7925g plus EAP-TLS plus wildcard cert

Similar Messages

• Windows EAP-TLS with machine cert only?

  Hey all. Seems like this should be an easy question, but after doing some reading, I'm still a little confused.
  Can I authenticate a windows computer against ISE using EAP-TLS with a computer-only certificate and stay authorized when the user logs in? Or will it always try to authorize the user when they log in and break the connection if that fails?
  Thanks for any clues.

  Hello Leroy-
  EAP Chaining (Official name:EAP-TEAP [RFC-7170]) is a method that allows a supplicant to perform both machine and user authentication. In ISE, EAP-Chaining is enabled under the "EAP-FAST" protocol. For more info check out the the following links
  Cisco TrustSec Guide:
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  RFC:
  https://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01
  Thank you for rating helpful posts!

• Scripting WPA2 EAP+TLS setup (incl. cert)

  We have a bunch of Mac OS X users that we'd like to enable WPA2 EAP+TLS for. This would involve setting up the 801.2x connections and distribution of certificates to each machine. We'd like to minimize the effort on the user's part to set it up, so ideally we'd like to be able to package up a script that would install the machine certificate and configure the 802.1x connection for them. I was thinking of some AppleScript to do it.
  Any ideas? I'm well aware of the procedure to do it manually (via GUI), but I'm looking to automate the process. I've been googling for an example that either automates it through AppleScript or shows the procedure done entirely at the UNIX command-line (which is fine too).

  Perhaps the bottom half of this page would help you glean some command line stuff...
  http://felipe-alfaro.org/blog/2005/11/01/wpa-enterprise/

• TLS support wildcard cert?

  Hi everyone,
  I'm planning to enable TLS on our email traffic, but was wondering if that will conflict with the wildcard certificate we currently have enabled on the server?
  I couldn't find any information about smtp tls errors because of it on google, but was wondering if anyone has specific experience with it.

  The IronPort email security appliance cannot use certificates with wildcards when verifying a certificate.
  If you want to verify success or failure on TLS connections from the IronPort point of view, you can use the knowledgebase article below to search for those connections.
  How can I determine if my IronPort is using TLS for delivery or receiving?
  http://tinyurl.com/py4tw
  Hi everyone,
  I'm planning to enable TLS on our email traffic, but was wondering if that will conflict with the wildcard certificate we currently have enabled on the server?
  I couldn't find any information about smtp tls errors because of it on google, but was wondering if anyone has specific experience with it.

• Ironport email appliance : can i use a wildcard cert for TLS ?

  Hi all,
  We have 2 ironport C170 email appliance. I would like to use a wildcard SSL Cert from Digicert for TLS communication. I have 2 questions about it : 
  1/ Is it possible to use wildcard certificat on ironport ?
  2/ Is there any known problem with wildcard certificat for TLS use ?
  I found 2 (old) post about that :
  https://supportforums.cisco.com/discussion/10479161/tls-support-wildcard-cert
  http://www.symantec.com/connect/forums/someone-wants-enforce-tls-us-and-use-wildcard-cert
  Does someone has experience about it ?
  Thanks.

  My experience is that it works fine.
  If you have multiple domains, you have to make sure that the MX records point to the A record of the box you have certs for.
  eg. something like this:
  mx domain1.com  smtp.domain2.com
  mx domain2.com  smtp.domain2.com
  a smtp.domain2.com  x.x.x.x

• ACS 4.0 EAP-TLS Cert not working

  Hey,
  so i generated my certificate signing request, took it to my CA, got a cert. From "ACS Certification Authority Setup" i installed it onto my ACS appliance, then from "Install ACS Certificate" installed it (it prepopulated the privkey and password so i assume it got that from the cert file). I then add the CA from the "Edit Certificate Trust List". All this goes off without a hitch.
  However when i try to add the "Certificate Revocation List" I am unable to add both LDAP:\\\ and http://. I have confirmed that the http:// is working on the CA, and every indication is that the ldap is working too but i don't know of the tools to test that with.
  When i go into "System Configuration"->"Global Authentication Setup"->"Allow EAP-TLS" i get the following error.
  Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.
  What exactly is not installed about the Certificate? it's on the ACS server, it's configured and the date range is correct.
  I've been banging my head against this all day and could use some suggestions. :)

