Machine Certificate Autoenroll
Hello All, I was using an AppleScript to auto-enroll OS X 10.6 in our Microsoft PKI certificate infrastructure (Machine certificate). The script created all the needed cert request parameters automatically, submitted it via the web-based certificate request process and pulled the certificate into the system. The certificate could be used to create an EAP-TLS wireless profile.
With Lion the script no longer works and the process for automatically requesting the certificate seems to have changed as well.
I also noticed that the Wi-Fi profile can now be created via a profile, which is easier, but I don't have an easy way to auto-enroll in my PKI infrastructure.
Has anyone come up with a good way of resolving the auto-enrollment process for certificates?
Any help or guidance is much appreciated.
Moving to AAA forum for faster response.
Vinay
Community manager - Wireless
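The procedure the original post describes (build the request, submit it to Microsoft web enrollment, pull the issued certificate into the system) as an added shell example; this is not the poster's AppleScript and nothing here comes from the thread. Assumed, and to be adjusted: the CA URL (https://ca.corp.example), the template name "Machine", the machine FQDN lab-mac01.corp.example (constructed), the standard certsrv form fields on certfnsh.asp, NTLM credentials for an enrollment account, and the supplicant paths handed to security import. Only the offline part (key, CSR, response parsing) runs when the script is executed as-is; the network and keychain steps are functions to call on a real Mac.

```shell
#!/bin/sh
# Added example (not the original poster's script): enroll a machine certificate
# from a Mac against Microsoft web enrollment (certsrv).
# Assumptions, not taken from the thread: CA URL, template name "Machine",
# certsrv form field names, NTLM credentials, supplicant paths.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
MACHINE_FQDN="${MACHINE_FQDN:-lab-mac01.corp.example}"   # constructed; use hostname -f on a real box
CA_URL="${CA_URL:-https://ca.corp.example}"              # assumed, not from the post
CA_TEMPLATE="${CA_TEMPLATE:-Machine}"                    # assumed template name

# make_machine_csr <fqdn> <dir>: RSA key + CSR whose CN and DNS SAN are both the
# FQDN (what a RADIUS/NPS machine check compares against). Prints the CSR path.
make_machine_csr() {
    fqdn="$1"; dir="$2"
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
extendedKeyUsage = clientAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
        -keyout "$dir/machine.key" -out "$dir/machine.csr" 2>/dev/null
    chmod 600 "$dir/machine.key"
    printf '%s\n' "$dir/machine.csr"
}

# parse_request_id <certsrv html>: the submission response links
# certnew.cer?ReqID=<n>; that number is needed to fetch the issued cert.
parse_request_id() {
    printf '%s\n' "$1" | sed -n 's/.*certnew\.cer?ReqID=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# submit_to_certsrv <base url> <DOMAIN\user:pass> <csr>: POST the request (needs network).
submit_to_certsrv() {
    base="$1"; creds="$2"; csr="$3"
    resp=$(curl -sS --ntlm -u "$creds" \
        --data-urlencode "Mode=newreq" \
        --data-urlencode "CertRequest@$csr" \
        --data-urlencode "CertAttrib=CertificateTemplate:$CA_TEMPLATE" \
        --data-urlencode "TargetStoreFlags=0" \
        --data-urlencode "SaveCert=yes" \
        "$base/certsrv/certfnsh.asp")
    parse_request_id "$resp"
}

# fetch_issued_cert <base url> <creds> <reqid> <out>: download the Base64 cert and
# fail if certsrv returned an HTML error page instead of a certificate.
fetch_issued_cert() {
    base="$1"; creds="$2"; reqid="$3"; out="$4"
    curl -sS --ntlm -u "$creds" -o "$out" "$base/certsrv/certnew.cer?ReqID=$reqid&Enc=b64"
    openssl x509 -in "$out" -noout
}

# import_into_system_keychain <dir>: macOS only. Bundle key + cert as PKCS#12 and
# load it into the System keychain, letting the 802.1X supplicant and racoon use
# the key without prompting. The -T paths are assumptions.
import_into_system_keychain() {
    dir="$1"
    openssl pkcs12 -export -inkey "$dir/machine.key" -in "$dir/machine.cer" \
        -out "$dir/machine.p12" -passout pass:changeit
    sudo security import "$dir/machine.p12" -k /Library/Keychains/System.keychain \
        -P changeit \
        -T /System/Library/SystemConfiguration/EAPOLController.bundle/Contents/Resources/eapolclient \
        -T /usr/sbin/racoon
}

# Offline part: generate the request and exercise the ID parser on a constructed
# certsrv response fragment. The network steps are printed, not executed.
CSR_FILE=$(make_machine_csr "$MACHINE_FQDN" "$WORKDIR")
openssl req -in "$CSR_FILE" -noout -verify -subject
SAMPLE_RESPONSE='<A HREF="certnew.cer?ReqID=4711&amp;Enc=b64">Download certificate</A>'   # constructed
REQ_ID=$(parse_request_id "$SAMPLE_RESPONSE")
printf 'parsed request id from sample page: %s\n' "$REQ_ID"
printf 'next (needs network): submit_to_certsrv %s DOMAIN\\user:password %s\n' "$CA_URL" "$CSR_FILE"
```

The template must be one the CA allows the enrollment account to request, and the issued certificate should be checked for the Client Authentication EKU before it is trusted for EAP-TLS; keep the enrollment account's password out of the script (a keychain item or an environment variable injected at run time) since it ends up on the curl command line otherwise.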
Similar Messages
-
Renew Machine Certificate for multiple Servers
Hi,
We have a Windows 2003 Enterprise CA which issues certificates to servers which are used for various purposes like Wi-Fi authentication and secure RDP. We have checked that the certificates are going to expire within a few weeks. We want to renew the certificates before
expiry, but the number of servers is high so we cannot do it manually by logging into each server.
We don't have ACRS enabled for computer certificates, and even if we configure it now that will not help.
Is there a way to renew the certificates for all the servers remotely?
On Tue, 15 Apr 2014 11:39:43 +0000, Sukhwin08 wrote:
We already have auto-enrolment enabled through GPO. The settings are as follows
Automatic certificate management: Enabled
Option: Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates: Enabled
Option: Update and manage certificates that use certificate templates from Active Directory: Enabled
I think that you're confusing Automatic Certificate Request Services and
autoenrollment. In your first post in this thread you mention ACRS, however
the above settings are for autoenrollment. ACRS is only for certificates
that are based upon V1 certificate templates and then only for machine
certificates. Autoenrollment on the other hand does not work for anything
less than V2 certificates and supports both machine and user certificates.
If you're using V1 certificate templates then you can set autoenrollment
settings in a GPO and it will not have any impact at all.
Paul Adare - FIM CM MVP
Remember the signs in restaurants "We reserve the right to refuse
service to anyone"? The spammers twist it around to say "we reserve
the right to serve refuse to anyone." -- SPAMJAMR & Blackthorn in nanae -
SSL VPN with machine certificate authentication
Hi All,
I've configured a VPN profile for an Anyconnect VPN connection on my test environment. I've enabled AAA (RSA) and certificate authentication, configured the RSA servers correctly and uploaded the root and issuing certificates. I managed to get this working with machine certificates using a Microsoft PKI. With crypto debugging enabled I can see the CERT API thread wake up and correctly authenticate the certificate. So far so good....
Now I configured the same on our production environment and can't get it to work!! The anyconnect client shows an error: "certificate validation failure"
The strange thing is that the crypto debugging doesn't give me one single line of output. It looks like the certificate doesn't even reach the ASA. My question is, what is stopping the "CERT API thread" I mentioned before from waking up and validating the certificate? Does someone have an explanation for that?
BTW, we have other VPN configurations on the same production/live ASAs with certificate authentication that are working and show up in the debugging.
Thanks in advance for your help
Hardware is ASA5540, software version 8.2(5).
Some pieces of the configuration below:
group-policy VPN4TEST-Policy internal
group-policy VPN4TEST-Policy attributes
wins-server value xx.xx.xx.xx
dns-server value xx.xx.xx.xx
vpn-simultaneous-logins 1
vpn-idle-timeout 60
vpn-filter value VPN4TEST_allow_access
vpn-tunnel-protocol IPSec svc webvpn
group-lock none
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
default-domain value cs.ad.klmcorp.net
vlan 44
nac-settings none
address-pools value VPN4TEST-xxx
webvpn
svc modules value vpngina
svc profiles value KLM-SSL-VPN-VPN4TEST
tunnel-group VPN4TEST-VPN type remote-access
tunnel-group VPN4TEST-VPN general-attributes
address-pool VPN4TEST-xxx
authentication-server-group RSA-7-Authent
default-group-policy VPN4TEST-Policy
tunnel-group VPN4TEST-VPN webvpn-attributes
authentication aaa certificate
group-alias VPN4TEST-ANYCONNECT enable
Forgot to mention, I'm using the same laptop in both situations (test and production). Tested with AnyConnect versions 3.1.02.040 and 3.0.0.629.
-
What Certificate store is used for machine certificates
I have a requirement to have windows 7/8 users connect to the company network using VPN & IKEv2.
I have a RH Linux 7 firewall/authentication server that the windows clients will connect to via a vpn.
I have generated a self-signed Certificate Authority, and a client certificate. (using NSS & certutil)
I have configured a VPN/IKEv2 connection on my windows 7 client system.
I have selected "use machine certificates" on the security tab.
However when I attempt to connect to the Linux 7 server. Windows returns a 13806 error. The windows process
for locating the certificate cannot find the certificate. (I used mmc to install both the CA certificate & the client certificate)
So I wondering since I specified the use of machine certificates, perhaps I've installed the certificates in the wrong "store".
Is there a special "store" for machine certificates?
Hi MeipoXu, many thanks for working with me on this issue.
Thru some trial & error testing I determined the Local Computer store "combo" that DOES NOT generate
a 13806 error (cert not found) is to import the client cert to the "Personal" store under "Local Computer"
and import the CA into the Trusted Root Certificates store, also under the "Local Computer"
However I still get the 13819 error, Invalid Certificate Type, when I attempt to make a connection over VPN.
Here are the trace entries:
Frame: Number = 4, Captured Frame Length = 234, MediaType = NetEvent
+ NetEvent:
- MicrosoftWindowsWFP: IPsec: Receive ISAKMP Packet
- WfpUnifiedTracing_IKE_PACKET_RECV IKE_PACKET_RECV: IPsec: Receive ISAKMP Packet
AsciiString ICookie: 76991f2483ab8271
AsciiString RCookie: be81c4728325eb7f
AsciiString ExchangeType: IKEv2 SA Init Mode
UINT32 Length: 284 (0x11C)
AsciiString NextPayload: SA
UINT8 Flags: 32 (0x20)
UINT32 MessageID: 0 (0x0)
UnicodeString LocalAddress: 192.168.10.4
UINT32 LocalPort: 500 (0x1F4)
UINT32 LocalProtocol: 0 (0x0)
UnicodeString RemoteAddress: 69.54.99.132
UINT32 RemotePort: 500 (0x1F4)
UINT32 RemoteProtocol: 0 (0x0)
UINT64 InterfaceLuid: 1688849960927232 (0x6000006000000)
UINT32 ProfileId: 2 (0x2)
Frame: Number = 5, Captured Frame Length = 121, MediaType = NetEvent
+ NetEvent:
- MicrosoftWindowsWFP: User Mode Error
- WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
AsciiString Function: IkeFindLocalCertChainHelper
- WinErrorCode ErrorCode: ERROR_IPSEC_IKE_NO_CERT
UINT32 WinErrorValue: 0x000035EE - ERROR_IPSEC_IKE_NO_CERT - The IKE failed to find a valid machine certificate. Contact your network security administrator about installing a valid certificate in the appropriate certificate store.
Frame: Number = 6, Captured Frame Length = 121, MediaType = NetEvent
+ NetEvent:
- MicrosoftWindowsWFP: User Mode Error
- WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
AsciiString Function: IkeFindLocalCertChainHelper
- WinErrorCode ErrorCode: ERROR_IPSEC_IKE_NO_CERT
UINT32 WinErrorValue: 0x000035EE - ERROR_IPSEC_IKE_NO_CERT - The IKE failed to find a valid machine certificate. Contact your network security administrator about installing a valid certificate in the appropriate certificate store.
Frame: Number = 7, Captured Frame Length = 117, MediaType = NetEvent
+ NetEvent:
- MicrosoftWindowsWFP: User Mode Error
- WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
AsciiString Function: IkeEncodeCertChainIkeV2
- WinErrorCode ErrorCode: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
UINT32 WinErrorValue: 0x000035FB - ERROR_IPSEC_IKE_INVALID_CERT_TYPE - Invalid certificate type.
Frame: Number = 8, Captured Frame Length = 117, MediaType = NetEvent
+ NetEvent:
- MicrosoftWindowsWFP: User Mode Error
- WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
AsciiString Function: IkeEncodeCertChainIkeV2
- WinErrorCode ErrorCode: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
- HRESULT ErrorValue: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
- LEHResult:
UINT32 Code: (................0011010111111011) 0x000035FB - ERROR_IPSEC_IKE_INVALID_CERT_TYPE - Invalid certificate type.
UINT32 Facility: (.....00000000111................) WIN32
UINT32 X: (....0...........................) Reserved
UINT32 N: (...0............................) Not NTSTATUS
UINT32 C: (..0.............................) Microsoft-defined
UINT32 R: (.0..............................) Reserved
UINT32 S: (1...............................) Failure
NOTE: Frames 9 thru 13 are the exact same error message as Frame 8 (the first) and Frame 14 (the last). Then I close the connection and stop the trace.
Frame: Number = 14, Captured Frame Length = 123, MediaType = NetEvent
+ NetEvent:
- MicrosoftWindowsWFP: User Mode Error
- WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
AsciiString Function: IkeConstructAndSendMMResponse
- WinErrorCode ErrorCode: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
- HRESULT ErrorValue: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
- LEHResult:
UINT32 Code: (................0011010111111011) 0x000035FB - ERROR_IPSEC_IKE_INVALID_CERT_TYPE - Invalid certificate type.
UINT32 Facility: (.....00000000111................) WIN32
UINT32 X: (....0...........................) Reserved
UINT32 N: (...0............................) Not NTSTATUS
UINT32 C: (..0.............................) Microsoft-defined
UINT32 R: (.0..............................) Reserved
UINT32 S: (1...............................) Failure
So after a response is received from the Server (to complete the SA Initiation)
Windows then "looks" for a cert to send to the server.
It appears initially it can't find one because 13806 errors are reported (Frames 5 & 6).
However the session does not issue a 13806.
It goes on to Frame 7: Note the function IkeEncodeCertChainIkeV2 detects the invalid cert type.
Frames 8 thru 14 are just a repeat of the same error.
Could this be a flaw in the Windows VPN logic?
Guy
-
EAP-TLS - ACS - Machine Certificates
Hi,
I've enabled EAP-TLS machine authentication on my ACS 4.2 server as per the following document: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354195. I currently have user authentication working using a user certificate on my laptop. I want to enable machine authentication for my windows domain.
Which is the best ACS option to choose for machine certificate comparison:
- Certificate Subject AlternativeName
- Certificate Common Name
- Certificate Binary
Is there a guide to use for setting up machine certificate templates for Windows Clients?
Thanks,
CN (or Name) Comparison—Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
SAN Comparison—Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
Binary Comparison—Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
Whatever comparison method is used, the information in the appropriate field (CN or SAN) must match the name that your database uses for authentication.
-
Machine Certificate will not be recognized
Hi All, i have a Setup as Follows
- 5508/1142
- heterogeneous clients with WZC, XP, SP3, SSO
- ACS 5.2, MS AD
Target is Single Sign On with Machine Certificates against AD. For testing purposes we tested with EAP-PEAP/MS-CHAPv2 and Machine Auth, works fine. Now we installed a Machine cert in the Machine cert Store (no User Cert) and reconfigured the WZC for using certs and Machine Auth. What we see is an error message in the System Tray that there is no certificate available. We checked it again, the MMC shows us a Machine cert in the Store.
Where am i wrong, any help welcome.
BR, Michael
Hi Michael,
This is how it works when you select the certificate method under the WZC:
Computer authentication works only before logon
By default, after logon, only user authentication works. This means that each user on the system needs a certificate (!), including administrator. This can be overridden by AuthMode=2, but this is system-wide, implying that for a different wireless network user authentication won't work either. So AuthMode is not an option (except when the computer is only used in one 802.1X network).
This implies too that as soon as there is a computer certificate and no user certificate, the network just does not work!
This way it is not possible to use e.g. EAP-TLS with certificates for computers and PEAP-MSCHAPv2 with username/password for users.
So if you wish to use certificate-based authentication for the machine, you need to use it also for user authentication (using WZC).
If you have both user and machine certificate, then after installing the certs, reboot the machine and verify if it works.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
-
Machine certificate RADIUS wireless login
Hi all,
I have a customer who wants to have computer authentication against RADIUS (allow only school devices to connect through the SSID). As I am a network engineer I am struggling with NPS settings and machine certificates.
I have lab settings in our office where I am using Windows Server 2012 and configured domain certificates using the links below
https://4sysops.com/archives/how-to-deploy-certificates-with-group-policy-part-2-configuration/#creating-the-certificates
http://www.petenetlive.com/KB/Article/0000919.htm
Under NPS I have two policies, one for domain devices and one for non-domain devices
Domain_devices policy:
Conditions - NAS Port Type - Wireless-Other OR Wireless - IEEE 802.11
Machine groups - domain\Domain devices - PC added to that group
Constraints - Auth. method - Microsoft Smart Card or other certificate
Domain_devices policy:
Conditions - NAS Port Type - Wireless-Other OR Wireless - IEEE 802.11
Constraints - Auth. method - Microsoft Protected EAP (PEAP)
When tested with iPad this was able to connect fine but when testing with domain laptop NPS is returning Event ID 6273 Reason code 16
Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
password is correct as I am using same one for iPad as well as computer login
Anybody with an idea why it's not working?
Thanks
Hi Lukas,
Based on your description, the first policy is for domain devices, the second policy is for non-domain devices, the iPad is non-domain device and the laptop is domain device, is that
right?
Since the certificate was deployed via GPO, have you checked if the user or computer certificate was installed successfully on the laptops?
To verify if the user certificate was installed on the laptop, please follow the steps below:
1. Click Start, click Run, enter MMC to open a Console.
2. Click File, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog, click Certificates, click Add, check My user account, click Finish, click OK.
4. Expand Console Root\Certificates - Current User\Personal; if there are not any certificates in this container, the user certificate was not installed successfully.
To verify if the computer certificate was installed on the laptop, please follow the steps below:
1. Click Start, click Run, enter MMC to open a Console.
2. Click File, click Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog, click Certificates, click Add, check Computer account, click Finish, click OK.
4. Expand Console Root\Certificates (Local Computer)\Personal; if there are not any certificates in this container, the computer certificate was not installed successfully.
Also, the NPS server and laptops all need to trust the CA, so please check if there is a CA certificate in the Trusted Root Certification Authorities\Certificates container.
Best Regards,
Tina
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected].
-
I have created one dedicated root CA for the domain and auto-enrollment has been enabled through Group Policy.
I want to bind my client certificate with the machine certificate in order to bind a user to one dedicated machine, to prevent duplicate logins.
Hi,
How about using User Rights Assignment?
You can deny all other users the "log on locally" right on the machine.
User Rights Assignment
http://technet.microsoft.com/en-us/library/cc780182(v=WS.10).aspx
Best Regards,
Amy Wang
-
EAP-TLS with machine certificate
Hello all,
I'm looking for a solution to authenticate both machines and wireless users. I've been finding solutions like EAP-TLS using the machine certificate to establish the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now I want to know if it is possible to use this configuration with ACS RADIUS servers and which OSes are supported without external supplicants (Windows XP, Windows 7, Windows 8, iOS, Android...).
Thanks a lot.
Best regards.
Hi Alfonso,
Certificate Retrieval for EAP-TLS Authentication
ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute.
ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates.
After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network.
Configuring CA Certificates
When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate.
If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates.
You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs).
Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems.
Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate
Also check the below link,
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404
-
Windows built-in IKEv2 clients are not finding a valid machine certificate
Hi All,
I'm trying to connect Windows built-in clients to a Cisco IOS IKEv2 headend. I want to use EAP to authenticate the clients with their AD credentials. For EAP, I need to use certificates, so I will use self-signed certificates as I don't have a CA.
Once I have created a certificate for the headend, I import this into the client's Trusted Root Certification Authorities. But when I try to connect the client to the headend, I get an error message from the client "Error 13806: IKE failed to find valid machine certificate". It seems that Microsoft is having an issue with the certificate.
Does anyone have an idea what I'm doing wrong?
Headend config:
aaa new-model
aaa group server radius AAA-AuthC-Group-RA
server-private v.v.v.v auth-port 1812 acct-port 1813 key secret
aaa authentication login AAA-AuthC-List-RA group AAA-AuthC-Group-RA
aaa authorization network AAA-AuthZ-List-RA local
crypto pki trustpoint PKI-TP-SS-RA
enrollment selfsigned
serial-number none
fqdn headend
ip-address none
subject-name cn=x.x.x.x
revocation-check none
rsakeypair PKI-TP-SS-RA-Key 2048
eku request server-auth
ip local pool IKEV2-POOL-RA 10.0.0.10 10.0.0.250
crypto ikev2 authorization policy IKEV2-AUTHORIZATION-POLICY-RA
pool IKEV2-POOL-RA
dns 10.0.0.1
netmask 255.255.255.0
crypto ikev2 proposal IKEV2-PROPOSAL-RA
encryption aes-cbc-256
integrity sha1
group 2
crypto ikev2 policy IKEV2-POLICY-RA
proposal IKEV2-PROPOSAL-RA
crypto ikev2 profile IKEV2-PROFILE-RA
match identity remote key-id mydomain.com
identity local dn
authentication remote eap query-identity
authentication local rsa-sig
pki trustpoint PKI-TP-SS-RA
dpd 60 2 on-demand
aaa authentication eap AAA-AuthC-List-RA
aaa authorization group eap list AAA-AuthZ-List-RA
virtual-template 10
no crypto ikev2 http-url cert
crypto ipsec profile IPSEC-PROFILE-AES-256
set transform-set IPSEC-AES-256
crypto ipsec profile IPSEC-PROFILE-AES256-SHA1
set transform-set IPSEC-AES256-SHA1
set ikev2-profile IKEV2-PROFILE-RA
interface Loopback10
ip address 10.0.0.1 255.255.255.0
interface Virtual-Template10 type tunnel
description FlexVPN-RA tunnel
bandwidth 20000
ip unnumbered Loopback10
ip mtu 1400
ip flow ingress
ip tcp adjust-mss 1360
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE-AES256-SHA1
-
L2TP based VPN with OpenS/WAN server, OpenSSL machine certificates
I cannot seem to get OSX to accept the machine certificates for a VPN connection using Internet Connect.
I have generated OpenSSL x509 certificates for the server and client side, the same process has generated certificates that work just dandy with WindowsXP. The certificates have "subjectAltName=" key/value pairs assigned to the IP address of the VPN server.
Once generated I import the certificates into OS X (you have to run KeyChain Access with "sudo" from the console to get this to work). The certificate authority seems to be ok, the CA has been added to the x509Roots, and when I examine the machine certificate for my OS X install using KeyChain Access the certificate is marked valid.
I generated the hash link for the certificate (the link name is the subject hash that openssl prints, plus ".0"):
ln -s /etc/racoon/certs/certname.pem /etc/racoon/certs/$(openssl x509 -noout -hash -in /etc/racoon/certs/certname.pem).0
From the console I run:
openssl verify certname.pem
It fails unless I specify -CApath /etc/racoon/certs, then it passes.
When Internet Connect is setup to use the certificates I can see in the OpenS/WAN logs that the OS X box connects and negotiates IPSEC to MAIN_3. At this point pluto logs the following:
ignoring informational payload, type INVALIDCERTAUTHORITY
This repeats for several re-tries before the OS X side gives up. No useful logging is generated on the OS X side for me to debug, and everything from the OpenS/WAN side seems to be kosher, it appears to be an oakley/racoon issue with validating the machine certificate provided by OpenS/WAN to the OS X side, with the OS X side unable to verify the certificate.
Has anyone solved this? Any ideas on how to improve the logging output from OS X so I can see what racoon/oakley is carping about in the certificate files it is using?
I'm having the same problem. I've got a machine cert on my Mac OS 10.4.6 client that was issued by my Win2003 CA. When I try and connect, it just hangs and then dies. In the Security Logs on the 2003 L2TP server, I even see a successful IKE negotiation (MS Event ID 541 and 543 below).
EventID 541:
IKE security association established.
Mode:
Key Exchange Mode (Main Mode)
Peer Identity:
Certificate based Identity.
Peer Subject C=US, S=City, L=State, O=Company, OU=group, CN=machine.subdomain.company.com, E=[email protected]
Peer SHA Thumbprint peerthumbrint
Peer Issuing Certificate Authority O=company.com, CN=Certificate Authority
Root Certificate Authority O=company.com, CN=Certificate Authority
My Subject CN=server.subdomain.company.com
My SHA Thumbprint mythumbrint
Peer IP Address: x.x.x.x
Filter:
Source IP Address x.x.x.x
Source IP Address Mask 255.255.255.255
Destination IP Address x.x.x.x
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr x.x.x.x
IKE Peer Addr x.x.x.x
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
Parameters:
ESP Algorithm Triple DES CBC
HMAC Algorithm SHA
Lifetime (sec) 3600
MM delta time (sec) 1
EventID 543:
IKE security association ended.
Mode: Key Exchange (Main mode)
Filter:
Source IP Address X.X.X.X
Source IP Address Mask 255.255.255.255
Destination IP Address X.X.X.X
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr X.X.X.X
IKE Peer Addr X.X.X.X
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
At least give me some methods to debug with.
-
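The hash-link and -CApath behaviour from the racoon thread above, as an added shell example (not the posters' files or commands). A throwaway CA and server certificate are generated in a temp directory that stands in for /etc/racoon/certs; the CA is then linked under its subject hash and verification is run the way racoon does it, by directory lookup rather than -CAfile. Names (Lab VPN CA, vpn.lab.example) are constructed; openssl must be in PATH. One caveat the example handles: OpenSSL 1.0.0 changed the subject-hash algorithm, so a racoon linked against OpenSSL 0.9.x (as on older OS X) looks for the old-style name, which -subject_hash_old reproduces.

```shell
#!/bin/sh
# Added example: <subject_hash>.N links and -CApath verification as racoon uses them.
# Constructed lab CA/server cert; not the original posters' material.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CERTDIR="$WORKDIR/racoon-certs"     # stands in for /etc/racoon/certs
mkdir -p "$CERTDIR"

# Lab CA and a server certificate signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=Lab/CN=Lab VPN CA" -keyout "$WORKDIR/ca.key" -out "$CERTDIR/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=vpn.lab.example" \
    -keyout "$WORKDIR/srv.key" -out "$WORKDIR/srv.csr" 2>/dev/null
openssl x509 -req -sha256 -days 30 -in "$WORKDIR/srv.csr" \
    -CA "$CERTDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -out "$CERTDIR/server.pem" 2>/dev/null

# link_ca_by_hash <dir> <ca.pem>: an issuer in a -CApath directory is found by
# file name <subject_hash>.N, so link the CA under the current hash and, where
# it differs, under the pre-1.0.0 hash for old racoon builds. Prints both hashes.
link_ca_by_hash() {
    dir="$1"; ca="$2"
    new_hash=$(openssl x509 -noout -subject_hash -in "$ca")
    old_hash=$(openssl x509 -noout -subject_hash_old -in "$ca")
    ln -sf "$(basename "$ca")" "$dir/$new_hash.0"
    [ "$old_hash" = "$new_hash" ] || ln -sf "$(basename "$ca")" "$dir/$old_hash.0"
    printf '%s %s\n' "$new_hash" "$old_hash"
}

# verify_with_capath <dir> <cert>: returns 0 only if the chain resolves through
# the hash-named files in <dir>, which is the lookup racoon performs.
verify_with_capath() {
    dir="$1"; cert="$2"
    openssl verify -CApath "$dir" "$cert" >/dev/null 2>&1
}

HASHES=$(link_ca_by_hash "$CERTDIR" "$CERTDIR/ca.pem")
if verify_with_capath "$CERTDIR" "$CERTDIR/server.pem"; then
    echo "chain OK via -CApath (hashes: $HASHES)"
else
    echo "chain FAILED via -CApath (hashes: $HASHES)"
fi
```

If the peer's certificate was issued by an intermediate, every CA in the chain needs its own hash link in the directory, not just the root; a missing link for the intermediate produces the same "unable to get local issuer certificate" failure as a missing root, and an INVALID_CERT_AUTHORITY notification from the peer is consistent with it not being able to resolve the issuer you present.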
ACS user and machine certificate.
Hi Community!
When trying to authenticate machine and users to an ACS 5.5 we have encountered some problems by trying to make this work.
The principal username in the user certificate is in the CN field and the principal username in the machine certificate is in the SAN=DNS field.
In the Certificate Authentication Profile I have configured that the principal username is the CN, and this works only when the user is validated, but when I change it to SAN=DNS the user cannot validate but the machine does. I tried adding two fields but it seems this is impossible in the identity store sequence.
So I went ahead and created two authentication profiles in the identity portion of the access policy, one for machine and one for user (with their respective identity store sequence), and the behavior is almost the same.
Am I doing something wrong in here? Can this scenario be achieved with the types of certificates we use?
Thanks in advance
Did you ever figure this one out? I may have the same type of issue.
thanks
[email protected]
-
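An added shell example covering what the two Windows IKEv2 threads above (errors 13806 and 13819, "no valid machine certificate" / "invalid certificate type") and the two ACS threads (CN vs SAN comparison, user certs with the name in CN and machine certs with it in SAN DNS) both come down to: what an authenticator actually reads out of the certificate. It is not code from any of the posters. It builds a constructed lab CA and three certificates (a machine cert issued the way a Windows Computer-style template does, a user cert with the name only in CN, and one with no EKU) and then checks each the way a peer would: chain to the trusted issuer, Client Authentication EKU present, and which field carries the principal. Names (Lab Issuing CA, lab-pc01.corp.example, jdoe) are made up; openssl must be in PATH.

```shell
#!/bin/sh
# Added example: inspect certificates the way an IKEv2 / EAP-TLS authenticator
# does (chain, EKU, principal field). Constructed lab PKI, not the posters' certs.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_CERT="$WORKDIR/ca.pem"; CA_KEY="$WORKDIR/ca.key"

openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=Lab/CN=Lab Issuing CA" -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null

# issue_cert <name> <subject> <extfile>: key + CSR + CA-signed cert in WORKDIR.
issue_cert() {
    name="$1"; subj="$2"; ext="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORKDIR/$name.csr" \
        -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
        -extfile "$ext" -out "$WORKDIR/$name.pem" 2>/dev/null
}

# Machine cert as a Computer-style template issues it: CN and SAN DNS both carry
# the FQDN, EKU = Client Authentication.
cat > "$WORKDIR/machine.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = DNS:lab-pc01.corp.example
EOF
# User cert: principal only in CN, no SAN at all.
cat > "$WORKDIR/user.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
# No EKU: chains fine, but is not a usable machine credential.
printf 'basicConstraints = CA:FALSE\n' > "$WORKDIR/noeku.ext"

issue_cert machine "/CN=lab-pc01.corp.example" "$WORKDIR/machine.ext"
issue_cert user    "/CN=jdoe"                  "$WORKDIR/user.ext"
issue_cert noeku   "/CN=lab-pc02.corp.example" "$WORKDIR/noeku.ext"

# cert_has_eku <cert> <text as openssl prints it>, e.g. "TLS Web Client Authentication"
cert_has_eku() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Extended Key Usage/{n;p;}' | grep -q "$2"
}

# cert_chain_ok <cert>: does it chain to the trusted issuer?
cert_chain_ok() {
    openssl verify -CAfile "$CA_CERT" "$1" >/dev/null 2>&1
}

# cert_is_machine_cert <cert>: what a peer needs from a machine certificate,
# a valid chain AND the Client Authentication EKU.
cert_is_machine_cert() {
    cert_chain_ok "$1" && cert_has_eku "$1" "TLS Web Client Authentication"
}

# cert_principal <cert> <CN|SAN-DNS>: the field a CN or SAN comparison reads.
# Empty output means the field is absent, which is the ACS mismatch above.
cert_principal() {
    case "$2" in
        CN)      openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
                     | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p' ;;
        SAN-DNS) openssl x509 -in "$1" -noout -text \
                     | sed -n 's/.*DNS:\([^,]*\).*/\1/p' | head -n 1 ;;
        *)       echo "unknown field: $2" >&2; return 2 ;;
    esac
}

for c in machine user noeku; do
    if cert_is_machine_cert "$WORKDIR/$c.pem"; then r="machine-cert OK"; else r="NOT machine cert"; fi
    printf '%-8s %-17s CN=%s SAN-DNS=%s\n' "$c" "$r" \
        "$(cert_principal "$WORKDIR/$c.pem" CN)" "$(cert_principal "$WORKDIR/$c.pem" SAN-DNS)"
done
```

On the Windows side the same three properties can be read with certutil -store My (which store, which EKU) and certutil -verify on the exported certificate (which chain), both against the Local Computer store, since that is where the built-in IKEv2 client's IkeFindLocalCertChainHelper looks. For the ACS case the output shows why one principal field cannot serve both certificate kinds: the user cert yields an empty SAN-DNS and the machine cert's identity lives in both CN and SAN, so the comparison field has to be chosen per certificate type.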
Loading a Machine Certificate into System Keychain
Does anyone know how to load a machine certificate (with a private key) into the System keychain?
I can load the certificate if it doesn't have a private key, but then Internet Connect won't recognize it as a valid machine certificate. It seems Internet Connect only looks in the shared System Keychain for the certificate for the L2TP-over-IPsec certificate-authenticated protocol.
I tried manually loading a Keychain that had a machine certificate in it already, but I ran into the old problem of the System Keychain requesting a password that nobody knows and when racoon tries to get the certificate from the System keychain it can't and fails.
mtennes@asher:>>sudo /usr/sbin/systemkeychain -v -t
Testing system unlock of /Library/Keychains/System.keychain
(If you are prompted for a passphrase, cancel)
System unlock is NOT working
If I create a fresh System keychain that can be unlocked automatically, I can't load a valid machine certificate with a private key into the System keychain. I can, however, load that same certificate into any keychain I create or even the X509Anchors keychain, but of course Internet Connect doesn't look there.
mtennes@asher:>>sudo rm -rf System.keychain
mtennes@asher:>>sudo /usr/sbin/systemkeychain -v -C
/Library/Keychains/System.keychain installed as system keychain
mtennes@asher:>>sudo /usr/sbin/systemkeychain -v -t
Testing system unlock of /Library/Keychains/System.keychain
(If you are prompted for a passphrase, cancel)
System unlock is working
Any ideas?
PowerMac G5 2.7GHz DP Mac OS X (10.4.6) thawte Web Of Trust Notary
How about using
sudo systemkeychain -v -k /Library/Keychains/System.keychain -C "password"
where “password” is the new keychain password that you want to give to the System keychain?
That way you should be able to unlock the System.keychain to add whatever you need to add to it, because now you know the password.
Ronald
-
MMC request machine certificate - wrong templates displayed
I have duplicated Computer template, so it has Autoenrollment available
Template is published & works on lots of machines (they do autoenrol)
This template is also available on most machines if I select "request certificate" manually from the MMC Computer context.
But on some machines in mmc I get only OLD (no longer published) certificate enrollment templates.
No matter what I try to do, I can not refresh these templates (as seen on client)
Anything special needs so client picks up correct templates?
Seb
Sorry, but that is not true. The client CAN resolve LDAP context, the client CAN receive an autoenrolled certificate (as it does autoenroll), the client does not need to be domain rejoined (as it works perfectly fine - otherwise I would see other issues with it, right?)
Client CAN (and does) receive list of templates (as I can see them in HKCU/Microsoft/Cryptography/CertificateTemplateCache )
I did clear HKLM/Microsoft/Cryptography/CertificateTemplateCache
On a client that received autoenroll certificate, as a domain admin I run:
mmc, computer, local, personal, certificate, request
The list shown is old (definitely not current)
Must be some sort of cache, but read from WHERE?
Seb
-
ISE EAP-Chaining with machine, certificate and domain credentials
Good morning,
A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
Corp. wireless to authenticate with 2-factor authentication:
1. Certificate
2. Machine auth thru AD
3. Domain creds
When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
Clients are Windows laptops and corporate iPhones.
Certs can be issued thru GPO and MDM for iPhones
Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
My first question is: can this be done?
Second question: how would i implement this from an AuthC/AuthZ perspective?
Thanks in advance,
Andrew
You can do this by configuring AnyConnect with the NAM module on endpoints! But it doesn't make sense to me to configure some clients with certificates and others with domain credentials...
For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and I'm getting some problems. The first one I got with Windows 8: for some reason Windows was sending wrong information about the machine password, but I solved the problem by installing a KB on the Windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with Windows 7, which is sending information correctly about the domain but wrong information about user credentials; in the ISE logs I can see that Windows 7 is sending user "anonymous" + machine name on the first login... after Windows 7 starts, if I remove the cable and connect again the authentication and authorization happen correctly. I'm still investigating the root cause and whether there is a KB to solve the problem as I did with Windows 8.
Good luck and keep in touch.
http://support.microsoft.com/kb/2743127/en-us