Are you using Virtual WLC? I was told by an engineer from Wireless that if you 
are running Virtual WLC, you must run FlexConnect. 

Mike Rojas


From: [email protected]
To: [email protected]
Date: Fri, 13 Dec 2013 09:46:33 -0500
Subject: [OSL | CCIE_Security] 802.1x AP Authentication

Gents, the scenario: Cisco AP in FlexConnect Local-Switching and 
authenticating 802.1x against ISE without incident. No special considerations 
necessary, EAP-FAST(EAP-TLS), anonymous PAC provisioning. When the wireless 
deployment changes to local-mode, 802.1x authentication for the AP breaks. Same 
EAP-FAST(EAP-TLS) with anonymous PAC provisioning.

ISE reports: 12154 EAP-FAST failed SSL/TLS handshake after a client alert. 
OpenSSL errors include:

SSL alert: code=0x20A=522 ; source=remote ; type=fatal ; message="unexpected_message"
47010861041984:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:1102:SSL alert number 10

My question: I'm unable to find any Cisco documentation that dictates any 
special considerations that must be made between wireless deployment modes. 
Why does this work in FlexConnect Local-Switching but not in Local Mode?

My current train of thought (feel free to derail if I'm off base): As you 
know, in Local Mode all traffic is tunneled back to the controller (CAPWAP). 
All of what ISE reports is showing the switch as the NAD, and that is what I 
expect to see. However, after the EAP-FAST tunnel is built, the communications 
seem to fail and therefore the EAP-TLS inner method fails. I'm wondering if the 
AP is sending the EAP-TLS session through the CAPWAP tunnel rather than the 
EAP-FAST tunnel as it should. Is this possible, or am I just chasing my tail?

Kind Regards,
Kevin Sheahan
CCIE # 41349 (Security)
_______________________________________________
Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::

iPexpert on YouTube: www.youtube.com/ipexpertinc                                
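The two error strings Kevin quotes describe the same TLS alert in two encodings. The script below is an added example (not from either mail, and not a Cisco or ISE tool) that parses both: it splits ISE's two-byte code 0x20A into level 2 (fatal) and description 10 (unexpected_message), checks that against the words ISE printed, and confirms it is the same alert number OpenSSL logs. The alert table and the sample lines are constructed for the example, copied from the thread.

```python
import re

# TLS alert levels and descriptions (RFC 5246 section 7.2). This subset
# is an assumption of the added example, not data from the mail thread.
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
}

# Constructed samples reproducing the two strings quoted in the thread.
ISE_LINE = ('SSL alert: code=0x20A=522 ; source=remote ; type=fatal ; '
            'message="unexpected_message"')
OPENSSL_LINE = ('47010861041984:error:140943F2:SSL routines:SSL3_READ_BYTES:'
                'sslv3 alert unexpected message:s3_pkt.c:1102:SSL alert number 10')

ISE_RE = re.compile(r'code=0x([0-9A-Fa-f]+)=(\d+)\s*;\s*source=(\w+)\s*;'
                    r'\s*type=(\w+)\s*;\s*message="([^"]*)"')

def decode_ise_alert(line):
    """Decode the two-byte alert code in an ISE 'SSL alert:' line.

    The code is (level << 8) | description, so 0x20A splits into
    level 2 (fatal) and description 10 (unexpected_message).
    """
    m = ISE_RE.search(line)
    if not m:
        raise ValueError("not an ISE SSL alert line")
    hex_code, dec_code, source, logged_type, logged_msg = m.groups()
    code = int(hex_code, 16)
    if code != int(dec_code):
        raise ValueError("hex and decimal alert codes disagree")
    level, desc = code >> 8, code & 0xFF
    level_name = ALERT_LEVELS.get(level, "unknown")
    desc_name = ALERT_DESCRIPTIONS.get(desc, "unknown")
    return {
        "level": level, "level_name": level_name,
        "description": desc, "description_name": desc_name,
        # source=remote: the alert was sent by the peer (the supplicant),
        # which matches ISE's "after a client alert" wording.
        "sent_by_peer": source == "remote",
        # Cross-check the decoded bytes against the words ISE printed.
        "consistent": level_name == logged_type and desc_name == logged_msg,
    }

def openssl_alert_number(line):
    """Pull the alert description number out of the OpenSSL error string."""
    m = re.search(r'SSL alert number (\d+)', line)
    return int(m.group(1)) if m else None

def alerts_agree(ise_line, openssl_line):
    """True when ISE's decoded description equals OpenSSL's alert number."""
    return decode_ise_alert(ise_line)["description"] == openssl_alert_number(openssl_line)
```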