11_auth_delete_client_entry: 74e5.0b23.f95a is deleted for application 0x1
Thanks in advance for your help.
Regards,
Chris
- Edited by Christian Beebob Friday, April 27, 2012 12:51 PM
- Changed type Tiger Li (Microsoft employee) Thursday, May 3, 2012 9:15 AM
Friday, April 27, 2012 10:12 AM
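As an added illustration (not part of the original post), the following Python decoder parses EAPOL/EAP frames in the format of the Cisco "EAPOL pak dump" lines above and names the step at which the exchange stopped. The EAPOL-Start (01010000) and EAP-TLS Start (01000006 01030006 0D20) hex are taken from the AP log; the two Identity frames, the names inside them and all function names are constructed placeholders, not the post's masked values.

```python
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}

def eap_frame(code, eap_id, eap_type, payload=b""):  # wrap one EAP packet in an EAPOL v1 EAP-Packet frame
    eap = struct.pack("!BBHB", code, eap_id, 5 + len(payload), eap_type) + payload
    return struct.pack("!BBH", 1, 0, len(eap)) + eap

def decode_eapol(frame):
    """Decode one EAPOL frame given as bytes or as the hex text of a Cisco 'EAPOL pak dump'."""
    data = bytes.fromhex(frame.replace(" ", "")) if isinstance(frame, str) else frame
    ver, etype, elen = struct.unpack("!BBH", data[:4])
    out = {"eapol_version": ver, "eapol_type": EAPOL_TYPES.get(etype, etype)}
    body = data[4:4 + elen]
    if etype != 0:
        return out                                  # EAPOL-Start / Logoff carry no EAP packet
    code, eap_id, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != len(body):
        raise ValueError("EAP length %d != EAPOL body %d" % (eap_len, len(body)))
    out.update(eap_code=EAP_CODES.get(code, code), eap_id=eap_id)
    if code not in (1, 2):
        return out                                  # Success / Failure have no Type byte
    eap_type, payload = body[4], body[5:]
    out["eap_type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        # Request: optional NUL-terminated prompt then options (Cisco: networkid=...); Response: identity
        out["identity" if code == 2 else "request_options"] = payload.split(b"\x00")[-1].decode("ascii", "replace")
    elif eap_type == 13:
        flags = payload[0]                          # L=0x80 length present, M=0x40 more, S=0x20 Start
        out["tls_flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        out["tls_data_len"] = len(payload) - (5 if flags & 0x80 else 1)
    return out

# CONSTRUCTED exchange: the two hex frames are the EAPOL-Start and EAP-TLS Start dumps from the post;
# the Identity frames use placeholder names, not the (masked) values in the post.
SAMPLE_EXCHANGE = [
    ("client", "01010000"),
    ("ap", eap_frame(1, 1, 1, b"\x00networkid=Lab-Cert,nasid=ap1,portid=0")),
    ("client", eap_frame(2, 1, 1, b"host/LAB-PC01.example.local")),
    ("nps", "01000006 01030006 0D20"),
]

def last_stage(exchange):
    """Name the step at which a captured exchange ends, to spot a supplicant that never answers."""
    who, last = exchange[-1][0], decode_eapol(exchange[-1][1])
    if who != "client" and last.get("eap_type") == "EAP-TLS" and last["tls_flags"]["S"]:
        return "server sent EAP-TLS Start (S flag); no client_hello from the supplicant"
    return "%s from %s" % (last.get("eap_type") or last["eapol_type"], who)
```

Calling `last_stage(SAMPLE_EXCHANGE)` reports that the exchange ends at the server's EAP-TLS Start, the same point at which the AP log above shows the client being aborted; decoding the EAP-TLS frame confirms it carries only the S flag and no TLS data.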
All replies
Hi Christian,
Thanks for posting here.
If it works with a user certificate but not with the computer's, could we first check whether this certificate meets our requirements for the EAP-TLS authentication method?
Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
http://support.microsoft.com/kb/814394
The guides below also help with the troubleshooting:
A Support Guide for Wireless Diagnostics and Troubleshooting
http://technet.microsoft.com/en-us/library/bb457018.aspx
Authentication Problem on a 802.1x Wireless Network
Thanks.
Tiger Li
TechNet Community Support
Tuesday, May 1, 2012 2:23 AM