Cisco Bug: CSCun95157 - 802.1x authentication fails due to unexpected empty TLS message

Last Modified

Nov 21, 2018

Products (35)

  • Cisco IP Phone 8800 Series
  • Cisco Unified Wireless IP Phone 7920
  • Cisco Unified IP Phone 7945G
  • Cisco Unified IP Phone 7962G
  • Cisco Unified IP Phone 7971G-GE
  • Cisco Unified IP Phone Expansion Module 7914
  • Cisco Unified IP Phone 9951
  • Cisco Unified IP Phone 6961
  • Cisco Unified IP Phone 6941
  • Cisco Unified IP Phone 7911G

Known Affected Releases

9.3(3)

Description (partial)

Symptom:
802.1X EAP-TLS authentication from 6945 phones to Cisco ISE fails; ISE reports "Unexpectedly received empty TLS message".

Conditions:
Topology:

IP Phone 6945 --- Alcatel switch --- ISE --- CUCM 

Observed with SIP firmware 9.3(3).

ISE logs show the following information:

---------------------
Overview
Event 5400 Authentication failed
Username CP-6945-SEP00077d65158b
Endpoint Id 00:07:7D:65:15:8B
Endpoint Profile
Authorization Profile
ISEPolicySetName Default

Authentication Details
Source Timestamp 2013-11-06 11:01:23.284
Received Timestamp 2013-11-06 11:01:23.284
Policy Server SBCDF898
Event 5400 Authentication failed
Failure Reason 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
Resolution Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Root cause While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
Username CP-6945-SEP00077d65158b
User Type
Endpoint Id 00:07:7D:65:15:8B
Endpoint Profile
IP Address
Identity Store
Identity Group
Audit Session Id
Authentication Method dot1x
Authentication Protocol EAP-TLS 
---------------------
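To tell from a packet capture whether the supplicant sent an empty EAP-TLS message or a TLS alert, as the root cause above distinguishes, the following added example (not Cisco's code and not part of the bug report) classifies one EAP-TLS packet using the RFC 5216 layout. The function name, the ack_expected parameter and the sample packets are assumptions constructed for illustration.

```python
import struct

EAP_TYPE_TLS = 13                       # EAP-TLS method type (RFC 5216)
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20
TLS_ALERT, TLS_HANDSHAKE = 21, 22       # TLS record content types
ALERT_NAMES = {42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}


def classify_eap_tls(pkt: bytes, ack_expected: bool = False) -> str:
    """Classify one EAP-TLS packet (unfragmented, or the first fragment).

    ack_expected (assumed parameter): True if the preceding server request
    had the M (more fragments) bit set or completed the handshake, where
    RFC 5216 calls for an empty response as an acknowledgement.
    """
    if len(pkt) < 6:
        return "malformed: shorter than EAP-TLS header"
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
    if eap_type != EAP_TYPE_TLS:
        return "not EAP-TLS"
    if length < 6 or length > len(pkt):
        return "malformed: bad EAP length"
    data = pkt[6:length]
    if flags & FLAG_L:                  # 4-byte TLS Message Length precedes the data
        if len(data) < 4:
            return "malformed: L flag set but no TLS Message Length"
        data = data[4:]
    if not data:
        if flags & FLAG_S:
            return "EAP-TLS Start"
        return "ACK (empty response)" if ack_expected else "unexpected empty TLS message"
    if len(data) < 5:
        return "malformed: truncated TLS record"
    ctype, _ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype == TLS_ALERT and rec_len == 2 and len(data) >= 7:   # plaintext alert
        level = "fatal" if data[5] == 2 else "warning"
        return f"TLS alert: {level} {ALERT_NAMES.get(data[6], data[6])}"
    if ctype == TLS_HANDSHAKE:
        return "TLS handshake data"
    return f"TLS record type {ctype}"


# Constructed sample packets (not taken from the bug report).
EMPTY_RESPONSE = bytes([2, 5, 0, 6, 13, 0x00])
ALERT_RESPONSE = bytes([2, 5, 0, 13, 13, 0x00, 21, 3, 1, 0, 2, 2, 48])

if __name__ == "__main__":
    for name, p in (("empty", EMPTY_RESPONSE), ("alert", ALERT_RESPONSE)):
        print(name, "->", classify_eap_tls(p))
```

An empty response is only a failure indicator when no acknowledgement was due, so set ack_expected from the flags of the server request that precedes it in the capture.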