ExtremeWireless 10.11.03.0004- 802.1x EAP-TLS auth failed
‎11-10-2016 09:00 PM
Greetings,
I have a customer running a PoC, and we have had problems with 802.1x EAP-TLS authentication since yesterday.
No workstation is able to authenticate on an 802.1x VNS, while the legacy Cisco solution is still working fine. All workstations use EAP-TLS for authentication (certificate installed).
Maybe it's related to the new Microsoft update (https://support.microsoft.com/en-us/kb/3199173) they deployed yesterday?
The customer is running EW 10.11.03.0004.
The NPS logs show information like this:
Logging Results:
Accounting information was written to the local log file.
Reason Code: 22
Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
Running some sniffing, we got something interesting:
- The user tries to connect to the network and the EW sends an Access-Request to the NPS.
- The NPS answers with an Access-Challenge. Inside the packet, there's an EAP-Message (79) indicating the type as "TLS EAP (EAP-TLS) (13)".
- The EW sends another Access-Request with an EAP-Message (79) containing "Type: Legacy Nak (Response Only) (3)" and "Desired Auth Type: Protected EAP (EAP-PEAP) (25)".
- The NPS sends an Access-Reject message with "Code: Failure (4)".
Does this make sense? The customer is trying our solution to replace the existing Cisco infrastructure, but now we are in trouble.
We asked GTAC, but nothing has been reported so far.
Any ideas? Maybe something needs to be fixed in a new FW release?
Best regards,
-Leo
9 REPLIES
‎11-11-2016 01:13 AM
Have we tried going to 10.11.04?
‎11-10-2016 11:23 PM
Greetings,
We are running a further investigation...
Maybe the KB wasn't the only problem.
I'll keep you informed about our progress to try to really pinpoint the root cause.
Best regards,
-Leo
‎11-10-2016 11:12 PM
Greetings Pala and Jeremy,
Following up on the issue, the customer called me to tell me that the Cisco solution had suddenly stopped working too...
Some suspicion arose about the MS KB3199173 update, and the customer decided to uninstall it and voilà ... everything came back to life!
Both the Cisco and Extreme wireless solutions are operational without touching anything in the configs, just by uninstalling the KB from the PC clients.
MS messed something up in this update. The customer started a WSUS operation to mass-uninstall this KB from all PCs in the infrastructure.
Maybe someone from Wireless Engineering/PM should take a look at it to avoid issues with other customers, and maybe inform the GTAC team about our findings.
Thank you for your help!
Best regards,
-Leo
‎11-10-2016 09:27 PM
Have you verified that the server and client certs are all valid? Also, make sure the date / time is correct on the RADIUS server. I have seen time drift cause this error before. I suggest using an NTP server for everything (just making some suggestions).
Also, check to make sure EAP-MSCHAPv2 is selected for your authentication methods ...
‎11-10-2016 09:24 PM
Hi Leo. The controller/AP is only encapsulating/decapsulating the traffic from EAPoL to EAP in the RADIUS protocol. If there is a wrong EAP type, it is on the client or on the RADIUS server. I would focus on client/RADIUS server troubleshooting. You may check in the Wireshark capture what EAP type is being sent by the client... Good luck! Z.
Regards
Zdeněk Pala
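The exchange Leo sniffed in the original post (Access-Challenge offering EAP-TLS, client Legacy Nak asking for PEAP, Access-Reject) and Zdeněk's advice to check which EAP type the client actually sends can both be automated with a small decoder. The following is an added example, not code from the thread or from Extreme: it parses RADIUS packets, joins the EAP-Message (79) fragments, decodes the EAP header, and flags a Legacy Nak together with the method the server had offered. The four sample packets are constructed inline with a zeroed Authenticator (a real RADIUS packet carries a random/MD5 Authenticator; it is ignored here because only the EAP payload matters for this check), and the identity "host/pc01" is a made-up value.

```python
import struct

# Constructed lookup tables (IANA-assigned values; names are shortened).
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Legacy Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
ATTR_EAP_MESSAGE = 79


def parse_radius(pkt: bytes):
    """Return (code, identifier, [(attr_type, value), ...]) for one RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20  # skip the 16-byte Authenticator
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def extract_eap(attrs):
    """Concatenate all EAP-Message fragments (RFC 3579 allows several per packet)."""
    return b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)


def parse_eap(eap: bytes):
    """Decode the EAP header; for a Legacy Nak also list the desired auth types."""
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length field does not match payload")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "type": None, "desired": []}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type field
        etype = eap[4]
        info["type"] = EAP_TYPES.get(etype, etype)
        if etype == 3:  # Nak: type-data is the list of methods the peer would accept
            info["desired"] = [EAP_TYPES.get(b, b) for b in eap[5:]]
    return info


def describe_exchange(packets):
    """One summary line per RADIUS packet; a Nak is annotated with what the server offered."""
    offered, out = None, []
    for pkt in packets:
        code, _, attrs = parse_radius(pkt)
        line = RADIUS_CODES.get(code, str(code))
        eap = extract_eap(attrs)
        if eap:
            e = parse_eap(eap)
            line += f": EAP {e['code']}" + (f" type={e['type']}" if e["type"] is not None else "")
            if e["code"] == "Request" and e["type"] not in (None, "Identity", "Legacy Nak"):
                offered = e["type"]  # the method the server proposed
            if e["type"] == "Legacy Nak":
                line += f" (server offered {offered}, client wants {e['desired']})"
        out.append(line)
    return out


# Helpers to build the constructed sample packets below.
def radius_pkt(code, ident, eap=b""):
    attrs = bytes([ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap if eap else b""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs  # zeroed Authenticator


def eap_pkt(code, ident, etype=None, data=b""):
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed reproduction of the four packets from the post (identity is made up).
SAMPLE_EXCHANGE = [
    radius_pkt(1, 1, eap_pkt(2, 1, 1, b"host/pc01")),   # Access-Request carrying EAP Identity
    radius_pkt(11, 1, eap_pkt(1, 2, 13, b"\x20")),      # Access-Challenge: EAP-TLS with Start flag
    radius_pkt(1, 2, eap_pkt(2, 2, 3, b"\x19")),        # Access-Request: Legacy Nak, desires PEAP (25)
    radius_pkt(3, 2, eap_pkt(4, 2)),                    # Access-Reject with EAP Failure
]

if __name__ == "__main__":
    for line in describe_exchange(SAMPLE_EXCHANGE):
        print(line)
```

Fed with the raw UDP payloads of a capture (exported from Wireshark or read with a pcap library), the third line makes the mismatch visible at a glance: the server offered EAP-TLS and the supplicant answered with a Nak asking for PEAP, which is exactly the combination that produces NPS reason code 22. Because the controller only relays EAPoL into RADIUS, that line points the investigation at the supplicant configuration on the client rather than at the wireless side.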
