Hi Mike. No, I am not using vWLC, but that's good info that I'll have to keep
in mind going forward. Thanks for your response.

Kevin Sheahan

CCIE # 41349 (Security)

 

From: Mike Rojas [mailto:mike_c...@hotmail.com] 
Sent: Friday, December 13, 2013 2:13 PM
To: Kevin Sheahan; ccie_security@onlinestudylist.com
Subject: RE: [OSL | CCIE_Security] 802.1x AP Authentication

 

Are you using Virtual WLC? I was told by an engineer from Wireless that if
you are running Virtual WLC, you must run FlexConnect. 

Mike Rojas



  _____  

From: sheaha...@gmail.com
To: ccie_security@onlinestudylist.com
Date: Fri, 13 Dec 2013 09:46:33 -0500
Subject: [OSL | CCIE_Security] 802.1x AP Authentication

Gents,

The scenario: Cisco AP in FlexConnect local switching, authenticating
802.1x against ISE without incident. No special considerations necessary:
EAP-FAST (EAP-TLS), anonymous PAC provisioning. When the wireless deployment
changes to local mode, 802.1x authentication for the AP breaks. Same
EAP-FAST (EAP-TLS) with anonymous PAC provisioning. ISE reports: 12154
EAP-FAST failed SSL/TLS handshake after a client alert. OpenSSL errors
include:

SSL alert: code=0x20A=522 ; source=remote ; type=fatal ; message="unexpected_message"

47010861041984:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:1102:SSL alert number 10

 

My question: I'm unable to find any Cisco documentation that dictates any
special considerations that must be made between wireless deployment modes.
Why does this work in FlexConnect local switching but not in local mode?

 

My current train of thought (feel free to derail if I'm off base): As you
know, in local mode all traffic is tunneled back to the controller (CAPWAP).
All of what ISE reports is showing the switch as the NAD, and that is what I
expect to see. However, after the EAP-FAST tunnel is built, the
communications seem to fail and therefore the EAP-TLS inner method fails. I'm
wondering if the AP is sending the EAP-TLS session through the CAPWAP tunnel
rather than the EAP-FAST tunnel as it should. Is this possible, or am I just
chasing my tail?

 

Kind Regards,

 

Kevin Sheahan

CCIE # 41349 (Security)

 


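As an added worked example (not part of Kevin's post, and not Cisco or ISE code): the two error strings quoted in the original message can be decoded mechanically, which is the first check worth doing before theorising about tunnels. ISE's "code=0x20A" is the raw two-byte TLS Alert record (level byte 0x02 = fatal, description byte 0x0A = 10 = unexpected_message, RFC 5246 section 7.2), and OpenSSL's "140943F2" is a packed error code (OpenSSL 1.0.x ERR_PACK layout: 8-bit library, 12-bit function, 12-bit reason) whose reason 0x3F2 = 1010 is 1000 plus the alert number, the offset OpenSSL uses to report a fatal alert received from the peer. The script below parses both lines as they appear in the post and cross-checks that they describe the same alert; "source=remote" on the ISE side means the alert was sent by the peer, i.e. the AP's supplicant, not ISE, is the side that saw a handshake message it did not expect. The regexes and the alert-name table are this example's own assumptions, not ISE's parser.

```python
"""Decode the ISE / OpenSSL alert strings from a failed EAP-FAST (TLS) handshake.

Added example for this thread, not code from the post or from Cisco ISE.
Rules used: RFC 5246 section 7.2 (TLS Alert record = level byte, description
byte) and the OpenSSL 1.0.x ERR_PACK layout (library<<24 | function<<12 | reason),
where an SSL-library reason of 1000 + N means "peer sent fatal alert N".
The regexes and the alert-name table below are this example's own assumptions.
"""
import re

# Input lines, copied from the post (the mail client had wrapped them).
ISE_LINE = ('SSL alert: code=0x20A=522 ; source=remote ; type=fatal ; '
            'message="unexpected_message"')
OPENSSL_LINE = ('47010861041984:error:140943F2:SSL routines:SSL3_READ_BYTES:'
                'sslv3 alert unexpected message:s3_pkt.c:1102:SSL alert number 10')

# RFC 5246 section 7.2 AlertDescription values (subset).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 30: "decompression_failure", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

ERR_LIB_SSL = 20             # OpenSSL library id 0x14 (ERR_LIB_SSL)
SSL_AD_REASON_OFFSET = 1000  # SSL_R_* reason for a received alert = 1000 + description

ISE_ALERT_RE = re.compile(
    r'SSL alert: code=0x([0-9A-Fa-f]+)=(\d+)\s*;\s*source=(\w+)\s*;\s*'
    r'type=(\w+)\s*;\s*message="([^"]*)"')
OPENSSL_ERR_RE = re.compile(
    r'error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+)'
    r'(?::SSL alert number (\d+))?')


def decode_alert_record(code: int) -> dict:
    """Split a two-byte TLS Alert value (e.g. 0x20A) into level and description."""
    level, desc = code >> 8, code & 0xFF
    return {"level": ALERT_LEVELS.get(level, f"unknown({level})"),
            "description": desc,
            "name": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}


def parse_ise_alert(line: str) -> dict:
    """Parse ISE's 'SSL alert: code=0x...' line and check its labels against the raw code."""
    m = ISE_ALERT_RE.search(line)
    if not m:
        raise ValueError("not an ISE SSL alert line")
    hex_code, dec_code, source, level_label, msg = m.groups()
    code = int(hex_code, 16)
    if code != int(dec_code):
        raise ValueError(f"hex {hex_code} and decimal {dec_code} disagree")
    out = decode_alert_record(code)
    out["sent_by_peer"] = (source == "remote")
    out["labels_match"] = (out["level"] == level_label and out["name"] == msg)
    return out


def parse_openssl_error(line: str) -> dict:
    """Unpack OpenSSL's 'error:LLFFFRRR:lib:func:reason:file:line' string."""
    m = OPENSSL_ERR_RE.search(line)
    if not m:
        raise ValueError("not an OpenSSL error line")
    packed = int(m.group(1), 16)
    lib, func, reason = (packed >> 24) & 0xFF, (packed >> 12) & 0xFFF, packed & 0xFFF
    out = {"library": lib, "function": func, "reason": reason,
           "lib_name": m.group(2), "func_name": m.group(3), "reason_text": m.group(4),
           "file": m.group(5), "line": int(m.group(6)),
           "alert_description": None, "alert_name": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        desc = reason - SSL_AD_REASON_OFFSET
        out["alert_description"] = desc
        out["alert_name"] = ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")
        # OpenSSL appends the same number as error data; make sure they agree.
        if m.group(7) is not None and int(m.group(7)) != desc:
            raise ValueError("packed reason and 'SSL alert number' disagree")
    return out


def summarize(ise_line: str = ISE_LINE, openssl_line: str = OPENSSL_LINE) -> dict:
    """Cross-check both log sources and say who sent which alert."""
    ise = parse_ise_alert(ise_line)
    ossl = parse_openssl_error(openssl_line)
    return {
        "alert": ise["description"],
        "name": ise["name"],
        "level": ise["level"],
        "sent_by_peer": ise["sent_by_peer"],
        "sources_agree": ossl["alert_description"] == ise["description"],
        "openssl_function": f'{ossl["func_name"]} (0x{ossl["function"]:03x})',
    }


if __name__ == "__main__":
    s = summarize()
    who = "peer (supplicant)" if s["sent_by_peer"] else "local side (ISE)"
    print(f'{who} sent {s["level"]} alert {s["alert"]} ({s["name"]}); '
          f'OpenSSL in {s["openssl_function"]}; sources agree: {s["sources_agree"]}')
```

Run it as-is and it reports that the peer sent fatal alert 10 (unexpected_message) and that the ISE and OpenSSL lines agree. Any other ISE "SSL alert: code=0x..." line from a 12154 failure can be fed to summarize() the same way; a mismatch between the two sources, or an alert name ISE prints that does not match the raw code, is worth a TAC case on its own.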
_______________________________________________ Free CCIE R&S,
Collaboration, Data Center, Wireless & Security Videos :: iPexpert on
YouTube: www.youtube.com/ipexpertinc <http://www.youtube.com/ipexpertinc> 
