Had the same problem with a Lab environment at home. What's the model of
the AP and the WLC?

In my case it meant that the AP could not run 802.1x because of the model
of network board installed on it. For some reason it was not ready and the
firmware version 12.x could not upgrade its firmware, so after debugging and
trying to fix it I just gave up because Cisco told me it was impossible. So I
changed the model of the AP.

BR,
Bruno Silva.


2013/12/15 Bastien Migette <bastien.mige...@gmail.com>

> Hi Kevin, No matter of flex or local, dot1x is always performed by the AP.
> The only thing you need to do for flex is normally to send
> device-traffic-class=switch to put the port in trunk mode if you have vlan
> mappings, but AFAIK nothing particular for the authentication...
>
> I would check debug eap xxx on the AP and see why it sends an alert.
>
>
> 2013/12/13 Kevin Sheahan <sheaha...@gmail.com>
>
>> Gents,
>>
>> The scenario: Cisco AP in Flex Connect Local-Switching and authenticating
>> 802.1x against ISE without incident. No special considerations necessary,
>> EAP-FAST(EAP-TLS), anonymous PAC provisioning. When the wireless deployment
>> changes to local-mode, 802.1x authentication for the AP breaks. Same
>> EAP-FAST(EAP-TLS) with anonymous PAC provisioning. ISE reports: *12154
>> EAP-FAST failed SSL/TLS handshake after a client alert*. Open SSL Errors
>> include: *SSL alert: code=0x20A=522 ; source=remote ; type=fatal ;
>> message="unexpected_message" *and *47010861041984:error:140943F2:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:1102:SSL
>> alert number 10*.
>>
>> My question: I’m unable to find any Cisco documentation that dictates any
>> special considerations that must be made between wireless deployment modes.
>> Why does this work in Flex Connect Local-Switching but not in Local Mode?
>>
>> My current train of thought (feel free to derail if I’m off base): As you
>> know, in Local Mode all traffic is tunneled back to the controller
>> (CAPWAP). All of what ISE reports is showing the switch as the NAD, and
>> that is what I expect to see. However, after the EAP-FAST tunnel is built,
>> the communications seem to fail and therefore EAP-TLS inner method fails.
>> I’m wondering if the AP is sending the EAP-TLS session through the CAPWAP
>> tunnel rather than the EAP-FAST tunnel as it should. Is this possible, or I
>> am just chasing my tail?
>>
>> Kind Regards,
>>
>> Kevin Sheahan
>> CCIE # 41349 (Security)
>>
>> _______________________________________________
>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>
>> iPexpert on YouTube: www.youtube.com/ipexpertinc
>>



-- 
Bruno Silva
Network Consultant
Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
Arcsight Professional Certified - ACIA/ACSA