  Ok, i now understand it a little better. I needed to install 2 certificates. the first being the Root CA's certificate in the "ACS Certification Authority Setup" section (i mistakenly thought this was simply where i download my generated cert for the next spot.
  The second cert is the one i generated using "Generate Certificate Signing Request", i then took that to my Root CA, generated a cert and installed that along with the private key under "Install ACS Certificate".
  Thanks for pointing me in the right direction since the error i was getting wasnt helpful to me.

• ISE 1.1.1 - EAP-TLS / User Cert - Determine if corporate laptop?

  Greets. Is there a way to determine if the machine a user has authenticated from via EAP-TLS / user cert (or PEAP / mschapV2) is an active directory computer or not. I understand that EAP-Chaining using EAP-FAST and the Anyconnect client would work for this, but what about using the native windows supplicant and a user cert (or PEAP / mschapv2)?
  Long story short, what I'd like to do is: 
  User authenticates to ISE via EAP-TLS / user cert (or PEAP / mschapV2)
  Authorization based on whether it's a personally owned device or a corporate laptop (different AuthZ rule/ACL's based on this)
  personally owned devices only allowed to do ICA,
  corporate device can use SQL, RDP, etc...
  Thoughts, ideas?

  Not sure i understand your response, or perhaps my original question isn't clear.
  User authenticates with EAP-TLS / User cert
  User is authorized based on user cert CN Name, Active Directory lookup, group membership matched, and proper ACL applied
  Unable to determine if the machine that the user is authenticating from is an active directory computer or not which would need to be determine in order to allow further ACL refinement (permit/deny certain protocol's based on if it is a personally owned device or a domained device, etc...).
  My question is, is it possible to do this using the native windows suplicant and EAP-TLS / user? I am only able to look up details based on the user cert (since this is what the supplicant is using), and not sure how to validate the PC as being a member of the domain or not (since the machine cert wasn't used in EAP-TLS).

• WPA2 security with EAP-TLS user cert auth

  I am investigating the use of EAP-TLS for authenticating clients through a MS NPS radius server for WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key managment. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD certifcate services. PEAP is working fine if we choose that auth method in our NPS radius network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth.  The 802.1x settings specify "User Authentication" and a user cert for the logged in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer. 
  When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and radius requests logged.  On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.
  It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth the cert auth  worked first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.
  Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this or why I'm not seeing any traffic between WLC and NPS radius when attempting cert auth?

  Well Well
  WLC or any AAA client acts in pass through mode after initialy generating EAP-identity request so it has nothing to with EAP type. AAA client will behave the same no matter if you use PEAP , EAP-TLS or LEAP .....
  The error message that you have reported is clearly sayign that your client doesn't have certificate to submit agains the back-end authentication server and accordingly the process fails . If you are not saying anything sent from WLC to NPS , it makes sense , because when the WLC initialy generate eap-identity request your client fails to answer and accordingly nothing is being sent to NPS server.
  In order to verify that we need ' debug client < mac address of the client > ' from the WLC while trying to connect to make sure that is the case.
  Also make sure that your client has certificate that is binded to a user account defined on your AD in away or another to have it working.
  Please make sure to rate correct answers

• Will CA cert be pushed along with the sever cert to the client in eap-tls?

