There is another thing to mention: ISE will always send an Access-Reject
after successful PAC provisioning (so the NAD will not grant network access
right after PAC provisioning), and the switch will therefore enter the auth
fail state. It might take a while for reauth to happen.

Example after setting an AP to FlexConnect in my lab:

Dec 16 15:39:16.164: %AUTHMGR-5-START: Starting 'dot1x' for client
(7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C
bast_3560#
bast_3560#
Dec 16 15:39:30.878: %DOT1X-5-FAIL: Authentication failed for client
(7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C
Dec 16 15:39:30.878: %AUTHMGR-7-RESULT: Authentication result 'fail' from
'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID
0A96331D000007D916424C9C
bast_3560#
Dec 16 15:39:30.878: %AUTHMGR-5-FAIL: Authorization failed or unapplied for
client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID
0A96331D000007D916424C9C


==60Sec default reauth timer

Dec 16 15:40:31.083: %AUTHMGR-5-START: Starting 'dot1x' for client
(7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC
Dec 16 15:40:31.385: %DOT1X-5-SUCCESS: Authentication successful for client
(7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC
Dec 16 15:40:31.385: %AUTHMGR-7-RESULT: Authentication result 'success'
from 'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID
0A96331D000007DA1644D6EC
Dec 16 15:40:31.385: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 7c69.f6bc.5e05|
AuditSessionID 0A96331D000007DA1644D6EC| AUTHTYPE DOT1X| EVENT APPLY
Dec 16 15:40:31.511: %AUTHMGR-5-SUCCESS: Authorization succeeded for client
(7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC

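To make the behaviour above easy to spot in switch logs, here is an added example (my code, not from the original message or from Cisco) that parses the `%DOT1X-5-FAIL` / `%DOT1X-5-SUCCESS` syslog records and pairs each failure with the next result for the same MAC and interface. A failure followed by a success in a fresh AuditSessionID inside the reauth window is labelled as the expected post-PAC-provisioning reject, while a failure followed by another failure is labelled a persistent failure (the kind of thing worth chasing in `debug eap` on the AP). The sample log is the one from the message, with the mail-wrapped lines joined back into one record each; the year (2013) comes from the thread date, and the 120-second window is an assumption, roughly double the 60-second reauth timer seen above.

```python
import re
from datetime import datetime

# Constructed sample: the switch log from the message above, one syslog
# record per line (the mail client had wrapped them).
SAMPLE_LOG = """\
Dec 16 15:39:16.164: %AUTHMGR-5-START: Starting 'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C
Dec 16 15:39:30.878: %DOT1X-5-FAIL: Authentication failed for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C
Dec 16 15:39:30.878: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C
Dec 16 15:39:30.878: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007D916424C9C
Dec 16 15:40:31.083: %AUTHMGR-5-START: Starting 'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC
Dec 16 15:40:31.385: %DOT1X-5-SUCCESS: Authentication successful for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC
Dec 16 15:40:31.385: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC
Dec 16 15:40:31.385: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 7c69.f6bc.5e05| AuditSessionID 0A96331D000007DA1644D6EC| AUTHTYPE DOT1X| EVENT APPLY
Dec 16 15:40:31.511: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (7c69.f6bc.5e05) on Interface Fa0/3 AuditSessionID 0A96331D000007DA1644D6EC
"""

# IOS syslog prefix: timestamp, then %FACILITY-SEVERITY-MNEMONIC:, then text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): %(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z_]+): (?P<msg>.*)$"
)
# Client identity as printed by the AUTHMGR/DOT1X messages.
CLIENT_RE = re.compile(
    r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) on Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<session>[0-9A-F]+)"
)

RESULT_MNEMONICS = {"DOT1X-5-FAIL": "fail", "DOT1X-5-SUCCESS": "success"}


def parse_log(text, year=2013):
    """Extract dot1x authentication results as dicts (ts, result, mac, intf, session)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("mnemonic") not in RESULT_MNEMONICS:
            continue
        c = CLIENT_RE.search(m.group("msg"))
        if not c:
            continue
        # IOS timestamps carry no year; the caller supplies it.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S.%f")
        events.append({
            "ts": ts,
            "result": RESULT_MNEMONICS[m.group("mnemonic")],
            "mac": c.group("mac"),
            "intf": c.group("intf"),
            "session": c.group("session"),
        })
    return events


def classify(events, reauth_window_s=120):
    """Pair each dot1x failure with the next result on the same (MAC, interface).

    Returns (mac, intf, verdict, seconds_to_next). Verdicts:
      provisioning_reject  fail, then success in a new session within the window
      late_recovery        fail, then success, but only after the window
      persistent_fail      fail, then another fail
      unresolved           fail with no later result in the log
    """
    by_port = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_port.setdefault((e["mac"], e["intf"]), []).append(e)

    verdicts = []
    for (mac, intf), seq in by_port.items():
        for i, e in enumerate(seq):
            if e["result"] != "fail":
                continue
            if i + 1 >= len(seq):
                verdicts.append((mac, intf, "unresolved", None))
                continue
            nxt = seq[i + 1]
            delta = (nxt["ts"] - e["ts"]).total_seconds()
            if nxt["result"] == "fail":
                verdict = "persistent_fail"
            elif nxt["session"] != e["session"] and delta <= reauth_window_s:
                verdict = "provisioning_reject"
            else:
                verdict = "late_recovery"
            verdicts.append((mac, intf, verdict, delta))
    return verdicts


if __name__ == "__main__":
    for mac, intf, verdict, delta in classify(parse_log(SAMPLE_LOG)):
        print(f"{mac} {intf}: {verdict} (next result after {delta}s)")
```

On the sample above this reports a single `provisioning_reject` for 7c69.f6bc.5e05 on Fa0/3 with the next result about 60.5 seconds later, matching the reauth timer annotation. A run of `persistent_fail` verdicts for an AP would instead point at the kind of handshake problem Kevin describes further down the thread.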



2013/12/16 Bruno Silva <auranpr...@gmail.com>

> Had the same problem with a Lab environment at home. What's the model of
> the AP and the WLC?
>
> In my case it meant that the AP could not run 802.1x because of the model
> of network board installed on it. For some reason it was not ready and the
> firmware version 12.x could not upgrade its firmware, so after debugging and
> trying to fix it I just gave up because Cisco told me it was impossible. So I
> changed the model of the AP.
>
> BR,
> Bruno Silva.
>
>
> 2013/12/15 Bastien Migette <bastien.mige...@gmail.com>
>
>> Hi Kevin, no matter whether flex or local, dot1x is always performed by the AP.
>> The only thing you need to do for flex is normally to send
>> device-traffic-class=switch to put the port in trunk mode if you have vlan
>> mappings, but AFAIK nothing particular for the authentication...
>>
>> I would check debug eap xxx on the AP and see why it sends an alert.
>>
>>
>> 2013/12/13 Kevin Sheahan <sheaha...@gmail.com>
>>
>>> Gents,
>>>
>>> The scenario: Cisco AP in Flex Connect Local-Switching and
>>> authenticating 802.1x against ISE without incident. No special
>>> considerations necessary, EAP-FAST(EAP-TLS), anonymous PAC provisioning.
>>> When the wireless deployment changes to local-mode, 802.1x authentication
>>> for the AP breaks. Same EAP-FAST(EAP-TLS) with anonymous PAC provisioning.
>>> ISE reports: *12154 EAP-FAST failed SSL/TLS handshake after a client
>>> alert*. Open SSL Errors include: *SSL alert: code=0x20A=522 ;
>>> source=remote ; type=fatal ; message="unexpected_message" *and 
>>> *47010861041984:error:140943F2:SSL
>>> routines:SSL3_READ_BYTES:sslv3 alert unexpected message:s3_pkt.c:1102:SSL
>>> alert number 10*.
>>>
>>> My question: I’m unable to find any Cisco documentation that dictates
>>> any special considerations that must be made between wireless deployment
>>> modes. Why does this work in Flex Connect Local-Switching but not in Local
>>> Mode?
>>>
>>> My current train of thought (feel free to derail if I'm off base): As
>>> you know, in Local Mode all traffic is tunneled back to the controller
>>> (CAPWAP). All of what ISE reports is showing the switch as the NAD, and
>>> that is what I expect to see. However, after the EAP-FAST tunnel is built,
>>> the communications seem to fail and therefore the EAP-TLS inner method fails.
>>> I'm wondering if the AP is sending the EAP-TLS session through the CAPWAP
>>> tunnel rather than the EAP-FAST tunnel as it should. Is this possible, or am
>>> I just chasing my tail?
>>>
>>> Kind Regards,
>>>
>>> Kevin Sheahan
>>>
>>> CCIE # 41349 (Security)
>>>
>>> _______________________________________________
>>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>>
>>> iPexpert on YouTube: www.youtube.com/ipexpertinc
>>>
>>
>>
>
>
>
> --
> Bruno Silva
> Network Consultant
> Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
> Arcsight Professional Certified - ACIA/ACSA
>