802.1x [EAP-TLS] with Cisco 1130 and NPS

  • General discussion

    Hey all,

    I got the following problem:

    I'm trying to establish a secure EAP-TLS connection for my 802.1x with an NPS server. With user certificates I experience no problems. Now I'm trying to use computer certificates and it seems that my client isn't responding to the EAP-TLS challenge of my NPS.

    What's the best way to solve this problem?

    Enclosed you will find logs of the Microsoft Network Monitor and my Cisco AP:

    9507	11:59:46 AM 4/27/2012	404.6798434		10.x.x.x	xxxxxxxxx  	EAP	EAP:Response, Type = Identity	{EAP:632, RADIUS:631, UDP:17, IPv4:16}
    
    9516	11:59:46 AM 4/27/2012	404.6844146		xxxxxxxxx  	10.x.x.x	EAP	EAP:Request, Type = EAP-TLS	{EAP:632, RADIUS:631, UDP:17, IPv4:16}


    *Mar  1 02:30:52.712: dot11_auth_add_client_entry: Create new client 74e5.0b23.f95a for application 0x1
    *Mar  1 02:30:52.712: dot11_auth_initialize_client: 74e5.0b23.f95a is added to the client list for application 0x1
    *Mar  1 02:30:52.712: dot11_auth_add_client_entry: req->auth_type 0
    *Mar  1 02:30:52.713: dot11_auth_add_client_entry: auth_methods_inprocess: 2
    *Mar  1 02:30:52.713: dot11_auth_add_client_entry: eap list name: eap_methods1
    *Mar  1 02:30:52.713: dot11_run_auth_methods: Start auth method EAP or LEAP
    *Mar  1 02:30:52.713: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  1 02:30:52.713: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74e5.0b23.f95a
    *Mar  1 02:30:52.713: EAPOL pak dump tx
    *Mar  1 02:30:52.713: EAPOL Version: 0x1  type: 0x0  length: 0x003D
    *Mar  1 02:30:52.713: EAP code: 0x1  id: 0x1  length: 0x003D type: 0x1
    01901400:                   0100003D 0101003D          ...=...=
    01901410: 01006E65 74776F72 6B69643D 42656368  ..networkid=**
    01901420: 746C652D 43657274 2C6E6173 69643D42  ***,nasid=*******
    01901440: 2C706F72 7469643D 30                 ,portid=0
    *Mar  1 02:30:52.714: dot11_auth_send_msg:  sending data to requestor status 1
    *Mar  1 02:30:52.714: dot11_auth_send_msg: Sending EAPOL to requestor
    *Mar  1 02:30:52.715: dot11_auth_dot1x_send_id_req_to_client: Client 74e5.0b23.f95a timer started for 30 seconds
    *Mar  1 02:30:52.745: dot11_auth_parse_client_pak: Received EAPOL packet from 74e5.0b23.f95a
    *Mar  1 02:30:52.745: EAPOL pak dump rx
    *Mar  1 02:30:52.745: EAPOL Version: 0x1  type: 0x1  length: 0x0000
    01CC9790:                   01010000                   ....
    *Mar  1 02:30:52.745: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 74e5.0b23.f95a
    *Mar  1 02:30:52.745: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74e5.0b23.f95a
    *Mar  1 02:30:52.746: EAPOL pak dump tx
    *Mar  1 02:30:52.746: EAPOL Version: 0x1  type: 0x0  length: 0x003D
    *Mar  1 02:30:52.746: EAP code: 0x1  id: 0x2  length: 0x003D type: 0x1
    019017B0: 0100003D 0102003D 01006E65 74776F72  ...=...=..networ
    019017C0: 6B69643D 42656368 746C652D 43657274  kid=*****
    019017D0: 2C6E6173 69643D42 65636874 6C652D43  ,nasid=*****
    019017E0: 6572742D 54657374 2C706F72 7469643D  *****,portid=
    019017F0: 30                                   0
    *Mar  1 02:30:52.747: dot11_auth_send_msg:  sending data to requestor status 1
    *Mar  1 02:30:52.747: dot11_auth_send_msg: Sending EAPOL to requestor
    *Mar  1 02:30:52.747: dot11_auth_dot1x_send_id_req_to_client: Client 74e5.0b23.f95a timer started for 30 seconds
    *Mar  1 02:30:52.749: dot11_auth_parse_client_pak: Received EAPOL packet from 74e5.0b23.f95a
    *Mar  1 02:30:52.749: EAPOL pak dump rx
    *Mar  1 02:30:52.749: EAPOL Version: 0x1  type: 0x0  length: 0x0022
    *Mar  1 02:30:52.749: EAP code: 0x2  id: 0x1  length: 0x0022 type: 0x1
    01C5BBA0: 01000022 02010022 01686F73 742F5348  ..."...".host/**
    01C5BBB0: 44454141 48574C44 30392E62 65636874  ***
    01C5BBC0: 6C652E6E 6574                        ***
    *Mar  1 02:30:52.750: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response
    *Mar  1 02:30:52.752: dot11_auth_parse_client_pak: Received EAPOL packet from 74e5.0b23.f95a
    *Mar  1 02:30:52.752: EAPOL pak dump rx
    *Mar  1 02:30:52.752: EAPOL Version: 0x1  type: 0x0  length: 0x0022
    *Mar  1 02:30:52.752: EAP code: 0x2  id: 0x2  length: 0x0022 type: 0x1
    01CBE3C0:          01000022 02020022 01686F73      ..."...".hos
    01CBE3D0: 742F5348 44454141 48574C44 30392E62  t/****
    01CBE3E0: 65636874 6C652E6E 6574               **
    *Mar  1 02:30:52.753: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 74e5.0b23.f95a
    *Mar  1 02:30:52.753: dot11_auth_dot1x_send_response_to_server: Sending client 74e5.0b23.f95a data to server
    *Mar  1 02:30:52.754: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
    *Mar  1 02:30:52.768: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
    *Mar  1 02:30:52.768: dot11_auth_dot1x_parse_aaa_resp: found session timeout 30 sec
    *Mar  1 02:30:52.768: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    *Mar  1 02:30:52.769: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_REPLY) for 74e5.0b23.f95a
    *Mar  1 02:30:52.769: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 74e5.0b23.f95a
    *Mar  1 02:30:52.769: EAPOL pak dump tx
    *Mar  1 02:30:52.769: EAPOL Version: 0x1  type: 0x0  length: 0x0006
    *Mar  1 02:30:52.769: EAP code: 0x1  id: 0x3  length: 0x0006 type: 0xD
    01908CB0: 01000006 01030006 0D20               .........
    *Mar  1 02:30:52.769: dot11_auth_send_msg:  sending data to requestor status 1
    *Mar  1 02:30:52.769: dot11_auth_send_msg: Sending EAPOL to requestor
    *Mar  1 02:30:52.770: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
    *Mar  1 02:30:52.774: dot11_auth_client_abort: Received abort request for client 74e5.0b23.f95a
    *Mar  1 02:30:52.774: dot11_auth_client_abort: Aborting client 74e5.0b23.f95a for application 0x1
    *Mar  1 02:30:52.775: dot11_auth_delete_client_entry: 74e5.0b23.f95a is deleted for application 0x1

    Thanks in advance for your help.

    Regards,

    Chris


    Friday, April 27, 2012 10:12 AM
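The Cisco "EAPOL pak dump" lines in the post above are raw 802.1X frames: a 4-byte EAPOL header, then an EAP packet (Code, Identifier, Length, Type, Type-Data). The decoder below is an added example, not code from the original post or from Cisco or Microsoft; it parses frames of that shape following IEEE 802.1X, RFC 3748 (EAP) and RFC 5216 (EAP-TLS), and replays a constructed exchange with the same sequence as the debug output: two Identity Requests, an EAPOL-Start, a stale Identity Response to the first request (the AP's "id is not matching" case), the matching Response, and an EAP-TLS Start (Type 13, flags 0x20) that gets no answer. The `TLS_START` bytes are the ones printed in the dump (01000006 01030006 0D20); every other frame, the `networkid`/`nasid` values and the `host/EXAMPLE-PC.example.com` identity are constructed sample data.

```python
"""Decode 802.1X EAPOL/EAP frames as printed by Cisco 'EAPOL pak dump' lines.

Added example, not code from the original post. Layouts: IEEE 802.1X (EAPOL),
RFC 3748 (EAP), RFC 5216 (EAP-TLS). Sample frames are constructed, except
TLS_START, whose bytes are taken from the dump in the post.
"""
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

# EAP-TLS flags byte (RFC 5216 section 3.1): L = length included, M = more fragments, S = start
TLS_FLAG_LENGTH_INCLUDED, TLS_FLAG_MORE_FRAGMENTS, TLS_FLAG_START = 0x80, 0x40, 0x20


def build_eap_frame(code: int, ident: int, eap_type: int, data: bytes) -> bytes:
    """Wrap an EAP Request/Response in an EAPOL EAP-Packet (EAPOL version 1)."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


def parse_eapol(frame: bytes) -> dict:
    """Parse the 4-byte EAPOL header; for an EAP-Packet also parse the EAP payload."""
    if len(frame) < 4:
        raise ValueError("EAPOL header needs 4 bytes")
    version, etype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError(f"EAPOL length field {length} but {len(body)} body bytes present")
    out = {"eapol_version": version, "eapol_type": EAPOL_TYPES.get(etype, etype), "eapol_length": length}
    if etype == 0:
        out["eap"] = parse_eap(body)
    return out


def parse_eap(pkt: bytes) -> dict:
    """Parse an EAP packet (RFC 3748 section 4): Code, Identifier, Length, Type, Type-Data."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} but packet is {len(pkt)} bytes")
    eap = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):  # Success / Failure carry no Type field
        return eap
    eap_type, data = pkt[4], pkt[5:]
    eap["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1 and code == 1:
        # Identity Request: optional display text, then NUL and "key=value,..." options.
        # The AP dump shows the options networkid=, nasid= and portid= after the NUL.
        text, _, opts = data.partition(b"\x00")
        eap["prompt"] = text.decode("ascii", "replace")
        eap["options"] = dict(kv.split("=", 1) for kv in opts.decode("ascii", "replace").split(",") if "=" in kv)
    elif eap_type == 1:
        # Identity Response: the outer identity, e.g. host/<fqdn> for a machine account.
        eap["identity"] = data.decode("utf-8", "replace")
    elif eap_type == 13:
        eap["tls"] = parse_eap_tls(data)
    return eap


def parse_eap_tls(data: bytes) -> dict:
    """Decode the EAP-TLS flags byte and the optional 4-byte TLS Message Length."""
    flags = data[0]
    tls = {
        "start": bool(flags & TLS_FLAG_START),
        "more_fragments": bool(flags & TLS_FLAG_MORE_FRAGMENTS),
        "length_included": bool(flags & TLS_FLAG_LENGTH_INCLUDED),
    }
    rest = data[1:]
    if tls["length_included"]:
        (tls["tls_message_length"],) = struct.unpack("!I", rest[:4])
        rest = rest[4:]
    tls["tls_data_len"] = len(rest)
    return tls


def audit_exchange(frames) -> dict:
    """Replay (direction, frame) pairs: flag Responses whose Identifier does not match the
    outstanding Request, and report which Request, if any, is still unanswered at the end."""
    pending, issues = None, []
    for direction, frame in frames:
        eap = parse_eapol(frame).get("eap")
        if eap is None:  # EAPOL-Start / Logoff / Key carry no EAP packet
            continue
        if eap["code"] == "Request":
            pending = (eap["id"], eap["type"])
        elif eap["code"] == "Response":
            if pending is None or eap["id"] != pending[0]:
                issues.append(f"{direction}: Response id {eap['id']} does not match pending Request {pending}")
            else:
                pending = None
    return {"issues": issues, "unanswered": pending}


# Constructed sample exchange in the same order as the AP debug output.
EAPOL_START = bytes.fromhex("01010000")
TLS_START = bytes.fromhex("01000006" "01030006" "0D20")  # bytes as printed in the dump
ID_REQ_OPTS = b"\x00networkid=Example-Cert,nasid=Example-AP,portid=0"  # constructed values
SAMPLE_EXCHANGE = [
    ("AP->client", build_eap_frame(1, 1, 1, ID_REQ_OPTS)),
    ("client->AP", EAPOL_START),
    ("AP->client", build_eap_frame(1, 2, 1, ID_REQ_OPTS)),
    ("client->AP", build_eap_frame(2, 1, 1, b"host/EXAMPLE-PC.example.com")),  # stale reply to id 1
    ("client->AP", build_eap_frame(2, 2, 1, b"host/EXAMPLE-PC.example.com")),
    ("AP->client", TLS_START),  # server starts EAP-TLS; no Response follows
]

if __name__ == "__main__":
    for direction, frame in SAMPLE_EXCHANGE:
        print(direction, parse_eapol(frame))
    print(audit_exchange(SAMPLE_EXCHANGE))
```

Running it prints each decoded frame and an audit result showing one Identifier mismatch and an unanswered Request `(3, "EAP-TLS")`. To apply it to a real dump, paste the hex columns of one "EAPOL pak dump" into `bytes.fromhex(...)` and call `parse_eapol`; a `tls["start"]` of `True` with no later `Response` of type EAP-TLS from the client means the supplicant never began the TLS handshake.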

All replies