Gents,

The scenario: Cisco AP in Flex Connect Local-Switching and authenticating
802.1x against ISE without incident. No special considerations necessary,
EAP-FAST(EAP-TLS), anonymous PAC provisioning. When the wireless deployment
changes to local-mode, 802.1x authentication for the AP breaks. Same
EAP-FAST(EAP-TLS) with anonymous PAC provisioning. ISE reports: "12154
EAP-FAST failed SSL/TLS handshake after a client alert". The OpenSSL errors
include:

SSL alert: code=0x20A=522 ; source=remote ; type=fatal ; message="unexpected_message"

47010861041984:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:1102:SSL alert number 10

My question: I'm unable to find any Cisco documentation that dictates any
special considerations that must be made between wireless deployment modes.
Why does this work in Flex Connect Local-Switching but not in Local Mode?

My current train of thought (feel free to derail if I'm off base): As you
know, in Local Mode all traffic is tunneled back to the controller (CAPWAP).
All of what ISE reports is showing the switch as the NAD, and that is what I
expect to see. However, after the EAP-FAST tunnel is built, the
communications seem to fail and therefore the EAP-TLS inner method fails. I'm
wondering if the AP is sending the EAP-TLS session through the CAPWAP tunnel
rather than the EAP-FAST tunnel as it should. Is this possible, or am I just
chasing my tail?

Kind Regards,

Kevin Sheahan
CCIE # 41349 (Security)

_______________________________________________
Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::

iPexpert on YouTube: www.youtube.com/ipexpertinc

Reply via email to
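An added example, not part of Kevin's post and not Cisco, ISE or OpenSSL code: the ISE line "code=0x20A=522" and the OpenSSL line "error:140943F2 ... SSL alert number 10" quoted above are two encodings of the same TLS alert sent by the supplicant side of the EAP-FAST tunnel. The Python below unpacks both (the ISE value is the two alert bytes read as one number; the pre-3.0 OpenSSL code packs library, function and reason, with SSL alert reasons at offset 1000) and also parses a raw TLS alert record. The alert record bytes and the TLS 1.0 version in them are constructed here for illustration, not captured from the deployment described; the alert-name table covers the common descriptions only.

```python
"""Decode the TLS alert reported by ISE and the matching OpenSSL error code.

Added example (not from the original post, and not ISE, Cisco or OpenSSL code).
It shows that "code=0x20A=522" and "error:140943F2 ... SSL alert number 10"
both mean level=2 (fatal), description=10 (unexpected_message).
"""

# TLS alert level and description names (RFC 5246 section 7.2; common subset).
TLS_ALERT_LEVELS = {1: "warning", 2: "fatal"}
TLS_ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    50: "decode_error",
    51: "decrypt_error",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    90: "user_canceled",
    100: "no_renegotiation",
}
TLS_CONTENT_TYPE_ALERT = 21

# OpenSSL 1.x packs an error code as lib:8 bits | func:12 bits | reason:12 bits.
ERR_LIB_SSL = 20
# SSL alert reasons are SSL_AD_REASON_OFFSET (1000) + the TLS alert description.
SSL_AD_REASON_OFFSET = 1000


def decode_ise_alert_code(code):
    """ISE's 'code=0x20A' is the two alert bytes (level, description) as one big-endian int."""
    level, desc = code >> 8, code & 0xFF
    return {
        "level": level,
        "level_name": TLS_ALERT_LEVELS.get(level, "unknown"),
        "description": desc,
        "description_name": TLS_ALERT_DESCRIPTIONS.get(desc, "unknown"),
    }


def parse_tls_alert_record(record):
    """Parse a raw TLS record (type, version, length, body) and return its alert.

    An unencrypted alert body is exactly two bytes: level then description.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype = record[0]
    version = (record[1] << 8) | record[2]
    length = (record[3] << 8) | record[4]
    if ctype != TLS_CONTENT_TYPE_ALERT:
        raise ValueError("not an alert record (content type %d)" % ctype)
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly two bytes")
    result = decode_ise_alert_code((body[0] << 8) | body[1])
    result["record_version"] = "0x%04x" % version
    return result


def decode_openssl_error(code):
    """Unpack an OpenSSL 1.x error code such as 0x140943F2 into lib/func/reason.

    The function number is left numeric; the page's own message already names
    it (SSL3_READ_BYTES).  Only the reason is mapped back to a TLS alert.
    """
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    result = {"lib": lib, "func": func, "reason": reason, "alert": None}
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        result["alert"] = reason - SSL_AD_REASON_OFFSET
        result["alert_name"] = TLS_ALERT_DESCRIPTIONS.get(result["alert"], "unknown")
    return result


# Constructed sample (assumption, not a capture): the alert record a supplicant
# would send inside the tunnel: type 21, version 0x0301, length 2, fatal(2)/unexpected_message(10).
SAMPLE_ALERT_RECORD = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x0A])


def alerts_agree(ise_code, openssl_code, record):
    """True when all three encodings name the same TLS alert description."""
    a = decode_ise_alert_code(ise_code)["description"]
    b = decode_openssl_error(openssl_code)["alert"]
    c = parse_tls_alert_record(record)["description"]
    return a == b == c


if __name__ == "__main__":
    print(decode_ise_alert_code(0x20A))
    print(decode_openssl_error(0x140943F2))
    print(parse_tls_alert_record(SAMPLE_ALERT_RECORD))
    print("all three agree:", alerts_agree(0x20A, 0x140943F2, SAMPLE_ALERT_RECORD))
```

The useful takeaway for triage is in the decode: "source=remote" plus a fatal unexpected_message means the peer of the ISE TLS stack (the supplicant, through the NAD) rejected a message it received, so the message that was out of sequence was one ISE sent, not one ISE received.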