Hi Gang,
I get the following auth failure for machines connecting wirelessly through a Cisco AP-1142N:
eap: Calling submodule eap_tls to process data eap_tls: Continuing EAP-TLS eap_tls: Peer indicated complete TLS record size will be 31 bytes eap_tls: Got complete TLS record (31 bytes) eap_tls: [eaptls verify] = length included eap_tls: <<< recv TLS 1.2 [length 0002] eap_tls: ERROR: TLS Alert read:fatal:access denied eap_tls: SSL_read Error eap_tls: ERROR: Error in fragmentation logic eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied eap_tls: ERROR: [eaptls process] = fail eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed eap: Sending EAP Failure (code 4) ID 12 length 4 There appears to be no method to this madness. Same setup[1] at our auxiliary site and everything works fine.
I don't know how to interpret this error, so looking for a root cause has so far escaped me. Some of our Windows 10 workstations connect without any problems, some won't. The only obvious difference between those two locations is the model of Cisco WAP involved. Could this be an authenticator issue?
Any pointers greatly appreciated!
Mike
[1] v.3.0.17 on Debian 10.3
it would be great to see the full debug output, but it looks like the EAP-Message attribute from the radius client contains TLS Alert "eap_tls: <<< recv TLS 1.2 [length 0002]" with error code 49 (access denied). Instead of alert, the client should send Client Hello.