  Hi All,
  I'm aware of that in eap-tls, the server-side cert will be pushed to the wireless client. I'm wondering if the CA root cert of the Radius server will be pushed as well. If not, I guess the client must have the CA cert pre-installed. Is there any documentation to describe this?
  Thanks in advance.
  Robert

  Thanks Scott.
  I'm a little bit confused. Based on the following url, somebody said sever will send the server cert and the CA. Can you show me the documentation that can explain in detail.
  http://security.stackexchange.com/questions/47932/why-is-a-ca-certificate-required-for-eap-tls-clients
  When the server sends a certificate, it actually sends a certificate chain,  including the CA which issued it, and the CA above it, and so on, up to  the root (the root itself may be sent, but this is optional).

• Installing wildcard cert on ISE for HTTP/EAP

  I need to install a wildcard cert on ISE, but have no experience with wildcards.  I have the *.domain certificate, but i am not sure of the process, and the Cisco docs add to the confusion.  Am i supposed to generate a new CSR to give to the CA, do i simply install the *.domain cert?  I have read the install guide and it of course makes the assumption that you know what you're talking about, and when it comes to installing wildcards, i don't know...
  Any assistance would be greatly appreciated

  If you are already in the possession of the wildcard cert and the private key, then you don't need CSR. You can simply import the certificate in ISE:
  1. Go to Administration > Certificates > Local Certificates >  Add > Import Server Certificate
  2. Use the "browse" buttons to point to the certificate file and private key
  3. Check "Allow Wildcard Certificates"
  4. Select the protocol that you want to use it for (EAP or HTTPS or both)
  5. Hit submit
  6. Go to Certificates Store
  7. Import the root CA certificate and Intermediate CA certificate(s) (If any)
  Thank you for rating helpful posts!

• EAP-TLS FAILING ON WIRELSS IPPHONE CP-7925G

  Hi all,
  we had enabled the eap-tls authentication on our WIFI network. We are using Cisco ACS 1113 & Microsoft Certificate Server for this setup. Currently we are able to successfully authenticat EAP-TLS on computer, but the Phones are not registering the network.
  On the ACS we are getting the following error.
  "EAP-TLS or PEAP authentication failed due to invalid certificate during SSL handshake".
  Thanks
  Nibin       

  Dear all
  Thanks for your reply. Actually the setting is working for Laptops only issue with Wireless IP Phones.
  Please find the logs from Cisco ACS. I followed the deployment guide for IP Phone.
  AUTH 02/10/2013 13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate A
  AUTH 02/10/2013 13:29:58 I 2009 1756 0xb EAP: EAP-TLS: Handshake failed
  AUTH 02/10/2013 13:29:58 E 2255 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL recv alert fatal:bad certificate
  AUTH 02/10/2013 13:29:58 E 2258 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL ext error reason: 412 (Ext error code = 0)
  AUTH 02/10/2013 13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2198
  AUTH 02/10/2013 13:29:58 I 0526 1756 0xb EAP: EAP-TLS: Unknown EAP code Unknown EAP code
  AUTH 02/10/2013 13:29:58 I 0366 1756 0xb EAP: EAP state: action = send
  AUTH 02/10/2013 13:29:58 I 1151 1756 0xb [AuthenProcessResponse]:[eapAuthenticate] returned -2198
  AUTH 02/10/2013 13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7, seq_id=7)
  AUTH 02/10/2013 13:29:58 I 5501 1756 0xb Done UDB_SEND_RESPONSE, client 50, status UDB_EAP_TLS_INVALID_CERTIFICATE
  Thanks
  Nibin Rodrigues

• Eap-tls wired 802.1x - certificate issue?

  I have configured ACS 4.0 and an 2003 Enterprise root CA on the same server, successfully applied the GPO to auto-enroll machines with Computer certificates, and then enabled 802.1x security on Catalyst 3750s. Note this is for wired 802.1x.
  If I reboot the machine, the EAP packets go through and you can see a successful authentication in the "Passed Authentications" log. However, if you disconnect the wire and then plug it back in, Windows gets stuck in "Validatiny Identity", and eventually a balloon pops up saying: "Windows was unable to find a certificate to log you on". Doing a 'sh dot1x interface ...' shows it is CONNECTING until the auth timeout is reached then it dumps the workstation into the guest vlan. Nothing is logged to Passed Authentications or Failed Attempts on the ACS server.
  Basically, the only time the EAP-TLS machine authentication works is when you reboot the machine. And if you change the state of the port either by diabling/enabling from the workstation or switch, or unplug the cable and plug it back in, Windows does not seem to pass the certificate information along to the PAE.
  This does not seem to happen when a user/client certificate is issued, only when it is a machine/computer certificate
  Has anybody seen this before and have any solutions why Windows cannot recogonize the machine certificate properly?

