802.1x EAP-TLS with NPS/W2008 - Authentication result 'timeout'
Hello
[Env on my lab investigation]
supplicant - W7 with cert
authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
authentication server 2x - W2008/NPS like a RADIUS server
[Config some part of authenticator]
interface FastEthernet0/1
switchport access vlan 34
switchport mode access
authentication event fail retry 1 action authorize vlan 47
authentication event server dead action authorize vlan 35
authentication event no-response action authorize vlan 47
authentication event server alive action reinitialize
authentication port-control auto
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 15
spanning-tree portfast
[Symptoms]
After rebooting the authenticator, the supplicant connected to FE0/1 is finally put into the Guest VLAN 47, and before that I saw on the authenticator's console Authentication result 'timeout'. But when the switch is up and running and I connect the same W7 supplicant with cert to the same authenticator port FE0/1, the supplicant is finally put into static VLAN 34.
[Summary]
The problem is the end stations (supplicants, using EAP-TLS) that are still connected to the port after the reboot: all of them are put into the Guest VLAN instead of static VLAN 34!
[The question]
What is wrong, and how should I configure/tune the authenticator or the authentication server so that after the reboot I do not observe authentication timeouts?
Of course, after 20 minutes (the next EAPOL Start frame) the supplicant is put into VLAN 34.
[Logs]
During this I observed Wireshark on the supplicant, the authenticator console and Wireshark on the NPS; see below:
1. supplicant and authenticator flow order in Wireshark:
- supplicant EAPOL Start
- authenticator EAP Request Identity
- supplicant Response Identity, 3 times
- supplicant EAPOL Start
- authenticator EAP Failure
- authenticator EAP Request Identity x2
- supplicant Response Identity x2
and again; more detail about the flow from the Wireshark chart at the end
2. authenticator console saw like this:
*Mar 1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
krasw8021x>
*Mar 1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
and finally
*Mar 1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar 1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar 1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
3. Authentication server:
- NPS didn't receive any RADIUS Access-Request/Response.
[supplicant EAPOL flow chart, source Wireshark; Cisco_f9:98:81 is the authenticator, Dell_12:cf:80 the supplicant (supplicant frames are sent to the Nearest group address)]
| Time (s) | Direction | Message |
|---|---|---|
| 0,041 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748] |
| 0,045 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748] |
| 0,051 | Dell_12:cf:80 -> Cisco_f9:98:81 | EAPOL: Start |
| 0,065 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748] |
| 0,075 | Dell_12:cf:80 -> Cisco_f9:98:81 | EAP: Response, Identity [RFC3748] |
| 0,075 | Dell_12:cf:80 -> Cisco_f9:98:81 | EAP: Response, Identity [RFC3748] |
| 18,063 | Dell_12:cf:80 -> Cisco_f9:98:81 | EAPOL: Start |
| 18,065 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Failure |
| 18,268 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748] |
| 18,303 | Dell_12:cf:80 -> Cisco_f9:98:81 | EAP: Response, Identity [RFC3748] |
| 18,307 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748] |
| 18,307 | Dell_12:cf:80 -> Cisco_f9:98:81 | EAP: Response, Identity [RFC3748] |
| 37,073 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, EAP-TLS [RFC5216] [Aboba] |
| 67,941 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, EAP-TLS [RFC5216] [Aboba] |
| 98,805 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, EAP-TLS [RFC5216] [Aboba] |
| 129,684 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Failure |
| 144,697 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748] |
| 160,125 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748] |
| 175,561 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748] |
| 190,996 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Failure |
| 206,002 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Failure |
| 206,204 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748] |
| 212,103 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748] |
| 227,535 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748] |
| 242,970 | Cisco_f9:98:81 -> Dell_12:cf:80 | EAP: Request, Identity [RFC3748] |
/regards Piter
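One way to pick these events out of a larger console log, as an added example that is not from the original post or from Cisco: the script below parses the %DOT1X/%AUTHMGR syslog lines quoted above, reports per interface how many 'timeout' results preceded an assignment into a guest VLAN (a port that was authorized without any RADIUS verdict, which is the symptom described), and computes the no-response window that a tx-period setting implies (the initial EAP Request-Identity plus max-reauth-req retransmissions, default 2, each waited out for tx-period seconds). The sample log is constructed from the lines in the post plus one made-up Fa0/2 success line whose MAC and session id are placeholders.

```python
import re

# Constructed sample: the authenticator console lines quoted in the post above (timestamps,
# MAC and AuditSessionIDs taken from the post), followed by one constructed %AUTHMGR-5-SUCCESS
# line for a second port; the MAC and session id on that last line are placeholders.
SAMPLE_SYSLOG = """\
*Mar 1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
krasw8021x>
*Mar 1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar 1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar 1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Mar 1 00:05:09.001: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0000.0000.0002) on Interface Fa0/2 AuditSessionID PLACEHOLDER0000000000000002
"""

EVENT_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
RESULT_RE = re.compile(r"Authentication result '(?P<result>\w+)' from '(?P<method>\w+)'")
VLAN_RE = re.compile(r"VLAN (?P<vlan>\d+) assigned to")
INTF_RE = re.compile(r"Interface (?P<intf>[A-Za-z]+\d[\d/.]*)")   # Fa0/1, FastEthernet0/1, Gi1/0/1
MAC_RE = re.compile(r"client \((?P<mac>[^)]+)\)")


def parse_events(log_text):
    """Turn IOS console output into event dicts; prompt lines and other non-syslog text are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        text = ev["text"]
        intf, mac, res, vlan = (r.search(text) for r in (INTF_RE, MAC_RE, RESULT_RE, VLAN_RE))
        ev["intf"] = intf.group("intf") if intf else None
        ev["mac"] = mac.group("mac") if mac else None
        ev["result"] = res.group("result") if res else None
        ev["method"] = res.group("method") if res else None
        ev["vlan"] = int(vlan.group("vlan")) if vlan else None
        events.append(ev)
    return events


def guest_vlan_fallbacks(events, guest_vlans):
    """Per interface: how many 'timeout' results preceded an assignment into one of guest_vlans.
    A port listed here was authorized by the fallback action, not by a RADIUS Access-Accept."""
    timeouts = {}
    report = {}
    for ev in events:
        if ev["result"] == "timeout":
            timeouts.setdefault(ev["intf"], []).append(ev["ts"])
        elif ev["mnemonic"] == "VLANASSIGN" and ev["vlan"] in guest_vlans:
            report[ev["intf"]] = {
                "guest_vlan": ev["vlan"],
                "timeouts_before_fallback": len(timeouts.get(ev["intf"], [])),
                "assigned_at": ev["ts"],
            }
    return report


def no_response_window(tx_period, max_reauth_req=2):
    """Seconds the authenticator waits for a silent supplicant before acting on the no-response
    event: the initial EAP Request-Identity plus max-reauth-req retransmissions, each given
    tx-period seconds. IOS defaults are tx-period 30 and max-reauth-req 2, i.e. 90 s."""
    return tx_period * (max_reauth_req + 1)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_SYSLOG)
    print(guest_vlan_fallbacks(evs, guest_vlans={47}))
    print("no-response window with tx-period 15:", no_response_window(15), "s")
```

With the post's `dot1x timeout tx-period 15`, `no_response_window(15)` gives 45 s; that matches the capture above, where three Request-Identity frames at 144,697, 160,125 and 175,561 are followed by an EAP Failure at 190,996, about 46 s after the first request. The `timeouts_before_fallback` count is the signal to alert on: any port that lands in the guest VLAN after repeated 'timeout' results while the RADIUS server saw no Access-Request has bypassed the intended EAP-TLS check.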
Hi,
Did you ever try to configure re-authentication?
Is the client is up and running if you connect it to the switch?
Similar Messages
802.1x EAP-TLS with Cisco IP-Phone on MS NPS
Hi,
does anybody get 802.1x - EAP-TLS with IP-Phones ( e.g. 7962G ) on Microsoft NPS up and running?
With ACS it is not a problem at all.
thx
Sebastian
Hi all!
Have you solved this problem (LSC certificate)? I am facing the same problem and I have not found the solution yet.
This is the last e-mail that Microsoft TAC has sent to the customer:
====================================================================================
As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.
"Please find below some more information about the same from Microsoft TechNet Article :
CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.
Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."
=====================================================================================
Thanks for your help!
Luis
ISE 802.1x EAP-TLS machine and smart card authentication
I suspect I know the answer to this, but thought that I would throw it out there anyway...
With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card authentication simultaneously for wired/wireless clients (specifically Windows 7/8, but Linux or OSX would also be good)? I can find plenty of information regarding 802.1x machine authentication (EAP-TLS) and user password authentication (PEAP), but none about dual EAP-TLS authentication using certificates for machines and users at the same time. I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end. For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other. Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.
Hope this video link will help you
http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls
EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OIDs
We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press book Windows Server 2008 PKI and Certificate Security gives an example of how to configure a policy in NPS that matches specific EKU OIDs. At the moment we have two policies, each with an allowed-certificate-oid configured that matches the OIDs in our certificates, but our setup is not working as expected. Authentications are only successful if the client authenticates with the certificate that is matched by the first policy rule.
For example:
Policy 1: allowed-certificate-OID --> corporate
Policy 2: allowed-certificate-OID --> private
Client authenticates with EKU corporate --> success
Client authenticates with EKU private --> reject
My expectation was that if Policy 1 does not match, NPS goes on to Policy 2 and tries to authenticate the client.
Has anyone a similar setup, or can help figure out what is going wrong?
We have a WLC 5508 with software version 7.4.100.0 and an NPS on Windows Server 2008 R2
regards
Fabian
The policy rejects, and NPS goes on to the next policy, only if the user does not belong to the configured group.
This means I need one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will only work with one group per user, because the first policy that matches an AD group the user belongs to could have an OID that is not in the certificate. This would cause a reject with reason code 73:
The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
The certificate does include this OID but not the custom EKU.
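A small model of the policy evaluation order this thread describes, added here as an illustration and not NPS's own code: the first policy whose conditions (group membership) match is selected, and an Allowed-Certificate-OID constraint that fails there rejects the request with reason 73 instead of trying the next policy. The AD group names and the two custom EKU OIDs are placeholders; only the Client Authentication OID comes from the thread.

```python
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth, quoted in the reason 73 text above

# Constructed policies modelled on the thread: an AD group condition plus an
# Allowed-Certificate-OID constraint. Group names and the custom OIDs are placeholders.
POLICIES = [
    {"name": "Policy 1 (corporate)", "group": "WLAN-Corporate", "allowed_oid": "1.3.6.1.4.1.99999.1"},
    {"name": "Policy 2 (private)", "group": "WLAN-Private", "allowed_oid": "1.3.6.1.4.1.99999.2"},
]


def evaluate(policies, user_groups, cert_ekus):
    """Return (decision, policy name, reason) for one request.

    Ordering as described in the thread: the first policy whose condition (group
    membership) matches is selected; its constraint is then checked, and a failed
    constraint rejects the request outright rather than falling through."""
    for policy in policies:
        if policy["group"] not in user_groups:
            continue  # condition not met: NPS moves on to the next policy
        if CLIENT_AUTH_OID not in cert_ekus or policy["allowed_oid"] not in cert_ekus:
            return ("reject", policy["name"], 73)  # EKU constraint failed: no fall-through
        return ("accept", policy["name"], None)
    return ("reject", None, "no policy matched")


def groups_that_avoid_reason_73(policies, cert_ekus):
    """Single-group memberships under which a certificate with these EKUs is accepted:
    a planning aid for the one-AD-group-per-device-certificate layout the reply mentions."""
    return [p["group"] for p in policies
            if evaluate(policies, {p["group"]}, cert_ekus)[0] == "accept"]


if __name__ == "__main__":
    private_cert = {CLIENT_AUTH_OID, "1.3.6.1.4.1.99999.2"}
    # A user in both groups presenting the 'private' certificate is rejected by Policy 1.
    print(evaluate(POLICIES, {"WLAN-Corporate", "WLAN-Private"}, private_cert))
    # The same certificate is accepted once the user is only in the 'private' group.
    print(evaluate(POLICIES, {"WLAN-Private"}, private_cert))
```

The model makes the failure mode concrete: the certificate never reaches Policy 2 because Policy 1 was already selected by the group condition, so either the group membership or the policy order has to separate the device populations before the EKU constraint is evaluated.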
802.1x eap-tls machine + user authentication (wired)
Hi everybody,
Right now we are trying to authenticate the machines and users that are plugged into our switches over 802.1X EAP-TLS. It works just fine with Windows.
You plug a Windows laptop into a switchport and the machine authenticates over EAP-TLS with the computer certificate. Now the user logs in and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After EAP-TLS user authentication the RADIUS checks whether the workstation the user is currently logged in on is authenticated as well. If yes = success; if no, the switchport will not allow any traffic.
Now we have to implement the same behaviour on our MacBook Pros. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentation etc. about how to create .mobileconfig profiles. Right now I'm able to authenticate the machine, and _only_ if I log in. As soon as I log out EAP-TLS stops working. It seems that loginwindow does not know how to authenticate.
1) How do I tell Mavericks to authenticate with the computer certificate while no user is logged in? I already tried profiles with
<key>SetupModes</key>
<array>
<string>System</string>
<string>Loginwindow</string>
</array>
<key>PayloadScope</key>
<string>System</string>
but it does not work
2) How do I tell Mavericks to re-authenticate with the user certificate when the user logs in?
Thanks
Unfortunately these documents do not describe how to do what I want.
I already have a working 802.1x. But the Mac only authenticates when the user is logged in. I have to say that even this does not work like it should. If I'm logged in, sometimes I need to click on "Connect" under network settings and sometimes it connects automatically. That's really strange.
I set eapolclient to debugging mode and see the following in /var/log/system.log when I log out.
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
These are the only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
The certificates are in my System keychain.
Unfortunately Apple also changed the logging behaviour of eapolclient; I don't see any eapolclient.*.log under /var/log
Any ideas?
802.1x EAP-TLS for wired users with ACS 5.5
Hi All,
We are configuring a new setup for wired user authentication with 802.1x (EAP-TLS). We are using ACS 5.5 as the authentication server.
We have added the root CA (internal) certificate and the certificate for ACS signed by the CA. Now we want to check whether the authentication is working or not. I expect both the root CA and the identity certificate also need to be installed on the laptops. But I am not sure how to download the certificates for the client machine manually from the CA.
Kindly suggest how to get certificates for clients both manually as well as automatically?
Thanks,
Vijay
Hi Vijay,
for wired 802.1x (EAP-TLS) you need to have the following certificates:
On ACS --- Root CA, Intermediate CA, Server Certificate
On Client -- Root CA, Intermediate CA, User certificate (in case of user authentication) OR Machine certificate (in case of machine authentication)
I am not sure which third-party certificate you are using. If it is an in-house Microsoft or any other certificate server then you need to download the client certificate from the server itself.
In case of Microsoft, there will be a template for the user certificate. You can select it and create the user certificate.
This one is an old document, but it has steps to configure a machine certificate for the user. You can see the steps to download the user certificate if it is a Microsoft server:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
In case you are using a third-party certificate server, then you need to check with them on how to download the user certificate.
Cheers
Minakshi (rate the helpful post)
802.1x/EAP-TLS Fragmentation across VPN tunnel
I am having an issue authenticating users via 802.1x/EAP-TLS across an IPSec tunnel. I am using route-based VPN with SVTI configuration on a 2921 and 1941. I have the following settings defined:
- Under the tunnel interfaces:
- MTU 1390
- MSS 1350
- PMTUD
- Under the ingress LAN interface
- route-map to set the DNF bit to 0
- On the RADIUS Server (2008 NPS)
- Framed-MTU: 1300
This had been working for months until I got a call last week about users not being able to authenticate to our secured SSID. I fired up wireshark and also used my client monitor tool in my wireless NMS to watch what is going on. I see all of the access-request and access-challenge exchanges, but the final exchange never happens. In both captures you can see messages with id's 77-81, but message id 82 isn't shown in the wireshark capture, only fragments are. In the client monitor capture you can see that message id 82 is 1726 bytes in length. Now, if I capture packets on my local LAN, the 1726 byte packet is properly fragmented and users can authenticate just fine.
What am I missing with this?? I have scoured the Internet trying to find a setting that I must have missed, but I can't. I've tried adjusting the Framed-MTU, all the way down to 1100.
Thanks for your help.
I figured I would post back with my results. I ended up removing my MTU value from the tunnel interfaces and then fired up Wireshark again. This time I found a lot of ICMP time-exceeded messages, which told me that PMTUD is not working properly across the tunnel. From there I simply re-applied my previous MTU numbers back into the tunnel configs and all of a sudden EAP-TLS started flowing fine. I do not know why removing and re-applying the MTU would make things start working again, so I assume that I'll be dealing with this again sometime in the future.
Cisco ISE for 802.1x (EAP-TLS)
I work for a banking organization and security is an area that needs to be improved continuously. I am planning on implementing Cisco ISE for 802.1x together with a Microsoft PKI for certificate issuing and signing.
I am currently trying to implement this in our test environment and I have managed to do a few basic bootstrapping tasks. I need someone to push me in the right direction as to how I can achieve what I am seeking.
I will use Cisco 2900 series switches on the access layer and a few HP switches as well which support 802.1x.
I want to configure the ISE to process authentication requests using 802.1x EAP-TLS (certificate based). All the workstations on the domain need to authenticate themselves using the certificates issued to them by the Certificate Issuing Authority.
I have already managed to get the PKI working and have rolled out the certificates on all the workstations on the test environment. I can't seem to configure the Authentication portion on the ISE.
I request if someone can guide me or direct me to materials that can help achieve the above requirements. The guides available on the Cisco website are overwhelming and I can't seem to figure out how I am supposed to configure the authentication portion.
My email: [email protected]
Cheers,
Krishil Reddy
Hello Mubashir,
Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
Configure the tx-period timer.
C3750X(config-if-range)#dot1x timeout tx-period 10
EAP-TLS with WLC 5.2.178 Improve Performance and Roams?
Good Morning...
I've been working on moving our clients over to EAP-TLS with machine auth for some time. I had moved the IT department over a couple of months ago as a test with no issues reported, and have tested on a few of our medical carts (CoWs) as well with no issues reported. However, upon deploying to a larger population of carts (specifically using the Atheros 5006x 7.x driver, no client) I've been getting some client drop complaints. If I look at the client history I do see a lot of "Client Associations" or roams that occur anywhere from every 2 minutes, to every 10 minutes, to every 5 hours. These carts do move around A LOT as they are pushed from one patient room to another, so I'm guessing the drops are occurring during a re-authentication phase as the device roams. Looking at the device you might not be able to tell it's dropping, but the software we use (Meditech) is very connection sensitive; in doing a simple ping you may see a couple of dropped packets until the client is fully connected again. So I'm guessing the roaming is the issue. What can we do to fight this or make it more efficient? It was mentioned to me by a colleague (who doesn't know where he saw it) that he thought it was possible to configure the WLCs to not reauthenticate on the roam? I'm guessing something must be able to be tweaked if the 7921s and 25s support EAP-TLS, as this type of latency would never work. By the way I'm using an ACS 4.2 as my authentication platform mapped back to AD.
You will always reauth with a roam. That is part of the 802.11 spec. How you reauth will depend on the type of security you have set up. If you are using WPA2/AES or CCKM the reauths can be done with a PMK instead of needing to go through the entire reauthentication process. Try running "debug client " for a client having the issue and see if it gives you an idea of where the authentication is failing.
Wired 802.1x EAP-TLS Server Certificate Problem
I have setup wired 802.1x authentication using EAP-TLS with ACS 3.3 and backend link to Active Directory. Root CA certificates are installed on the ACS and Client PC. Machine certificates and user certificates are also installed on Client PC. A Server certificate is installed on the ACS. All has been configured as detailed on the Cisco Web Site (numerous documents).
If I set the client to authenticate the Servers certificate I get a failure. The clients log (Cisco Secure Services Client) states:
11:48:53.088 Validating the server.
11:48:53.088 Server list is empty, trusted server can not be validated.
11:48:53.088 Server list is empty, trusted server can not be validated.
11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
11:48:54.776 The authentication process has failed.
If I look at the Auth log on ACS (set to full logging) it states:
AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
If I configure the client to not check the servers certificate it all works ok.
Can anyone tell me why my server certificate is getting rejected?
Thanks,
Paul
If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.
Windows EAP-TLS with machine cert only?
Hey all. Seems like this should be an easy question, but after doing some reading, I'm still a little confused.
Can I authenticate a windows computer against ISE using EAP-TLS with a computer-only certificate and stay authorized when the user logs in? Or will it always try to authorize the user when they log in and break the connection if that fails?
Thanks for any clues.
Hello Leroy,
EAP Chaining (official name: EAP-TEAP [RFC 7170]) is a method that allows a supplicant to perform both machine and user authentication. In ISE, EAP Chaining is enabled under the "EAP-FAST" protocol. For more info check out the following links
Cisco TrustSec Guide:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
RFC:
https://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01
Thank you for rating helpful posts!
Hi there,
I am asked to deploy iPads on an 802.1x EAP-TLS WiFi network. The customer has a Windows Server 2003 IAS server providing RADIUS. There also is a Windows-based CA infrastructure in place. This solution is in production and is already being used by other wireless devices. Could someone please highlight the configuration steps for the iPad deployment? The customer wishes to automate the initial deployment and the renewal of the certificates. I have a basic understanding of 802.1x, RADIUS, certificates etc. in a Windows infrastructure, but I am new to enterprise deployment of iPads. There is no MDM tool in place by the way...
I did find a Microsoft article which I think describes what needs to be done: http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx. This article basically states the following steps:
1. Create a placeholder computer account in Active Directory Domain Services (AD DS)
2. Configure a Service Principal Name (SPN) for the new computer object.
3. Enroll a computer certificate passing the FQDN of the placeholder computer object as a Subject Name, using Web Enrollment Pages or Certificates MMC snap-in directly from the computer (Skip step 4 if you are using the Certificates MMC snap-in)
4. Export the certificate created for the non-domain joined machine and install it.
5. Associate the newly created certificate to the placeholder AD DS domain computer account manually created through Name Mappings
The article then elaborates on specific steps needed for the iPad because it treats all certificates as user certificates. Can someone confirm this behavior??
Regards,
Jeffrey
Use VPP. Select an MDM. Read the Google doc below.
IT Resources -- ios & OS X -- This is a fantastic web page. I like the education site over the business site.
View documentation, video tutorials, and web pages to help IT professionals develop and deploy education solutions.
http://www.apple.com/education/resources/information-technology.html
business site is:
http://www.apple.com/lae/ipad/business/resources/
Excellent guide. See announcement post -- https://discussions.apple.com/thread/4256735?tstart=0
https://docs.google.com/document/d/1SMBgyzONxcx6_FswgkW9XYLpA4oCt_2y1uw9ceMZ9F4/edit?pli=1
good tips for initial deployment:
https://discussions.apple.com/message/18942350#18942350
https://discussions.apple.com/thread/3804209?tstart=0
Hi, has anyone got some good documentation on setting up EAP-TLS with windows 2003 Active Directory/CA, IAS and Cisco AP1200.
Cisco ACS 3.3 does not support NTLMv2 so I have to use IAS.
Any suggestions?
Hi,
I give you good documentation explaining how to implement EAP-TLS with IAS (but it is not an AP1200)
Regards,
Davy
802.1X EAP-TLS User Certificate Errors
I'm trying to implement 802.1x using EAP-TLS to authenticate our wireless users/clients (Windows 7 computers). I did a fair amount of research on how to implement this solution and everything seems to work fine when authentication mode is set to: Computer Authentication. However, when authentication mode is set to "User or Computer" or just "User" it fails. I get a "certificate is required to connect" pop-up and it's unable to connect.
No errors on the NPS side but I enabled logging on the client (netsh ras set tracing * ENABLED) and this is what I can see. It seems as if there is a problem with the client certificate:
[236] 06-04 09:26:35:704: EAP-TLS using All-purpose cert
[236] 06-04 09:26:35:720: Self Signed Certificates will not be selected.
[236] 06-04 09:26:35:720: EAP-TLS will accept the All-purpose cert
[236] 06-04 09:26:35:720: EapTlsInitialize2: PEAP using All-purpose cert
[236] 06-04 09:26:35:720: PEAP will accept the All-purpose cert
[236] 06-04 09:26:35:720: EapTlsInvokeIdentityUI
[236] 06-04 09:26:35:720: GetCertInfo flags: 0x40082
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: FCheckSCardCertAndCanOpenSilentContext
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
[236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode. skipping cert.Err: 0x80090014
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
[236] 06-04 09:26:35:720: No Certs were found in the Certificate Store. (A cert was needed for the following purpose: UserAuth) Aborting search for certificates.
Also, in the event viewer I get the following:
Wireless 802.1x authentication failed.
Network Adapter: Dell Wireless 1510 Wireless-N WLAN Mini-Card
Interface GUID: {64191d46-0ea6-4251-86bb-7d6de5701025}
Local MAC Address: C4:17:FE:48:F2:79
Network SSID: *****
BSS Type: Infrastructure
Peer MAC Address: 00:12:17:01:F7:2F
Identity: NULL
User: presentation
Domain: ****
Reason: Explicit Eap failure received
Error: 0x80420014
EAP Reason: 0x80420100
EAP Root cause String: Network authentication failed\nThe user certificate required for the network can't be found on this computer.
I created user and computer certificates by duplicating the "User" and "Computer" templates in AD CS. I modified the "Subject Name" to "Build from Active Directory information". "Subject Name Format" is set to "Fully Distinguished Name" and "User Principal Name (UPN)" is checked. All other boxes are cleared. I verified that certificates for user, computer and root CA are all correctly auto-enrolled. I also verified that the user certificate exists in the "Personal" user certificate store on the client.
There is clearly something wrong with the user certificate, but what? I'm at wits' end as I have tried everything. Please help!
Hey,
I am precisely in the same situation now. I have a Win7 client with Server 2008 R2 (having AD and DNS) with NPS running. I have certificate templates and auto-enrollment configured. My Win7 machine is able to authenticate using its certificate, but when I use the user certificate it doesn't work. Both user/computer certificates are coming from the AD root CA enterprise. NPS has the right certificate. I have verified on the client that both the user and the local machine have their respective certificates in their personal stores.
I have tried all possible combinations and even tried changing the key provider, but no use.
[6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
[6472] 12-10 13:39:04:327: FCheckSCardCertAndCanOpenSilentContext
[6472] 12-10 13:39:04:327: DwGetEKUUsage
[6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
[6472] 12-10 13:39:04:327: FCheckUsage: All-Purpose: 1
[6472] 12-10 13:39:04:327: Acquiring Context for Container Name: le-LM-USER-4aa6cf55-b6b7-491e-ad5b-735e44eaf3c7, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
[6472] 12-10 13:39:04:327: CryptAcquireContext failed. This CSP cannot be opened in silent mode. skipping cert.Err: 0x80090014
[6472] 12-10 13:39:04:327: No Certs were found in the Certificate Store. (A cert was needed for the following purpose: UserAuth) Aborting search for certificates.
[6472] 12-10 13:39:04:327: EAP-TLS using All-purpose cert
[6472] 12-10 13:39:04:327: Self Signed Certificates will not be selected.
[6472] 12-10 13:39:04:327: EAP-TLS will accept the All-purpose cert
I have been stuck on it for the last few days with no real cause known as yet!
Any help will be thoroughly appreciated!!!
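As an added example (not part of either post and not a Microsoft tool), the script below reads a netsh ras EAP-TLS trace like the two quoted above and reports, for each candidate certificate, the EKU count seen, the key container and provider that were opened, and why the certificate was skipped, so the certificate whose private key could not be opened silently is identified directly instead of by reading the trace line by line. The sample lines are the ones from the first post; the trace format assumed is exactly the `[thread] MM-DD hh:mm:ss:ms: message` shape shown there.

```python
import re

# Constructed sample: the netsh ras trace lines quoted in the first post above
# (thread id, timestamps, container name and error code taken from the post).
SAMPLE_TRACE = """\
[236] 06-04 09:26:35:720: EapTlsInvokeIdentityUI
[236] 06-04 09:26:35:720: GetCertInfo flags: 0x40082
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: FCheckSCardCertAndCanOpenSilentContext
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
[236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode. skipping cert.Err: 0x80090014
[236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
[236] 06-04 09:26:35:720: DwGetEKUUsage
[236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
[236] 06-04 09:26:35:720: No Certs were found in the Certificate Store. (A cert was needed for the following purpose: UserAuth) Aborting search for certificates.
"""

TRACE_RE = re.compile(r"^\[(?P<tid>\d+)\] (?P<ts>\d\d-\d\d \d\d:\d\d:\d\d:\d+): (?P<msg>.*)$")
CONTEXT_RE = re.compile(
    r"Acquiring Context for Container Name: (?P<container>[^,]+), "
    r"ProvName: (?P<provider>[^,]+), ProvType (?P<ptype>0x[0-9A-Fa-f]+)")
SKIP_RE = re.compile(
    r"CryptAcquireContext failed\. (?P<why>.*?) skipping cert\.\s*Err: (?P<err>0x[0-9A-Fa-f]+)")
EKU_RE = re.compile(r"Number of EKUs on the cert are (?P<n>\d+)")
NOCERT_RE = re.compile(r"No Certs were found .*purpose: (?P<purpose>\w+)\)")


def diagnose(trace_text):
    """Summarise a trace: EKU counts seen, every certificate skipped with its key container,
    provider, error and reason, the purpose searched for, and whether a usable cert was found."""
    report = {"eku_counts": [], "skipped": [], "purpose": None, "usable_cert_found": True}
    pending = None  # key container whose CryptAcquireContext is in progress
    for line in trace_text.splitlines():
        m = TRACE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        eku = EKU_RE.search(msg)
        ctx = CONTEXT_RE.search(msg)
        skip = SKIP_RE.search(msg)
        nocert = NOCERT_RE.search(msg)
        if eku:
            report["eku_counts"].append(int(eku.group("n")))
        elif ctx:
            pending = {"container": ctx.group("container"), "provider": ctx.group("provider")}
        elif skip:
            entry = dict(pending or {"container": None, "provider": None})
            entry.update(error=skip.group("err"), why=skip.group("why"), at=m.group("ts"))
            report["skipped"].append(entry)
            pending = None
        elif nocert:
            report["purpose"] = nocert.group("purpose")
            report["usable_cert_found"] = False
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Run against either post's trace, the `skipped` entry names the key container and the provider ("Microsoft Software Key Storage Provider" in both) that the supplicant could not open without a prompt; because the EAP-TLS identity search runs silently, that certificate is dropped and the search ends with `usable_cert_found` false for purpose `UserAuth`. Checking the private-key settings of exactly that container (whether the key was enrolled with a protection option that requires user interaction) is then the next step, rather than re-checking the EKUs, which the trace already reports as present.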
EAP-TLS with Radius Server configuration (1130AG)
Hi All,
I'm currently trying to get EAP-TLS user-certificate-based wireless authentication working. The mismatch of guides I'm trying to follow has me coming up trumps with success so far, so here's hoping you guys can right my wrongs and put me on the right path again.
My steps for RADIUS: (I think this part I've actually got OK)
http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
Steps for the wireless profile on a Win 7 client: this has me confused all over the place
http://technet.microsoft.com/en-us/library/dd759246.aspx
My 1130 config:
[code]
Current configuration : 3805 bytes
! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
! NVRAM config last updated at 14:43:51 UTC Fri Jan 25 2013 by apd
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname WAP1
aaa new-model
aaa group server radius RAD_EAP
server 10.1.1.29 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login EAP_LOGIN group RAD_EAP
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
ip domain name ************
dot11 syslog
dot11 ssid TEST
authentication open eap EAP_LOGIN
authentication network-eap EAP_LOGIN
guest-mode
crypto pki trustpoint TP-self-signed-1829403336
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1829403336
revocation-check none
rsakeypair TP-self-signed-1829403336
quit
username ***************
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid TEST
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
ssid TEST
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.1.2.245 255.255.255.0
ip helper-address 10.1.1.27
no ip route-cache
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 10.1.1.29 auth-port 1812 acct-port 1813 key **************
radius-server key ************
bridge 1 route ip
line con 0
logging synchronous
transport preferred ssh
line vty 0 4
logging synchronous
transport input ssh
sntp server 130.88.212.143
end
[/code]
and my current debug
[code]
Jan 25 12:00:56.703: dot11_auth_send_msg: sending data to requestor status 1
Jan 25 12:00:56.703: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 25 12:00:56.703: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
Jan 25 12:01:26.698: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 25 12:01:26.698: dot11_auth_send_msg: sending data to requestor status 0
Jan 25 12:01:26.698: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
Jan 25 12:01:26.699: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
Jan 25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
Jan 25 12:01:27.580: AAA/BIND(00000012): Bind i/f
Jan 25 12:01:27.580: dot11_auth_add_client_entry: Create new client 74de.2b81.56c4 for application 0x1
Jan 25 12:01:27.580: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
Jan 25 12:01:27.581: dot11_auth_add_client_entry: req->auth_type 0
Jan 25 12:01:27.581: dot11_auth_add_client_entry: auth_methods_inprocess: 2
Jan 25 12:01:27.581: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
Jan 25 12:01:27.581: dot11_run_auth_methods: Start auth method EAP or LEAP
Jan 25 12:01:27.581: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Jan 25 12:01:27.581: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 25 12:01:27.581: EAPOL pak dump tx
Jan 25 12:01:27.581: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 25 12:01:27.581: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01801670: 0100002B 0101002B ...+...+
01801680: 01006E65 74776F72 6B69643D 54455354 ..networkid=TEST
01801690: 2C6E6173 69643D41 50445741 50312C70 ,nasid=WAP1,p
018016A0: 6F727469 643D30 ortid=0
Jan 25 12:01:27.582: dot11_auth_send_msg: sending data to requestor status 1
Jan 25 12:01:27.582: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 25 12:01:27.582: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
[/code]
Can anyone point me in the right direction with this?
I also don't like it that you can attempt to join the network first before failing.
Can I have user-cert-based + PSK, and then apply it all by GPO?
Thanks for any help.
OK, I've amended the wireless profile as suggested.
I already have the root CA and a user certificate installed with matching usernames.
I had already added the RADIUS device to the NPS server and matched the keys to the AP.
Now here's the debug I'm getting; when I check the NPS server, it still doesn't look like it's getting any requests at all :|
[code]
Jan 29 11:53:13.501: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
Jan 29 11:53:13.501: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 29 11:53:13.501: dot11_auth_send_msg: sending data to requestor status 0
Jan 29 11:53:13.501: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
Jan 29 11:53:13.501: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
Jan 29 11:53:13.501: dot11_mgr_disp_callback: Received message from Local Authenticator
Jan 29 11:53:13.501: dot11_mgr_disp_callback: Received FAIL from Local Authenticator
Jan 29 11:53:13.501: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_FAIL) for 74de.2b81.56c4
Jan 29 11:53:13.502: dot11_mgr_sm_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 29 11:53:13.502: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
Jan 29 11:53:13.502: dot11_mgr_disp_auth_abort: Sending abort request for client 74de.2b81.56c4 to local Authenticator
Jan 29 11:53:13.502: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
Jan 29 11:53:13.502: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
Jan 29 11:53:14.619: AAA/BIND(00000019): Bind i/f
Jan 29 11:53:14.619: dot11_mgr_disp_auth_request: Send auth request for client 74de.2b81.56c4 to local Authenticator
Jan 29 11:53:14.619: dot11_auth_add_client_entry: Create new client 74de.2b81.56c4 for application 0x1
Jan 29 11:53:14.620: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
Jan 29 11:53:14.620: dot11_auth_add_client_entry: req->auth_type 0
Jan 29 11:53:14.620: dot11_auth_add_client_entry: auth_methods_inprocess: 2
Jan 29 11:53:14.620: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
Jan 29 11:53:14.620: dot11_run_auth_methods: Start auth method EAP or LEAP
Jan 29 11:53:14.620: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Jan 29 11:53:14.620: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 29 11:53:14.620: EAPOL pak dump tx
Jan 29 11:53:14.621: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 29 11:53:14.621: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01808560: 0100002B 0101002B 01006E65 74776F72 ...+...+..networ
01808570: 6B69643D 54455354 2C6E6173 69643D41 kid=TEST,nasid=A
01808580: 50445741 50312C70 6F727469 643D30 WAP1,portid=0
Jan 29 11:53:14.621: dot11_auth_send_msg: sending data to requestor status 1
Jan 29 11:53:14.621: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received message from Local Authenticator
Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received DOT11_AAA_EAP from Local Authenticator
Jan 29 11:53:14.622: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_REPLY) for 74de.2b81.56c4
Jan 29 11:53:14.622: dot11_mgr_sm_send_response_to_client: Forwarding Authenticator message to client 74de.2b81.56c4
Jan 29 11:53:14.622: EAPOL pak dump tx
Jan 29 11:53:14.622: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 29 11:53:14.622: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01808690: 0100002B 0101002B ...+...+
018086A0: 01006E65 74776F72 6B69643D 54455354 ..networkid=TEST
018086B0: 2C6E6173 69643D41 50445741 50312C70 ,nasid=WAP1,p
018086C0: 6F727469 643D30 ortid=0
Jan 29 11:53:14.623: dot1x-regi
[/code]
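Editor's note on both debug captures in this thread, with an added example that is not the poster's code. In each run the AP sends EAP-Request/Identity, starts a 30 second client timer, and the next thing logged for that station is Executing Action(CLIENT_WAIT,TIMEOUT) almost exactly 30 s later, followed by %DOT11-7-AUTH_FAILED and a fresh client entry about a second after that. Only "EAPOL pak dump tx" lines appear; nothing is received from the client, and no RADIUS exchange is logged, so the empty NPS log is the expected outcome: the conversation dies between AP and supplicant before RADIUS is ever involved, and tuning NPS cannot change it. One thing worth checking against the posted config is that dot11 ssid TEST carries authentication open eap / network-eap but no authentication key-management wpa, and neither radio has encryption mode ciphers, so the SSID is open 802.1X rather than WPA2-Enterprise; the Windows 7 profile's security type has to match what the SSID advertises before the supplicant will answer the identity request. The script below turns the timing argument into a check: it measures the wait between "timer started" and the CLIENT_WAIT timeout per client MAC and flags a wait equal to the configured timer as "no reply at all". The sample is the posted trace joined back together; the Access-Request pattern is an assumption about what debug radius authentication would print if the AP ever queried NPS.

```python
import re
from datetime import datetime
from typing import Dict

# Constructed sample: the key lines of the AP debug quoted in the post above, joined back into
# one capture (timestamps and client MAC are the posted ones; nothing here is a new capture).
SAMPLE_DEBUG = """\
Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
Jan 25 12:01:26.698: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
Jan 25 12:01:27.580: AAA/BIND(00000012): Bind i/f
Jan 25 12:01:27.581: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
MAC = r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
IDREQ_RE = re.compile(r"Sending identity request to " + MAC)
TIMER_RE = re.compile(r"Client " + MAC + r" timer started for (?P<secs>\d+) seconds")
TIMEOUT_RE = re.compile(r"Executing Action\(CLIENT_WAIT,TIMEOUT\) for " + MAC)
FAIL_RE = re.compile(r"AUTH_FAILED: Station " + MAC)
# Assumption: with `debug radius authentication` also enabled, a request to NPS would show up as
# an Access-Request line; none is present in the posted output.
RADIUS_RE = re.compile(r"Access-Request")


def new_state() -> Dict:
    return {"id_requests": 0, "timeouts": 0, "failures": 0, "timer_secs": None,
            "timer_start": None, "waited": [], "radius_seen": False}


def verdict(st: Dict) -> str:
    if st["radius_seen"]:
        return "RADIUS consulted: check the NPS event log for the reject reason"
    full_wait = (st["timeouts"] > 0 and st["timer_secs"] is not None and st["waited"]
                 and all(abs(w - st["timer_secs"]) < 1.0 for w in st["waited"]))
    if full_wait:
        return ("identity timeout: the supplicant never answered EAP-Request/Identity within "
                "%d s, so no RADIUS Access-Request was sent and NPS logs nothing" % st["timer_secs"])
    if st["failures"]:
        return "failed before RADIUS for another reason: read the lines between id request and failure"
    return "no failure seen"


def analyze_dot11_auth(text: str) -> Dict[str, Dict]:
    """Per-client summary of a Cisco IOS AP `debug dot11 aaa` trace."""
    clients: Dict[str, Dict] = {}
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # console-prompt fragments and hex dump rows carry no timestamp
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        msg = m["msg"]
        if RADIUS_RE.search(msg):
            for st in clients.values():
                st["radius_seen"] = True
            continue
        x = IDREQ_RE.search(msg)
        if x:
            clients.setdefault(x["mac"], new_state())["id_requests"] += 1
            continue
        x = TIMER_RE.search(msg)
        if x:
            st = clients.setdefault(x["mac"], new_state())
            st["timer_secs"] = int(x["secs"])
            st["timer_start"] = ts
            continue
        x = TIMEOUT_RE.search(msg)
        if x:
            st = clients.setdefault(x["mac"], new_state())
            st["timeouts"] += 1
            if st["timer_start"] is not None:
                # The identity timer is only cancelled by a reply from the client, so a wait equal
                # to the configured timer means nothing came back at all.
                st["waited"].append((ts - st["timer_start"]).total_seconds())
            continue
        x = FAIL_RE.search(msg)
        if x:
            clients.setdefault(x["mac"], new_state())["failures"] += 1
    for st in clients.values():
        st["verdict"] = verdict(st)
    return clients


if __name__ == "__main__":
    for mac, st in analyze_dot11_auth(SAMPLE_DEBUG).items():
        print(mac, st["id_requests"], "id requests,", st["timeouts"], "timeouts, waited", st["waited"])
        print(" ", st["verdict"])
```

Feed it the raw console output (prompt fragments such as WAP1# are ignored because they carry no timestamp) and compare the per-client verdict with what NPS shows: an "identity timeout" verdict with nothing in the NPS log points at the client profile or the SSID security settings, not at the RADIUS side.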