Hi Kevin,

No matter whether it is flex or local, dot1x is always performed by the AP. The only thing you normally need to do for flex is to send device-traffic-class=switch to put the port in trunk mode if you have VLAN mappings, but AFAIK nothing particular for the authentication...

I would check debug eap xxx on the AP and see why it sends an alert.

2013/12/13 Kevin Sheahan <sheaha...@gmail.com>

> Gents,
>
> The scenario: Cisco AP in Flex Connect Local-Switching and authenticating 802.1x against ISE without incident. No special considerations necessary, EAP-FAST(EAP-TLS), anonymous PAC provisioning. When the wireless deployment changes to local-mode, 802.1x authentication for the AP breaks. Same EAP-FAST(EAP-TLS) with anonymous PAC provisioning. ISE reports: *12154 EAP-FAST failed SSL/TLS handshake after a client alert*. OpenSSL errors include: *SSL alert: code=0x20A=522 ; source=remote ; type=fatal ; message="unexpected_message"* and *47010861041984:error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:1102:SSL alert number 10*.
>
> My question: I'm unable to find any Cisco documentation that dictates any special considerations that must be made between wireless deployment modes. Why does this work in Flex Connect Local-Switching but not in Local Mode?
>
> My current train of thought (feel free to derail if I'm off base): As you know, in Local Mode all traffic is tunneled back to the controller (CAPWAP). All of what ISE reports is showing the switch as the NAD, and that is what I expect to see. However, after the EAP-FAST tunnel is built, the communications seem to fail and therefore EAP-TLS inner method fails. I'm wondering if the AP is sending the EAP-TLS session through the CAPWAP tunnel rather than the EAP-FAST tunnel as it should. Is this possible, or am I just chasing my tail?
>
> Kind Regards,
>
> Kevin Sheahan
> CCIE # 41349 (Security)
>
> _______________________________________________
> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
> iPexpert on YouTube: www.youtube.com/ipexpertinc
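Added example, not part of the original thread: a short Python decoder for the two ISE/OpenSSL log lines quoted above, showing that both describe the same fatal TLS alert 10 (unexpected_message) sent by the remote peer. The function names are hypothetical, and the library/function/reason bit layout assumes the OpenSSL 1.0.x error packing.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2); subset chosen for this example.
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# OpenSSL reports a received alert as reason 1000 + alert description.
SSL_AD_REASON_OFFSET = 1000


def decode_alert_code(code):
    """Split OpenSSL's packed alert value (level << 8 | description)."""
    level, desc = code >> 8, code & 0xFF
    return ALERT_LEVELS.get(level, "unknown"), desc, ALERT_DESCRIPTIONS.get(desc, "unknown")


def decode_error_code(packed):
    """Split a packed error (assumed 1.0.x layout): 8-bit lib, 12-bit func, 12-bit reason."""
    return (packed >> 24) & 0xFF, (packed >> 12) & 0xFFF, packed & 0xFFF


def summarize(alert_line, error_line):
    """Decode both log lines and check that they describe the same alert."""
    code = int(re.search(r"code=(0x[0-9A-Fa-f]+)", alert_line).group(1), 16)
    level, desc, name = decode_alert_code(code)
    packed = int(re.search(r"error:([0-9A-Fa-f]{8}):", error_line).group(1), 16)
    lib, func, reason = decode_error_code(packed)
    return {
        "level": level, "alert": desc, "name": name,
        "lib": lib, "func": func, "reason": reason,
        "consistent": reason == SSL_AD_REASON_OFFSET + desc,
    }


# The two log lines exactly as quoted in the thread.
ALERT_LINE = 'SSL alert: code=0x20A=522 ; source=remote ; type=fatal ; message="unexpected_message"'
ERROR_LINE = ("47010861041984:error:140943F2:SSL routines:SSL3_READ_BYTES:"
              "sslv3 alert unexpected message:s3_pkt.c:1102:SSL alert number 10")

if __name__ == "__main__":
    print(summarize(ALERT_LINE, ERROR_LINE))
```

Library 20 is OpenSSL's SSL library, which matches the "SSL routines" text in the error line.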