Hi All,
Hoping the community can assist me with a weird problem I have found.
I have a CPPM 6.4.2 setup performing EAP-TLS for wired/wireless clients (Windows 7) using certificates.
The problem I have is that the initial connection attempt fails to complete across multiple controller / Cisco switch platforms. This shows up as a timeout on ClearPass (client did not complete EAP transaction) and an error on the client.
I've narrowed it down to the fact that the custom EAP-TLS method we're using in ClearPass did not have session resumption enabled. I've spent days going over packet captures and have found that every one of the fail cases was where the client was sending the EAP-TLS Client-Hello message with a 32 bit session ID.
The response from ClearPass appears to be normal in that it responds with a null session ID.
From here I ran RAS logs on Windows and found that at the end of the handshake the following error occurs:
pTlsMakeMessage(host/computer.domain.com)
[11328] 02-10 12:15:07:355: >> Received Request (Code: 1) packet: Id: 10, Length: 13, Type: 13, TLS blob length: 0. Flags:
[11328] 02-10 12:15:07:355: EapTlsCMakeMessage, state(2) flags (0x3410)
[11328] 02-10 12:15:07:355: MakeReplyMessage
[11328] 02-10 12:15:07:355: SecurityContextFunction
[11328] 02-10 12:15:07:355: InitializeSecurityContext returned 0x80090326
[11328] 02-10 12:15:07:355: Returning error -2146893018
[11328] 02-10 12:15:07:355: State change to RecdFinished. Error: 0x80090326
[11328] 02-10 12:15:07:355: BuildPacket
[11328] 02-10 12:15:07:355: << Sending Response (Code: 2) packet: Id: 10, Length: 6, Type: 13, TLS blob length: 0. Flags:
[16496] 02-10 12:15:07:371:
[16496] 02-10 12:15:07:371: EapTlsMakeMessage(host/computer.domain.com)
[16496] 02-10 12:15:07:371: >> Received Request (Code: 1) packet: Id: 11, Length: 10, Type: 13, TLS blob length: 0. Flags: L
[16496] 02-10 12:15:07:371: EapTlsCMakeMessage, state(4) flags (0x3400)
[16496] 02-10 12:15:07:371: Unexpected code: 1 in state RecdFinished
At the same time as this the windows CAPI2 event logs show a repeating error similar to this:
- UserData
- CryptCATAdminEnumCatalogFromHash
- CATQueryInfo
[ nextEnum] true
[ hash] 387E2E76C44D6BA72B38C14C4E69A2CDC8718842
- EventAuxInfo
[ ProcessName] wmpnetwk.exe
- CorrelationAuxInfo
[ TaskId] {D042E902-4537-4A2A-B11B-07E49382D159}
[ SeqNumber] 1
- Result Element not found.
[ value] 490
The client then fails to respond to the TLS Certificate request and doesn't send its user certificate, hence the session timeout occurs.
After this the client restarts the authentication attempt with a Client Hello showing a TLS session ID of 0. The process then repeats and authentication is successful.
When i enable session resumption the problem seems to go away.
This leaves me with 2 main questions:
1) Is this normal client behaviour when session resumption is not enabled? (I'm thinking no.)
2) Is there any practical / valid reason not to use session resumption for EAP-TLS?
Scott
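For anyone chasing the same symptom, the thing to check in the capture is the session ID field of the TLS ClientHello inside the EAP-Response and the session ID the ServerHello comes back with: a client that offers a non-empty ID is asking for an abbreviated (resumed) handshake, a server that echoes the same ID accepts it, and a server that answers with an empty or different ID forces a full handshake. The block below is an added example, not code from the original post or from ClearPass; it builds a constructed EAP-TLS request/response pair (a ClientHello carrying a 32-byte session ID, the TLS maximum, and a ServerHello answering with an empty one, matching the failing case described above) and decodes the EAP header, the EAP-TLS flags and the two hello messages down to the session ID so the outcome can be classified. Packet layouts follow RFC 3748 (EAP), RFC 5216 (EAP-TLS) and RFC 5246 (TLS 1.2); the cipher suite and the session-ID bytes are arbitrary sample values. For reference, the `0x80090326` that `InitializeSecurityContext` returns in the RAS trace is Schannel's `SEC_E_ILLEGAL_MESSAGE`.

```python
"""Decode the TLS session-ID negotiation carried inside EAP-TLS packets.

Constructed example (not captured from the forum poster's network): an
EAP-Response carrying a ClientHello that offers a 32-byte session ID and an
EAP-Request carrying a ServerHello that answers with an empty session ID.
"""
import os
import struct

EAP_CODE_REQUEST, EAP_CODE_RESPONSE = 1, 2
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, Start
TLS_HANDSHAKE = 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2

# Sample session ID offered by the client (arbitrary constructed value).
CLIENT_SID = bytes(range(32))


def build_hello(hs_type, session_id, version=b"\x03\x03"):
    """Return one TLS record holding a minimal ClientHello or ServerHello."""
    body = version + os.urandom(32) + bytes([len(session_id)]) + session_id
    if hs_type == HS_CLIENT_HELLO:
        body += b"\x00\x02\xc0\x2f"        # one offered cipher suite (sample value)
        body += b"\x01\x00"                # one compression method: null
    else:
        body += b"\xc0\x2f\x00"            # chosen suite, null compression
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


def build_eap_tls(code, ident, tls_data, flags=FLAG_L):
    """Wrap TLS bytes in a single-fragment EAP-TLS packet (RFC 5216 section 3.1)."""
    payload = bytes([EAP_TYPE_TLS, flags])
    if flags & FLAG_L:                     # L flag => 4-byte total TLS length follows
        payload += struct.pack("!I", len(tls_data))
    payload += tls_data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def parse_eap_tls(pkt):
    """Split an EAP-TLS packet into its header fields and the TLS bytes it carries."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_TLS:
        raise ValueError("not a well-formed EAP-TLS packet")
    flags = pkt[5]
    off = 6 + (4 if flags & FLAG_L else 0)
    return {"code": code, "id": ident, "flags": flags, "tls": pkt[off:]}


def parse_hello_session_id(tls):
    """Return (handshake_type, session_id) from the first TLS record in `tls`."""
    if tls[0] != TLS_HANDSHAKE:
        raise ValueError("first record is not a handshake record")
    hs = tls[5:]                           # skip the 5-byte record header
    hs_type = hs[0]
    if hs_type not in (HS_CLIENT_HELLO, HS_SERVER_HELLO):
        raise ValueError("not a ClientHello/ServerHello")
    sid_off = 4 + 2 + 32                   # type+length(4), version(2), random(32)
    sid_len = hs[sid_off]
    return hs_type, hs[sid_off + 1: sid_off + 1 + sid_len]


def classify_resumption(client_sid, server_sid):
    """Describe what the pair of session IDs means for the handshake."""
    if not client_sid:
        return "full handshake: client offered no session ID"
    if client_sid == server_sid:
        return "abbreviated handshake: server resumed the client's session"
    return "full handshake: server declined the offered session ID"


def analyse(client_pkt, server_pkt):
    """Return (client_sid_len, server_sid_len, verdict) for a request/response pair."""
    c_type, c_sid = parse_hello_session_id(parse_eap_tls(client_pkt)["tls"])
    s_type, s_sid = parse_hello_session_id(parse_eap_tls(server_pkt)["tls"])
    if (c_type, s_type) != (HS_CLIENT_HELLO, HS_SERVER_HELLO):
        raise ValueError("expected a ClientHello followed by a ServerHello")
    return len(c_sid), len(s_sid), classify_resumption(c_sid, s_sid)


# Constructed exchange matching the failing case: client offers an ID, server replies empty.
CLIENT_PKT = build_eap_tls(EAP_CODE_RESPONSE, 2, build_hello(HS_CLIENT_HELLO, CLIENT_SID))
SERVER_PKT = build_eap_tls(EAP_CODE_REQUEST, 3, build_hello(HS_SERVER_HELLO, b""))

if __name__ == "__main__":
    print(analyse(CLIENT_PKT, SERVER_PKT))
```

To use it on a real capture, export the EAP payload of the EAP-Message RADIUS attribute (or the EAPOL frame body) as bytes and feed the client's and the server's packets to `analyse`; if the TLS data is fragmented across several EAP packets (M flag set), reassemble the fragments first, since the parser expects the whole hello in one packet.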