  We solved our WIRELESS problem by editing the following entrees. I sure this can be applied to the wired side somehow.
  The information about the correct settings can be found in this Microsoft document:
  http://technet2.microsoft.com/WindowsServer/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true
  The areas of interest are the SupplicantMode (EAPOL-Start Message) and AuthMode (what type of authentication to use) registry entries. These can be configured manually in the registry or applied via Group Policy.
  This allows just the machine to authenticate (using a Cert all ready on the Machine) then we use our ACS server to auth the user via AD.
  I am doing this wirelessly and using as long as you are using a WDS the following will be the result.
  Roaming AP to AP I only lost 1 packet.
  Roaming from Vlan to other Vlan I lost 5 packets (Different ip address)
  Shutting the wireless off and back on I only lost 8 packets.
  I thought this was a very good result. We will be launching our lab with 35 plus laptops in a classroom with 2 radios.

• ISE 802.1x EAP-TLS machine and smart card authentication

  I suspect I know the answer to this, but thought that I would throw it out there anway...
  With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card  authentication simultaneously for wired/wireless clients (specifically  Windows 7/8, but Linux or OSX would also be good).  I can find plenty of  information regarding 802.1x machine authentication (EAP-TLS) and user  password authentication (PEAP), but none about dual EAP-TLS  authentication using certificates for machines and users at the same time.  I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end.  For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other.  Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

  Hope this video link will help you
  http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

• EAP-TLS and ISE 1.1 with AD certificates

  Hello,
  I am trying to configure EAP-TLS authentication with AD certificates.
  All ISE servers are joined to AD
  I have the root certificate from the CA to Activie Directory installed on the ISE servers
  I created the certificate authentication profile using the root certificate
  I have PEAP\EAP-TLS enabled as my allowed protocol
  I am getting the following error for authentication:
  "11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12301  Extracted EAP-Response/NAK requesting to use PEAP instead
  12300  Prepared EAP-Request proposing PEAP with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318  Successfully negotiated PEAP version 0
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12814  Prepared TLS Alert message
  12817  TLS handshake failed
  12309  PEAP handshake failed"
  I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
  Any other issues I am missing?
  Thanks,
  Michael Wynston
  Senior Solutions Architect
  CCIE# 5449
  Email: [email protected]
  Phone: (212)401-5059
  Cell: (908)413-5813
  AOL IM: cw2kman
  E-Plus
  http://www.eplus.com

  Please review the below link which might be helpful :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

• ISE 1.3 public wildcard cert

  Is it a good idea and common practice to just use public CA for wildcard certificate on each ISE node to avoid any certificate warnings on non-corporate devices? 
  is it ok then to use it also for EAP-TLS authentication? Clients will still have internal CA certs.
  Or should we have a separate internal wildcard cert just for EAP-TLS. In this case, will ISE 1.3 allow me to have to wildcard certs with the same SAN (*.domain.com), one is public, the other is internal. The public one would apply to Web portals, and internal one would apply to EAP-TLS/

  Hi Trevor-
  The use of Wildcard cert is perfectly acceptable for the guest portals. As you said, this will ensure that guest users don't get the certificate trust error. 
  However, for the EAP side of the house, you will need to get a non-wildcard certificate. Many supplicants (including Windows) will NOT accept a wildcard certificate when building an EAP tunnel.
  I hope this helps!
  Thank you for rating helpful posts!