LAN Enforcer Blocks PEAP+TLS Authentication
Article: TECH139791 | Created: 2010-09-14 | Updated: 2010-10-07 | Article URL: http://www.symantec.com/docs/TECH139791
Several WYSE thin clients are authenticated by the local Cisco ACS RADIUS server. The thin clients are not running a Windows OS and do not have the SEP 11+SNAC agent installed. With the LAN Enforcer 6100 appliance placed inline with the network, the WYSE thin clients are no longer able to authenticate with the RADIUS server.
The enforcer kernel.log file reports a PEAP timeout, and the client is not authenticated by the RADIUS server, which results in the client not being allowed onto the network.
The network environment includes a RADIUS server, a LAN 6100 Enforcer Appliance, a SEP 11 manager, and a WYSE thin client or other device that uses PEAP+TLS authentication. The LAN Enforcer software version is 11.0.5 or below.
The enforcer 11.0.5 software prevents PEAP+TLS authentication from being forwarded to the RADIUS server, causing a timeout. The issue is caused by the software's inability to handle TLS authentication traffic. If the LAN Enforcer is removed from the environment, authentication between the thin client and the RADIUS server occurs as expected.
Update the LAN Enforcer software to the latest 11.0.6 RU6 MP1 release. The updated enforcer software release is available on the Symantec FileConnect and Platinum web sites.
Ignore Check Commands for TLS (RU6 MP1 or Later)